This is a continuation of January's post about the upcoming Secure Boot certificate expiration. I've put together a script-assisted strategy for patching our fleet of VMware vSphere machines by clearing out their NVRAM files en masse.
The first pass at the script has been uploaded to my GitHub as VMW_MSUEFICA2023Patch.ps1 and has so far worked through and patched batches of VMs successfully in test and pre-production.
To reiterate the issue at hand: in June of this year, the Microsoft signing certificates that have been part of the Secure Boot process since 2011 expire. Replacing those certificates in the virtual environment cannot be done from within the guest operating system because the VMware vSphere virtual firmware carries an invalid platform key (the key that must authorize updates to the KEK), so the guest-driven update cannot be applied. So far, Broadcom has published two potential solutions: either (1) delete the NVRAM file and let the UEFI variables reset to new defaults on the next boot, or (2) fix the invalid platform key through some very manual console work. I've opted to implement the first option.
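As an added illustration of what option (1) looks like when driven from PowerCLI, here is a small batch script. It is not the post's VMW_MSUEFICA2023Patch.ps1 and not Broadcom's procedure verbatim; the vCenter name, VM names and backup folder are placeholders, and it assumes the ESXi hosts' firmware defaults already include the 2023 CA, since a regenerated NVRAM only contains whatever defaults the host supplies. Per VM it powers the guest off, copies the .nvram file out as a backup, deletes it from the datastore, and powers the VM back on.

```powershell
# Added example, not the post's own script. Placeholders: vCenter name, VM names, backup dir.
# Assumption: host firmware defaults already carry the 2023 CA, otherwise the reset buys nothing.
Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server 'vcenter.example.internal' | Out-Null      # placeholder vCenter

$targets   = @('testvm01', 'testvm02')                              # placeholder VM names
$backupDir = Join-Path $env:TEMP 'nvram-backup'                     # local copy of each old NVRAM
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($name in $targets) {
    $vm = Get-VM -Name $name -ErrorAction Stop

    # Only EFI-firmware VMs hold Secure Boot variables in NVRAM; a BIOS VM has nothing to reset.
    if ($vm.ExtensionData.Config.Firmware -ne 'efi') {
        Write-Warning "$name is not EFI firmware, skipping"
        continue
    }

    # The .nvram file is rewritten on power-off, so the VM must be fully off before we touch it.
    if ($vm.PowerState -eq 'PoweredOn') {
        Stop-VMGuest -VM $vm -Confirm:$false -ErrorAction SilentlyContinue | Out-Null  # needs VMware Tools
        $deadline = (Get-Date).AddMinutes(5)
        while ((Get-VM -Name $name).PowerState -ne 'PoweredOff' -and (Get-Date) -lt $deadline) {
            Start-Sleep -Seconds 10
        }
        if ((Get-VM -Name $name).PowerState -ne 'PoweredOff') {
            Write-Warning "$name did not shut down cleanly, hard powering off"
            Stop-VM -VM $vm -Confirm:$false | Out-Null
        }
    }

    # Locate the VM folder from its .vmx path, e.g. "[ds01] testvm01/testvm01.vmx".
    $vmx = $vm.ExtensionData.Config.Files.VmPathName
    if ($vmx -notmatch '^\[(?<ds>[^\]]+)\]\s*(?<dir>.*)/[^/]+\.vmx$') { throw "unexpected VMX path: $vmx" }
    $dsName = $Matches['ds']
    $folder = $Matches['dir'] -replace '/', '\'

    # The NVRAM file name can be overridden by the "nvram" vmx option; default is <vmname>.nvram.
    $nvramName = ($vm.ExtensionData.Config.ExtraConfig | Where-Object Key -eq 'nvram').Value
    if (-not $nvramName) { $nvramName = "$($vm.Name).nvram" }

    # Mount the datastore as a PSDrive so the file can be copied out and removed.
    $ds = Get-Datastore -Name $dsName
    New-PSDrive -Name 'dsTmp' -PSProvider VimDatastore -Root '\' -Location $ds | Out-Null
    try {
        $src = "dsTmp:\$folder\$nvramName"
        if (Test-Path $src) {
            $stamp = Get-Date -Format 'yyyyMMddHHmmss'
            Copy-DatastoreItem -Item $src -Destination (Join-Path $backupDir "$name.$stamp.nvram")
            Remove-Item -Path $src -Confirm:$false
            Write-Host "$name: NVRAM backed up and deleted"
        } else {
            Write-Warning "$name: no NVRAM file at $src, nothing to reset"
        }
    } finally {
        Remove-PSDrive -Name 'dsTmp'
    }

    # On this boot the firmware regenerates NVRAM from host defaults.
    Start-VM -VM $vm | Out-Null
}

# Verification runs inside the Windows guest afterwards, not via PowerCLI:
#   [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes) -match 'Microsoft UEFI CA 2023'
# should return True once the regenerated db carries the 2023 CA.
```

Keep the backup copies: boot order and any custom db/dbx entries live in the same file, so a VM that fails to boot after the reset can have its old NVRAM copied back with Copy-DatastoreItem in the other direction.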
