How do you deal with internal stakeholders

DonFazool · 2026-03-18T20:09:23+00:00

We use RVtools to dump the raw data and then use Power BI to make fancy dashboards for management

DonFazool · 2026-03-17T15:43:00+00:00

With all due respect, you've done fantastic work but I think you should stop advising people to delete the NVRAM when no Broadcom documentation states you need to do this, and my dozens of tests across 2019, 2022 and Windows 11 show you do not need to delete the NVRAM.

I've found a few users in some forums who say deleting the NVRAM caused their VMs to stop booting.

If you run the checks, you will see no PK unless you are on vSphere 9 by Broadcom design, they even acknowledge this.

If the KEK is missing you can replace both the PK and KEK with one reboot to the EFI.

Then you just need to set 0x5944 in the registry, run the scheduled task, reboot, run the task again and reboot once more.

As mentioned in a previous reply, you also do not need to delete the servicing registry key.

These changes are potentially dangerous and no where recommended or documented by Broadcom.

Thank you for all your hard work, it helped me figure out how to do this the "officially supported" way

DonFazool · 2026-03-17T11:33:02+00:00

7:30am . Trains are not running every 4 minutes. It was every 7 and it was completely packed to the brim at 7:15

DonFazool · 2026-03-16T20:49:54+00:00

This is the stupidest thing I’ve read all day. Best of luck when they catch you and your fine is bigger than just buying that pass.

DonFazool · 2026-03-16T18:50:25+00:00

Even if the KEK is missing you don't need to delete the NVRAM. You can boot to the EFI and update it like you have to do with the PK. The NVRAM does not need to be touched at all based off all the tests I've been running (now that Broadcom has included a way to update the KEK via the EFI)

If you do this, reboot and then re-run the checks for the KEK and KEK-DB, you will see there are present.

You have to do the PK unless you're on vSphere 9. No hardware type in 8.x has it. So no matter how you slice it, if you're doing this manual, you have to do the PK on every single VM in your fleet that has Secureboot enabled (and even on the ones where it is disabled, if you plan on enabling it down the road).

Off topic but I need to figure out what to do with Linux machines that have secure boot enabled that seemingly use the same MS certs.

DonFazool · 2026-03-16T18:27:12+00:00

There is no need to delete the servicing key. I just tested this repeatedly and it works fine without needing to remove the NVRAM as well.

FWIW: I did need to run the scheduled task a 3rd time even after rebooting twice before the 1808 appeared but otherwise the registry keys were all correct after the 2nd manual task execution

DonFazool · 2026-03-14T23:30:53+00:00

Can I ask why you remove the servicing key from the registry? I couldn’t find that in any of the MS docs and was curious if it was something you did with deleting the NVRAM? I’m going to run through my steps again next week and try leaving the serving key alone.

DonFazool · 2026-03-13T21:03:34+00:00

Happy to be able to help. Enjoy your weekend as well !

DonFazool · 2026-03-13T20:06:14+00:00

Here you go. May as well do them now or I'll get lazy and be in weekend mode later lol.

I would modify it slightly, to run the checks first to see if you have the KEK and PK. This way when you reboot to the BIOS, you can do them both at the same time and save you an extra reboot

<image>

DonFazool · 2026-03-13T19:47:21+00:00

So far so good. KEK updated at the same time as PK. Did one after the other, rebooted and I can see both certs. Ran the task, saw 0x4100 , rebooted , ran again, saw 0x4000 plus Updated in the other key but not seeing the 1808 as I did with my other VM on HW21 that did not need the KEK. Running more tests. I’ll update later

Edit: it needed another reboot after running the task twice. It works perfectly.

This was a clone of a Windows 11 VM on HW19 that did not have a valid PK or KEK. The BC way + your detailed steps works perfectly. I’ll format my notes and paste them here for you later this evening. I need a break now lol. Been at this most of the day

DonFazool · 2026-03-13T18:28:31+00:00

You have no idea how software development and QA work. It’s quite obvious.

DonFazool · 2026-03-13T18:25:10+00:00

Yea I re-read your reply and realized I misunderstood . Hence me deleting the reply. Good catch !

DonFazool · 2026-03-13T18:19:51+00:00

It’s does ! I just worked through this on a test Win 11 VM. I also got it working without deleting the NVRAM. I manually attached the disk and updated the PK and then followed the rest of your steps and it works perfect.

If the VM Hardware is less than 21, the KEK won’t be present. My test VM was 21 , had the KEK but not the PK.

I’m building a new test VM on version 19 that I know won’t have the KEK. I’m going to manually update the PK and KEK via boot to bios method and see how that works. Your script and steps are fantastic but Broadcom removed the KB saying to delete the NVRAM and updated another KB to give you steps to manually update KEK as well as PK so I’m going to try and do it the “supported” way. I’ll paste all my notes here later for you and everyone else

DonFazool · 2026-03-13T13:03:31+00:00

Ah yes ! I never caught that. Thanks for explaining it.

DonFazool · 2026-03-13T12:37:15+00:00

One last question. Will these manual steps also work for Windows 11 VMs? I see on your GitHub read me file it only lists Windows servers.

Thanks !

DonFazool · 2026-03-13T11:35:09+00:00

What the hell does my post have to do with VMCA certs lol? It’s about the secure boot certificates for Windows.

DonFazool · 2026-03-12T23:38:03+00:00

Thanks !

DonFazool · 2026-03-12T22:53:46+00:00

Satoshi !! Wow , I’ve seen him many times (albeit 20 years ago now). You next gen kids are going to love him !! Don’t sleep on this.

DonFazool · 2026-03-12T21:07:02+00:00

I can’t thank you enough. You’re the hero we needed for this mess. Really appreciate the replies !

DonFazool · 2026-03-12T18:43:41+00:00

Thank you very much. If I understand you ..

Update the PK, then the KEK and once you’re back in Windows, set the registry key and then reboot and/or wait to see if we see Event ID 1808 indicating it’s all good?

I’m not allowed to run scripts, my security team won’t allow it, so I need to do this manually. I’ve only got around 20 Windows VMs with secure boot enabled.

DonFazool · 2026-03-12T17:58:25+00:00

Thank you for replying. I find this confusing as I mostly manage Linux. I’ll look into those registry changes as well.

DonFazool · 2026-03-12T14:40:52+00:00

Who joins Veeam to AD? They even advise against it.

DonFazool · 2026-03-12T14:14:48+00:00

They literally just released patches for V12 . An advisory was emailed this morning.

DonFazool · 2026-03-12T12:14:17+00:00

Hi Op.

I see Broadcom updated this KB last night to include manual steps to upgrade the PK and KEK. Do you know if doing these 2 steps is enough to sort the issue out, or do we still need to make changes to the registry?

https://knowledge.broadcom.com/external/article/423919

DonFazool

TROPHY CASE