Running a Virtual Machine with Updated Certificates and Boot Loader on a VMware ESXi Host Prior to ESXi 8.0.3 Update 3j P09 (25429389)

VMware have released an update that makes updating the Secure Boot certificates within the BIOS/UEFI NVRAM as easy as shutting down a VM and then restarting it (provided the VM is running VM Hardware version 21 or later).

But what happens if you have some hosts you have not yet updated to ESXi 8.0.3 Update 3j P09 (25429389) that supports this?

Once a Microsoft Windows deployment running within a VMware Virtual Machine has had its Secure Boot certificates updated (in the BIOS/UEFI NVRAM) and has also been switched to the Boot Manager signed with the new 2023 certificates, what is the impact of moving it back to a VMware host that is older than ESXi 8.0.3 Update 3j P09 (25429389), the release in which support for remediating the Secure Boot of a Microsoft Windows VM by simply powering it off and back on again was added?

After performing the Secure Boot remediation on a Microsoft Windows Server VM, the VM was shut down and migrated to a VMware ESXi host that was not yet running 8.0.3 Update 3j P09 (25429389). The expectation was that the VM would continue to run as normal: once the NVRAM has been updated to include the new certificates and the Boot Manager has been swapped, the mechanism that performs the BIOS/UEFI NVRAM update, although missing from earlier VMware ESXi versions, should no longer be needed.

Conclusion

The test was successful: a Virtual Machine that has had its Secure Boot remediated will start and run on a VMware ESXi host running a version earlier than 8.0.3 Update 3j P09 (25429389). However, it was also confirmed that if a Virtual Machine has not yet had its Secure Boot remediated, the remediation will not start (or be able to complete) on a VMware ESXi version earlier than 8.0.3 Update 3j P09 (25429389) by merely shutting the machine down and restarting it, even if Event ID 1801 can be seen in the Windows Event Log, such as the following entry:

Updated Secure Boot certificates are available on this device but have not yet been applied to the firmware. Review the published guidance to complete the update and maintain full protection. This device signature information is included here.
DeviceAttributes: BaseBoardManufacturer:Intel Corporation;FirmwareManufacturer:VMware, Inc.;FirmwareVersion:VMW71.00V.24504846.B64.2501180334;OEMModelNumber:VMware7,1;OEMModelBaseBoard:440BX Desktop Reference Platform;OEMModelSystemFamily:;OEMManufacturerName:VMware, Inc.;OEMModelSKU:;OSArchitecture:amd64;
BucketId: 32cf6c4f85da58381a72f5cae4794609c8ddf6604da764fb8fcb05888dec12d2
BucketConfidenceLevel: 
UpdateType: 
For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018.
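Before migrating a VM to a host older than 8.0.3 Update 3j P09 (25429389), it is worth confirming from inside the guest whether its NVRAM already carries the 2023 certificates. The following PowerShell script is an added example written for this post, not VMware or Microsoft code; it assumes the built-in SecureBoot module (Confirm-SecureBootUEFI, Get-SecureBootUEFI) is present and that the certificate subject strings it searches for ("Windows UEFI CA 2023", "Microsoft UEFI CA 2023", "KEK 2K CA 2023") match the names Microsoft publishes for the 2023 CAs.

```powershell
# Added example (not from the original post): report whether this Windows VM's
# Secure Boot NVRAM already contains the 2023 certificates, and whether the
# "certificates available but not yet applied" event (ID 1801) is present.
# Run in an elevated PowerShell session inside the guest.
# Assumption: the SecureBoot module is available (current Windows Server builds).

function Get-SecureBootRemediationState {
    $state = [ordered]@{
        SecureBootEnabled        = $false
        DbHasWindowsUefiCa2023   = $false
        DbHasMicrosoftUefiCa2023 = $false
        KekHas2023               = $false
        Event1801Seen            = $false
        NvramRemediated          = $false
    }

    # Confirm-SecureBootUEFI throws on non-UEFI or unsupported platforms.
    try { $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI) } catch { }

    if ($state.SecureBootEnabled) {
        # db and KEK come back as raw EFI_SIGNATURE_LIST bytes; the X.509
        # subject names are readable as ASCII inside the embedded DER blobs,
        # so a substring match is enough to tell old from new certificates.
        $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
        $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
        $state.DbHasWindowsUefiCa2023   = [bool]($db  -match 'Windows UEFI CA 2023')
        $state.DbHasMicrosoftUefiCa2023 = [bool]($db  -match 'Microsoft UEFI CA 2023')
        $state.KekHas2023               = [bool]($kek -match 'KEK 2K CA 2023')
    }

    # Event ID 1801 (quoted in the post) means Windows has the new certificates
    # staged but the firmware has not accepted them yet.
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 1801 } `
                       -MaxEvents 1 -ErrorAction SilentlyContinue
    $state.Event1801Seen = ($null -ne $ev)

    # The NVRAM side of the remediation is done once the Windows UEFI CA 2023
    # is in db; a VM in this state ran fine on the older host in the test above.
    $state.NvramRemediated = $state.SecureBootEnabled -and $state.DbHasWindowsUefiCa2023
    [pscustomobject]$state
}

Get-SecureBootRemediationState | Format-List
```

The script only inspects the NVRAM databases; it does not verify that the Boot Manager on the EFI System Partition has been swapped to the 2023-signed build, which is the other half of the remediation the post describes.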
