Troubleshooting Secure Boot 2026 Certificate Rollout Stuck on VMware VMs

Use this when VMware VMs stall or fail around the Secure Boot 2026 certificate rollout.

Quick Read

  • Symptom: The Secure Boot 2026 certificate rollout stalls or fails on VMware VMs, leaving them unable to boot or out of compliance.
  • Check first: Confirm OS build, domain or workgroup state, local admin rights, and whether the host is managed by GPO, Intune, or another baseline.
  • Risk: Review before running. Most fix steps change VM hardware, firmware, or certificate state; take a VM snapshot first (see Rollback and Escalation).

Symptoms

Secure Boot 2026 certificate rollout is not progressing on VMware virtual machines, causing boot failures and security compliance issues.

Environment

VMware ESXi 7.x, VMware vSphere Client, Windows Server 2022 VMs with Secure Boot enabled.

Most Likely Causes

The issue may stem from outdated VM hardware compatibility settings, incorrect firmware settings, or conflicts with existing certificates in the VM's UEFI firmware.

What to Check First

  1. Confirm OS build, domain or workgroup state, local admin rights, and whether the host is managed by GPO, Intune, or another baseline.
  2. Collect the exact error code, Event Viewer entries, and the command or UI action that triggers the failure.
  3. Check whether the issue follows the user profile, machine, network, or application package.

Fix Steps

  1. Verify VM Hardware Compatibility

    Ensure that the virtual machine is set to a hardware compatibility version that supports Secure Boot.

    Example pattern only. Adjust for your environment before running.

    Open VMware vSphere Client.
    Right-click on the VM and select 'Compatibility' > 'Upgrade VM Compatibility'.
    Choose the latest hardware version compatible with your ESXi host.
  2. Check Secure Boot Configuration

    Confirm that Secure Boot is enabled in the VM's firmware settings.

    Example pattern only. Adjust for your environment before running.

    Power off the VM.
    Right-click on the VM and select 'Edit Settings'.
    Under 'VM Options', expand 'Boot Options'.
    Ensure 'Secure Boot' is checked.
  3. Update VM Tools

    Ensure that VMware Tools is up to date, as outdated tools can affect VM performance and compatibility.

    Example pattern only. Adjust for your environment before running.

    Power on the VM.
    Select the VM and click on 'Actions' > 'Guest OS' > 'Install VMware Tools'.
    Follow the prompts within the guest OS to complete the installation.
  4. Check for Existing Certificates

    Inspect the UEFI firmware for any existing certificates that may conflict with the Secure Boot process.

    Example pattern only. Adjust for your environment before running.

    Take a VM snapshot first: removing the wrong PK, KEK, or db entry can leave the VM unable to boot (see Rollback and Escalation).
    Power on the VM and enter the UEFI firmware settings (usually by pressing F2 during boot).
    Navigate to 'Security' > 'Secure Boot' > 'PK, KEK, db, dbx' to review installed certificates.
    Remove only certificates that are confirmed not to be required or that conflict with the Secure Boot 2026 rollout.
  5. Review VM Logs for Errors

    Examine the VM logs for any error messages related to the Secure Boot process.

    Safe to run: read-only

    Access the VM's console.
    Use the command: 'Get-EventLog -LogName Application -Newest 100' to review recent logs.
    Look for entries related to Secure Boot or certificate validation failures.
  6. Reboot and Monitor Progress

    After making the necessary adjustments, reboot the VM and monitor the Secure Boot rollout process.

    Example pattern only. Adjust for your environment before running.

    Power off the VM.
    Power on the VM and observe the boot process for any errors.
    Check the status of the Secure Boot rollout in the VM's operating system.
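The certificate inspection of step 4 and the log review of step 5 can be done read-only from inside the guest. The following script is an added example, not part of the original article; it assumes the Windows built-in SecureBoot module and treats the Servicing registry value name as an assumption to confirm against Microsoft's current guidance for your build.

```powershell
# Added example (not from the original article): read-only guest-side check of
# Secure Boot state, the 2023 CAs that the 2026 rollout installs, and related events.
# Run in an elevated Windows PowerShell session inside the Windows Server 2022 VM.
# Assumption: the Servicing registry value name below follows Microsoft's published
# guidance; confirm it for your build before relying on it.

$report = [ordered]@{}

# 1. Is Secure Boot actually on? Returns $true/$false; throws on BIOS firmware.
try   { $report.SecureBootEnabled = Confirm-SecureBootUEFI }
catch { $report.SecureBootEnabled = "unavailable: $($_.Exception.Message)" }

# 2. Which CAs are present in db and KEK? The variables hold EFI_SIGNATURE_LIST
#    blobs; certificate subject names are stored as ASCII inside the DER data,
#    so a substring match distinguishes the old 2011 CAs from the 2023 CAs.
$expected = @{
    db  = @('Microsoft Windows Production PCA 2011', 'Windows UEFI CA 2023',
            'Microsoft Corporation UEFI CA 2011',   'Microsoft UEFI CA 2023')
    KEK = @('Microsoft Corporation KEK CA 2011', 'Microsoft Corporation KEK 2K CA 2023')
}
foreach ($var in $expected.Keys) {
    try {
        $text = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $var).Bytes)
        foreach ($ca in $expected[$var]) {
            $report["$var has '$ca'"] = [bool]($text -match [regex]::Escape($ca))
        }
    } catch { $report["$var read"] = "failed: $($_.Exception.Message)" }
}

# 3. Rollout status as Windows records it (assumed key/value name; see Microsoft docs).
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing'
$report.UEFICA2023Status = (Get-ItemProperty -Path $svc -ErrorAction SilentlyContinue).UEFICA2023Status

$report.GetEnumerator() | Format-Table -AutoSize

# 4. Recent System-log entries mentioning Secure Boot or certificates, complementing
#    the Application-log check in step 5. First line of each message only.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Secure Boot|certificate' } |
    Select-Object TimeCreated, Id, ProviderName, @{ n = 'Message'; e = { $_.Message.Split("`n")[0] } } |
    Format-Table -Wrap
```

A healthy VM after the rollout shows SecureBootEnabled True and both the 2023 db and KEK CAs present; a VM stuck in the rollout typically shows the 2011 CAs only.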

Validation

  • The failing Windows action completes after reboot or service restart if the remediation requires one.
  • Event Viewer stops logging the same error ID for the same component during a retest.
  • The fix works for the affected standard user context, not only for an elevated administrator session.

Logs to Check

  • Event Viewer: System, Application, Setup, WindowsUpdateClient, TerminalServices, or PowerShell logs as relevant.
  • CBS.log, DISM.log, or WindowsUpdate.log when servicing or feature installation is involved.
  • Security, RDP, or application-specific logs for authentication and session failures.

Rollback and Escalation

  • Record the original registry, service, feature, policy, or firewall value before changing it.
  • Undo temporary local policy, firewall, or service changes after validation.
  • Use a restore point, VM snapshot, or exported configuration when changing servicing, boot, or security settings.

Escalate When

  • Escalate if the same error persists after rollback and a clean retry from the original failing path.
  • Escalate if logs show authorization, data loss, certificate, replication, or production availability risk outside the local service owner scope.

Edge Cases

  • If the VM still fails to boot after following the steps, consider reverting to a previous snapshot before the rollout began.
  • If the issue persists across multiple VMs, check the ESXi host for any updates or patches that may address Secure Boot issues.
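When the problem spans many VMs, checking steps 1 and 2 one VM at a time in the vSphere Client does not scale. The following PowerCLI inventory is an added example, not part of the original article; it assumes the VMware.PowerCLI module is installed, uses a placeholder vCenter name, and takes hardware version 13 as the assumed minimum for EFI Secure Boot support (adjust to your environment).

```powershell
# Added example (not from the original article): read-only PowerCLI inventory of the
# VM-side prerequisites from fix steps 1 and 2 across a vCenter, for the case where
# the rollout is stuck on multiple VMs. Assumes VMware.PowerCLI is installed.
# 'vcenter.example.internal' is a placeholder; replace it with your vCenter.
Connect-VIServer -Server 'vcenter.example.internal' | Out-Null

# Hardware version is reported as "vmx-NN"; compare the numeric part with the
# minimum you require. 13 is an assumption for EFI Secure Boot support.
$minimumHardware = 13

Get-VM | ForEach-Object {
    $cfg       = $_.ExtensionData.Config
    $hwVersion = [int]($_.HardwareVersion -replace '^vmx-', '')
    [pscustomobject]@{
        Name            = $_.Name
        Host            = $_.VMHost.Name
        HardwareVersion = $_.HardwareVersion
        Firmware        = $cfg.Firmware                          # 'efi' or 'bios'
        SecureBoot      = $cfg.BootOptions.EfiSecureBootEnabled  # $true / $false / $null
        ToolsStatus     = $_.ExtensionData.Guest.ToolsStatus     # e.g. toolsOk, toolsOld
        NeedsAttention  = ($hwVersion -lt $minimumHardware) -or
                          ($cfg.Firmware -ne 'efi') -or
                          (-not $cfg.BootOptions.EfiSecureBootEnabled)
    }
} | Where-Object NeedsAttention | Sort-Object Host, Name | Format-Table -AutoSize
```

VMs listed here fail a prerequisite of step 1 or step 2 before the in-guest rollout even starts; grouping by Host also shows whether the failures cluster on one ESXi host, which points at the host-level patching check above.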

Notes from the Field

  • If the machine is domain-managed, local fixes can be overwritten. Check the winning GPO or MDM policy before repeating the same change.
  • Prefer read-only collection first on Windows incidents because many repair commands change component store, services, or user profile state.