{"id":11115,"date":"2025-04-01T10:28:03","date_gmt":"2025-04-01T10:28:03","guid":{"rendered":"https:\/\/mainvps.net\/blog\/?p=11115"},"modified":"2025-04-07T11:44:22","modified_gmt":"2025-04-07T11:44:22","slug":"enable-secure-boot-in-vmware-esxi","status":"publish","type":"post","link":"https:\/\/mainvps.net\/blog\/enable-secure-boot-in-vmware-esxi\/","title":{"rendered":"How to Enable Secure Boot in VMware ESXi"},"content":{"rendered":"\n<p>Given the increasing threats to cybersecurity, ensuring protection of your VMware ESXi hosts from unauthorized boot and firmware attacks is necessary. One of the best methods to secure your ESXi environment is through Secure Boot configuration.<\/p>\n\n\n\n<p>Secure Boot validates that only trusted, digitally signed code is executed during the booting process, eliminating the risks of rootkits, bootkits, and other forms of malware interfering with the ESXi hypervisor.<\/p>\n\n\n\n<p>In this guide, we\u2019ll walk you through <strong>enabling Secure Boot on ESXi<\/strong>, checking its status, and troubleshooting common issues.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"What_is_Secure_Boot_in_ESXi\"><\/span><strong>What is Secure Boot in ESXi?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p><strong>Secure Boot<\/strong> is a UEFI (Unified Extensible Firmware Interface) feature that verifies the integrity of the bootloader and OS kernel using cryptographic signatures.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"How_Does_Secure_Boot_Work_in_ESXi\"><\/span><strong>How Does Secure Boot Work in ESXi?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>UEFI Firmware Verification:<\/strong> The system verifies that all boot components are signed and trusted.<\/li>\n\n\n\n<li><strong>ESXi Kernel Integrity Check:<\/strong> VMware ESXi only loads modules and drivers that are properly signed.<\/li>\n\n\n\n<li><strong>Malware Prevention:<\/strong> Secure Boot blocks unauthorized code from executing at boot.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Benefits_of_Enabling_Secure_Boot_in_ESXi\"><\/span><strong>Benefits of Enabling Secure Boot in ESXi<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Prevents Boot-Level Attacks:<\/strong> Blocks unauthorized <a 
href=\"https:\/\/mainvps.net\/blog\/what-is-kvm\/\">kernel<\/a> modules and rootkits.<\/li>\n\n\n\n<li><strong>Ensures Kernel Integrity:<\/strong> Only signed VMware and vendor drivers\/modules are loaded.<\/li>\n\n\n\n<li><strong>Complies with Security Standards:<\/strong> Required for compliance with security frameworks like <strong><a href=\"https:\/\/www.cisecurity.org\/\" target=\"_blank\" rel=\"noopener\">CIS<\/a>, NIST, and PCI DSS<\/strong>.<\/li>\n\n\n\n<li><strong>No Performance Impact:<\/strong> Secure Boot does not slow down your system.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Step_1_Check_If_Secure_Boot_Is_Enabled_on_ESXi\"><\/span><strong>Step 1: Check If Secure Boot Is Enabled on ESXi<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Before enabling Secure Boot, check if it\u2019s already active.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Method_1_Check_Secure_Boot_Status_via_ESXi_Shell\"><\/span><strong>Method 1: Check Secure Boot Status via ESXi Shell<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>SSH into the ESXi host<\/strong> or access the ESXi <strong>Direct Console Interface (DCUI)<\/strong>.<\/li>\n\n\n\n<li>Run the following command: <code>esxcli system settings encryption get<\/code><\/li>\n\n\n\n<li>Look for <strong>Secure Boot Status<\/strong>:\n<ul class=\"wp-block-list\">\n<li><code>Enabled<\/code> \u2192 Secure Boot is active.<\/li>\n\n\n\n<li><code>Disabled<\/code> \u2192 Secure Boot is turned off.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Method_2_Check_Secure_Boot_in_vSphere_Client\"><\/span><strong>Method 2: Check Secure Boot in vSphere Client<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open the <strong>vSphere Web 
Client<\/strong>.<\/li>\n\n\n\n<li>Navigate to <strong>Host &gt; Configure &gt; Security Profile<\/strong>.<\/li>\n\n\n\n<li>Under the <strong>Secure Boot<\/strong> section, check the status.<\/li>\n<\/ol>\n\n\n\n<p>\ud83d\udccc <em>If Secure Boot is disabled, proceed to the next steps to enable it.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Step_2_Enable_Secure_Boot_in_ESXi\"><\/span><strong>Step 2: Enable Secure Boot in ESXi<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Secure Boot requires <strong>UEFI firmware<\/strong>. If your server is using <strong>Legacy BIOS mode<\/strong>, you must switch to UEFI first.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"1_Enable_UEFI_Boot_Mode_in_BIOS\"><\/span><strong>1. Enable UEFI Boot Mode in BIOS<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Reboot the ESXi Host<\/strong> and enter the BIOS\/UEFI settings (usually by pressing <code>F2<\/code>, <code>Del<\/code>, or <code>Esc<\/code> during startup).<\/li>\n\n\n\n<li>Navigate to the <strong>Boot Settings<\/strong> or <strong>Advanced Boot Options<\/strong>.<\/li>\n\n\n\n<li>Change <strong>Boot Mode<\/strong> from <code>Legacy<\/code> to <code>UEFI<\/code>.<\/li>\n\n\n\n<li>Save and Exit BIOS.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"2_Enable_Secure_Boot_in_UEFI\"><\/span><strong>2. 
Enable Secure Boot in UEFI<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Re-enter the BIOS\/UEFI settings.<\/li>\n\n\n\n<li>Find the <strong>Secure Boot<\/strong> option under <strong>Security<\/strong> or <strong>Boot Configuration<\/strong>.<\/li>\n\n\n\n<li>Set <strong>Secure Boot Mode<\/strong> to <strong>Enabled<\/strong>.<\/li>\n\n\n\n<li>Save changes and reboot the ESXi host.<\/li>\n<\/ol>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Step_3_Verify_Secure_Boot_in_ESXi_After_Enabling\"><\/span><strong>Step 3: Verify Secure Boot in ESXi After Enabling<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>After enabling Secure Boot, confirm that it is working correctly.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Check_Secure_Boot_via_ESXi_Shell\"><\/span><strong>Check Secure Boot via ESXi Shell<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>SSH into the ESXi host.<\/li>\n\n\n\n<li>Run: <code>esxcli system settings encryption get<\/code><\/li>\n\n\n\n<li>You should see <strong>Secure Boot: Enabled<\/strong>.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Verify_Secure_Boot_Using_vSphere_Client\"><\/span><strong>Verify Secure Boot Using vSphere Client<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open the vSphere Web Client.<\/li>\n\n\n\n<li>Go to <strong>Host &gt; Configure &gt; Security Profile<\/strong>.<\/li>\n\n\n\n<li>Check the <strong>Secure Boot<\/strong> status\u2014it should say <strong>Enabled<\/strong>.<\/li>\n<\/ol>\n\n\n\n<p>\ud83d\udccc <em>If Secure Boot is still disabled, check the BIOS settings again and ensure UEFI mode is enabled.<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"Step_4_Troubleshooting_Common_Issues\"><\/span><strong>Step 4: Troubleshooting Common Issues<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>If Secure Boot fails to enable, consider these fixes:<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Issue_1_Secure_Boot_Option_is_Missing_in_BIOS\"><\/span><strong>Issue 1: Secure Boot Option is Missing in BIOS<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\ud83d\udd39 <strong>Fix:<\/strong> Update your server\u2019s firmware to the latest version.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Issue_2_ESXi_Fails_to_Boot_After_Enabling_Secure_Boot\"><\/span><strong>Issue 2: ESXi Fails to Boot After Enabling Secure Boot<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\ud83d\udd39 <strong>Fix:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure <strong>UEFI boot mode is enabled<\/strong>.<\/li>\n\n\n\n<li>Some third-party drivers may not be signed\u2014check and replace them with VMware-certified drivers.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Issue_3_Secure_Boot_is_Enabled_but_ESXi_Still_Shows_It_as_Disabled\"><\/span><strong>Issue 3: Secure Boot is Enabled, but ESXi Still Shows It as Disabled<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\ud83d\udd39 <strong>Fix:<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Reboot ESXi and enter the BIOS again.<\/li>\n\n\n\n<li>Disable and then re-enable Secure Boot.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Step_5_Ensure_All_ESXi_Components_are_Secure_Boot_Compatibl\"><\/span><strong>Step 5: Ensure All ESXi Components are Secure Boot Compatible<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>To prevent boot issues, make sure all <strong>drivers, modules, and VIBs (VMware Installation Bundles)<\/strong> 
are signed.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Check_Installed_VIBs_for_Secure_Boot_Compatibility\"><\/span><strong>Check Installed VIBs for Secure Boot Compatibility<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Run:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">esxcli software vib list | grep -i \"unsigned\"<\/pre>\n\n\n\n<p>If you see any <strong>unsigned<\/strong> VIBs, update them with signed versions or remove them.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Remove_Unsigned_VIBs\"><\/span><strong>Remove Unsigned VIBs<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Replace <code>VIB_NAME<\/code> with the VIB name exactly as shown in the <code>esxcli software vib list<\/code> output:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">esxcli software vib remove -n VIB_NAME<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Update_ESXi_to_the_Latest_Version\"><\/span><strong>Update ESXi to the Latest Version<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Keeping ESXi updated ensures <strong>secure boot compatibility<\/strong> and patches known security vulnerabilities. Replace <code>ESXi-8.x-XXXXXX<\/code> with the name of the image profile you want to apply:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">esxcli software profile update -d https:\/\/hostupdate.vmware.com\/software\/VUM\/PRODUCTION\/main\/vmw-depot-index.xml --profile ESXi-8.x-XXXXXX<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Step_6_Enable_TPM_for_Additional_Security\"><\/span><strong>Step 6: Enable TPM for Additional Security<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>For <strong>stronger security<\/strong>, enable <strong>Trusted Platform Module (TPM)<\/strong> alongside Secure Boot.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Enable_TPM_in_BIOS\"><\/span><strong>Enable TPM in BIOS<\/strong><span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Restart the ESXi host and enter the BIOS.<\/li>\n\n\n\n<li>Go to <strong>Security Settings<\/strong>.<\/li>\n\n\n\n<li>Enable <strong>TPM (Trusted Platform Module)<\/strong>.<\/li>\n\n\n\n<li>Save and exit BIOS.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Check_TPM_Status_in_ESXi\"><\/span><strong>Check TPM Status in ESXi<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Run:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">esxcli hardware trustedboot get<\/pre>\n\n\n\n<p>If TPM is enabled, it will show <strong>TPM: Active<\/strong>.<\/p>\n\n\n\n<p>\ud83d\udd39 <strong>Why Enable TPM?<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>TPM <strong>stores cryptographic keys<\/strong> securely.<\/li>\n\n\n\n<li>Prevents <strong>tampering and unauthorized changes<\/strong> to ESXi.<\/li>\n\n\n\n<li>Required for <strong>vSphere 8 security features<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span><strong>Conclusion<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>One of the key ways to combat boot level attacks on your virtual infrastructure is enabling Secure Boot in VMware ESXi. 
Combined with sound code-integrity practices, it ensures that rootkits, malware, and other unauthorized code modifications cannot displace the signed components the host is meant to run.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Quick_Summary_of_Steps\"><\/span><strong>Quick Summary of Steps:<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>1: Review the current status of Secure Boot.<br>2: Change the BIOS to UEFI mode.<br>3: Enable Secure Boot in the UEFI menu.<br>4: Check the status of Secure Boot in ESXi.<br>5: Keep only signed VIBs installed.<br>6: Enable TPM.<\/p>\n\n\n\n<p>By following this guide, your <strong>ESXi hosts will be more secure<\/strong> and compliant with modern cybersecurity best practices.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"FAQs\"><\/span><strong>FAQs<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"1_Can_I_enable_Secure_Boot_on_an_existing_ESXi_installation\"><\/span><strong>1. Can I enable Secure Boot on an existing ESXi installation?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Yes! You just need to <strong>switch to UEFI mode in BIOS<\/strong> and enable Secure Boot. However, ensure that all <strong>drivers and modules are signed<\/strong> to avoid boot issues.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"2_Does_Secure_Boot_impact_ESXi_performance\"><\/span><strong>2. Does Secure Boot impact ESXi performance?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>No, Secure Boot does not affect ESXi performance\u2014it only verifies the integrity of boot components.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"3_Can_I_disable_Secure_Boot_after_enabling_it\"><\/span><strong>3. 
Can I disable Secure Boot after enabling it?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>Yes, you can disable Secure Boot anytime by changing the <strong>UEFI settings in BIOS<\/strong>. However, this reduces security.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"4_Does_Secure_Boot_require_a_TPM_module\"><\/span><strong>4. Does Secure Boot require a TPM module?<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>No, but <strong>enabling TPM (Trusted Platform Module)<\/strong> adds additional security benefits.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Given the increasing threats to cybersecurity, ensuring protection of your VMware ESXi hosts from unauthorized boot and firmware attacks is necessary. One of the best methods <a class=\"read-more-link\" href=\"https:\/\/mainvps.net\/blog\/enable-secure-boot-in-vmware-esxi\/\">Read More<\/a><\/p>\n","protected":false},"author":4,"featured_media":11168,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[],"class_list":["post-11115","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-servers"],"_links":{"self":[{"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/posts\/11115","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/comments?post=11115"}],"version-history":[{"count":4,"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/posts\/11115\/revisions"}],"predecessor-version":[{"id":11120,"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/posts\/11115\/revisions\/11120"}],"wp:fea
turedmedia":[{"embeddable":true,"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/media\/11168"}],"wp:attachment":[{"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/media?parent=11115"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/categories?post=11115"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mainvps.net\/blog\/wp-json\/wp\/v2\/tags?post=11115"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}