After you upgrade an ESXi host from an older version of ESXi that did not support UEFI secure boot, you may be able to enable secure boot. Whether you can enable secure boot depends on how you performed the upgrade and whether the upgrade replaced all of the existing VIBs or left some VIBs unchanged. You can run a validation script after you perform the upgrade to determine whether the upgraded installation supports secure boot.

For secure boot to succeed, the signature of every installed VIB must be available on the system. Older versions of ESXi do not save the signatures when installing VIBs.

UEFI secure boot requires that the original VIB signatures are persisted. Older versions of ESXi do not persist the signatures, but the upgrade process updates the VIB signatures.
  • If you upgrade using ESXCLI commands, upgraded VIBs do not have persisted signatures. In that case, you cannot perform a secure boot on that system.
  • If you upgrade using the ISO the upgrade process saves the signatures of all new VIBs. This also applies to upgrades of vSphere Update Manager that use the ISO.

If any old VIBs remain on the system the signatures of those VIBs still are not available and secure boot is not possible.

For example, if the system uses a 3rd-party driver, and the VMware upgrade does not include a new version of the driver VIB, then the old VIB remains on the system after the upgrade. In rare cases VMware may drop ongoing development of a specific VIB without providing a new VIB that replaces or obsoletes it, so the old VIB remains on the system after upgrade.

UEFI secure boot also requires an up-to-date bootloader. This script does not check for an up-to-date bootloader.


  • Verify that the hardware supports UEFI secure boot.
  • Verify that all VIBs are signed with an acceptance level of at least PartnerSupported. If you include VIBs at the CommunitySupported level, you cannot use secure boot.


  1. Upgrade the ESXi and run the following command.
    /usr/lib/vmware/secureboot/bin/ -c
  2. Check the output.
    The output either includes Secure boot can be enabled or Secure boot CANNOT be enabled.