
How do virtual machines and ESXi hosts get protected by VMware secure boot? | TechTarget

The new VMware secure boot feature in vSphere 6.5 comes in two forms: secure boot for ESXi and secure boot for virtual machines. Secure boot for VMs only allows users to load signed drivers to a particular VM, which adds a layer of security against malware, viruses and spyware. Secure boot also prevents the startup of VMs with corrupted drivers. This is especially important in enterprise environments, in which data must be kept highly secure.

VMware secure boot for VMs


In order to use secure boot for VMs, the guest OS must support secure boot. If it doesn't, the boot process will stop and the VM won't boot. Fortunately, most modern OSes, including VMware Photon OS, Red Hat Enterprise Linux, Windows 8 or later and Windows Server 2012 or later, do support secure boot.

Before you can enable secure boot, make sure the VM is configured to run Extensible Firmware Interface (EFI) firmware. The VM must also run virtual hardware 13, also known as vmx-13, which is new to vSphere 6.5.

The vSphere Web Client exposes the option in the VM's settings: if the VM is configured with EFI firmware, the Secure Boot check box is visible. Select this check box to enable secure boot.

Figure: Enable secure boot for virtual machines.
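As an added example (not code from the article or from VMware), the following PowerCLI script audits every VM against the prerequisites above (EFI firmware and virtual hardware 13 or later), reports whether secure boot is already on, and then enables it on one eligible, powered-off VM. It assumes PowerCLI is installed, Connect-VIServer has already been run, and that `$vmName` is a placeholder you replace with a VM whose guest OS supports secure boot.

```powershell
# Added example, not from the article. Requires an active PowerCLI session
# (Connect-VIServer) against vCenter or an ESXi 6.5+ host.

# Audit: which VMs meet the secure boot prerequisites, and which already have it on.
$report = foreach ($vm in Get-VM) {
    $cfg = $vm.ExtensionData.Config
    # Config.Version looks like 'vmx-13'; strip the prefix to compare numerically.
    $hwVersion = [int]($cfg.Version -replace '^vmx-', '')
    [pscustomobject]@{
        Name        = $vm.Name
        Firmware    = $cfg.Firmware                                  # 'bios' or 'efi'
        HardwareVer = $cfg.Version                                   # needs vmx-13 or later
        SecureBoot  = [bool]$cfg.BootOptions.EfiSecureBootEnabled    # current setting
        Eligible    = ($cfg.Firmware -eq 'efi') -and ($hwVersion -ge 13)
    }
}
$report | Sort-Object Eligible, Name | Format-Table -AutoSize

# Enable secure boot on a single VM that passed the audit.
# $vmName is a placeholder; the VM must be powered off and already use EFI,
# since flipping an installed OS from BIOS to EFI would leave it unbootable.
$vmName = 'REPLACE-WITH-VM-NAME'
$target = Get-VM -Name $vmName
$targetCfg = $target.ExtensionData.Config
if ($target.PowerState -ne 'PoweredOff') { throw "Power off $vmName before changing boot options." }
if ($targetCfg.Firmware -ne 'efi') { throw "$vmName uses BIOS firmware; secure boot requires EFI." }
if ([int]($targetCfg.Version -replace '^vmx-', '') -lt 13) { throw "$vmName needs hardware version vmx-13 or later." }

$spec = New-Object VMware.Vim.VirtualMachineConfigSpec
$spec.BootOptions = New-Object VMware.Vim.VirtualMachineBootOptions
$spec.BootOptions.EfiSecureBootEnabled = $true
$target.ExtensionData.ReconfigVM($spec)

# Re-read the setting to confirm the change took effect.
(Get-VM -Name $vmName).ExtensionData.Config.BootOptions.EfiSecureBootEnabled
```

If a VM fails the hardware version check, upgrade it with Set-VM -HardwareVersion vmx-13 (while powered off) before re-running the enable step.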

VMware secure boot for ESXi


You can also enable VMware secure boot at the ESXi host level. Secure boot for ESXi uses Unified Extensible Firmware Interface (UEFI) firmware to validate the digital signature of the ESXi kernel against a digital certificate in the UEFI firmware. This ensures only a properly signed kernel boots.

ESXi is made up of digitally signed packages called vSphere Installation Bundles (VIBs). The ESXi file system maps to the content of these packages. During the boot process, the ESXi kernel checks each VIB against the UEFI firmware's digital certificate. This prevents ESXi hosts with unsigned kernels from booting.

If you enable secure boot for ESXi hosts, you won't be able to install unsigned code on ESXi, including unsigned drivers. This guarantees that, with secure boot enabled, ESXi runs only code that VMware has digitally signed.
