If your hardware supports UEFI secure boot, you might be able to enable secure boot for the ESXi host. Whether that is possible depends on how you performed the upgrade. You can run a validation script after you perform the upgrade to determine whether it supports secure boot.

UEFI secure boot requires that the original VIB signatures are persisted. Older versions of ESXi do not persist the signatures, but the upgrade process updates the VIB signatures.

If you upgrade using the ISO, upgraded VIBs have persisted signatures.

If you upgrade using ESXCLI commands, upgraded VIBs do not have persisted signatures. In that case, you cannot perform a secure boot on that system.

Even if you upgrade using the ISO, the upgrade process cannot persist signatures of third-party VIBs. In that case, secure boot on the system fails.


UEFI secure boot also requires an up-to-date bootloader. This script does not check for an up-to-date bootloader.

Verify that the hardware supports UEFI secure boot.

Verify that all VIBs are signed with an acceptance level of at least PartnerSupported. If you include VIBs at the CommunitySupported level, you cannot use secure boot.


Upgrade the ESXi and run the following command.

/usr/lib/vmware/secureboot/bin/secureBoot.py -c

Check the output.

The output either includes Secure boot can be enabled or Secure boot CANNOT be enabled.