Blog Post

Windows IT Pro Blog
8 MIN READ

Secure Boot playbook for certificates expiring in 2026

Ashis_Chatterjee's avatar
Ashis_Chatterjee
Icon for Microsoft rankMicrosoft
Nov 13, 2025
Have questions? Join the Secure Boot Ask Microsoft Anything (AMA), December 10 at 8:00 AM PST. The first set of tools and steps are now available to help you proactively update your Secure Boot...
Updated Dec 05, 2025
Version 8.0
servicing and updates
banduraj's avatar
banduraj
Copper Contributor
Dec 12, 2025

As mentioned by others already, the FAQ is not helpful at all when it comes to updating Hyper-V VM's. Following either the process for updating Secure Boot using the registry or group policy puts all existing Windows Server 2019 and 2022 Hyper-V VM's in a state where Event ID 1795 are generated with either the message "The system firmware returned an error The media is write protected. when attempting to update a Secure Boot variable KEK 2023." or "The system firmware returned an error The media is write protected. when attempting to update a Secure Boot variable 4.". All new Hyper-V VM's (either 2019 or 2022) built are updated and do not exhibit this issue.

Proper guidance on how to correctly and complete update existing Hyper-V VM's would be helpful. Thank you.

  • Brent-H's avatar
    Brent-H
    Brass Contributor
    Dec 12, 2025

    Thanks for your post mentioning that all newly created VMs have the KEK updated. 

    That led me to try setting the secure boot template (in Hyper-V manager, VM settings, Security) to "Microsoft UEFI Certificate Authority" and then booting. That failed to boot (appears to only trust 3rd-party images, e.g. Linux) but once I changed it back to "Microsoft Windows", Windows booted, and the KEK was updated. I then tried the same on a 2019 VM on a 2019 host - shut down VM, change template to "Microsoft UEFI Certificate Authority", click Apply, change template to "Microsoft Windows", click apply/OK, start the VM, and it appears to have worked.

     

    This device has updated Secure Boot CA/keys. This device signature information is included here.
    DeviceAttributes: FirmwareManufacturer:Microsoft Corporation;FirmwareVersion:Hyper-V UEFI Release v4.1;OEMModelNumber:Virtual Machine;OEMManufacturerName:Microsoft Corporation;OSArchitecture:amd64;
    BucketId: [redacted]
    BucketConfidenceLevel: 
    UpdateType: Windows UEFI CA 2023 (DB), Option ROM CA 2023 (DB), 3P UEFI CA 2023 (DB), KEK 2023, Boot Manager (2023)
    For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018.

     

    It looks like this can also be done in PowerShell using https://learn.microsoft.com/en-us/powershell/module/hyper-v/set-vmfirmware?view=windowsserver2025-ps, e.g.

    Get-VM -Name server22vm | Set-VMFirmware -SecureBootTemplate MicrosoftUEFICertificateAuthority

    Get-VM -Name server22vm | Set-VMFirmware -SecureBootTemplate MicrosoftWindows

    • banduraj's avatar
      banduraj
      Copper Contributor
      Dec 16, 2025

      Yup, this appears to be a working fix for both Server 2019 and 2022. I have coded it this way for a single VM. Will probably do something more elaborate to update our entire environment.

       

      $vmName = "my-vm-name"
$hostServer = "my-host-server"

$vm = Get-VM -Name $vmName -ComputerName $hostServer
Stop-Computer -Force -ComputerName $vmName
while ($vm.State -ne "Off") { Start-Sleep -Seconds 1 }
$vm | Set-VMFirmware -SecureBootTemplate MicrosoftUEFICertificateAuthority
$vm | Set-VMFirmware -SecureBootTemplate MicrosoftWindows
$vm | Start-VM

       

      Awesome work. Great find.

      • banduraj's avatar
        banduraj
        Copper Contributor
        Dec 16, 2025

        As a follow up, this fix does not work for VM's where the TPM has been enabled and initialized.