Microsoft
MicrosoftGuidance for VM's can be found in Secure Boot FAQ:
Frequently asked questions about the Secure Boot update process - Microsoft Support
aka.ms/getsecureboot->Q5 in IT managed section
As mentioned by others already, the FAQ is not helpful at all when it comes to updating Hyper-V VM's. Following either the process for updating Secure Boot using the registry or group policy puts all existing Windows Server 2019 and 2022 Hyper-V VM's in a state where Event ID 1795 are generated with either the message "The system firmware returned an error The media is write protected. when attempting to update a Secure Boot variable KEK 2023." or "The system firmware returned an error The media is write protected. when attempting to update a Secure Boot variable 4.". All new Hyper-V VM's (either 2019 or 2022) built are updated and do not exhibit this issue.
Proper guidance on how to correctly and complete update existing Hyper-V VM's would be helpful. Thank you.
Thanks for your post mentioning that all newly created VMs have the KEK updated.
That led me to try setting the secure boot template (in Hyper-V manager, VM settings, Security) to "Microsoft UEFI Certificate Authority" and then booting. That failed to boot (appears to only trust 3rd-party images, e.g. Linux) but once I changed it back to "Microsoft Windows", Windows booted, and the KEK was updated. I then tried the same on a 2019 VM on a 2019 host - shut down VM, change template to "Microsoft UEFI Certificate Authority", click Apply, change template to "Microsoft Windows", click apply/OK, start the VM, and it appears to have worked.
This device has updated Secure Boot CA/keys. This device signature information is included here.
DeviceAttributes: FirmwareManufacturer:Microsoft Corporation;FirmwareVersion:Hyper-V UEFI Release v4.1;OEMModelNumber:Virtual Machine;OEMManufacturerName:Microsoft Corporation;OSArchitecture:amd64;
BucketId: [redacted]
BucketConfidenceLevel:
UpdateType: Windows UEFI CA 2023 (DB), Option ROM CA 2023 (DB), 3P UEFI CA 2023 (DB), KEK 2023, Boot Manager (2023)
For more information, please see https://go.microsoft.com/fwlink/?linkid=2301018.
It looks like this can also be done in PowerShell using https://learn.microsoft.com/en-us/powershell/module/hyper-v/set-vmfirmware?view=windowsserver2025-ps, e.g.
Get-VM -Name server22vm | Set-VMFirmware -SecureBootTemplate MicrosoftUEFICertificateAuthority
Get-VM -Name server22vm | Set-VMFirmware -SecureBootTemplate MicrosoftWindows
$vm | Set-VMFirmware -SecureBootTemplate MicrosoftUEFICertificateAuthority
$vm | Set-VMFirmware -SecureBootTemplate MicrosoftWindows
Set-VMFirmware : 'VM-NAME' failed to modify settings.
Cannot modify the secure boot template ID property.
'VM-NAME' failed to modify settings. (Virtual machine ID GUID)
Cannot modify the secure boot template ID property after the virtual TPM is initialized.This won't work - it would try to shutdown the computer instead of the VM and should fail with RPC unavailable.
Stop-Computer -Force -ComputerName $vmName
Yup, this appears to be a working fix for both Server 2019 and 2022. I have coded it this way for a single VM. Will probably do something more elaborate to update our entire environment.
$vmName = "my-vm-name"
$hostServer = "my-host-server"
$vm = Get-VM -Name $vmName -ComputerName $hostServer
Stop-Computer -Force -ComputerName $vmName
while ($vm.State -ne "Off") { Start-Sleep -Seconds 1 }
$vm | Set-VMFirmware -SecureBootTemplate MicrosoftUEFICertificateAuthority
$vm | Set-VMFirmware -SecureBootTemplate MicrosoftWindows
$vm | Start-VM
Awesome work. Great find.
As a follow up, this fix does not work for VM's where the TPM has been enabled and initialized.