Brent-H, I can confirm that updating the Secure Boot DB certificates from inside a Hyper-V VM works, but updating the KEK certificate from inside a Hyper-V VM does NOT work and just ends with the event log error message 1795 (The system firmware returned an error The media is write protected ...) you already cited. I tested this with Win11 v25H2 installed in the Hyper-V VM, Patch Tuesday 11 November 2025 updates applied, C:\Windows\system32\SecureBootUpdates\KEKUpdateCombined.bin updated 12 November 2025 17:19 ... that was the timestamp when the Patch Tuesday cumulative hotfix was installed in the VM.
So either the KEKUpdateCombined.bin still doesn't contain a suitable KEK signed with the "Microsoft Hyper-V Firmware PK" (Platform Key), or the Hyper-V UEFI implementation (the host is running on fully patched Windows 11 v25H2 too) doesn't allow updating the KEK. Seems Microsoft has to fix this.
When I search through https://github.com/microsoft/secureboot_objects/tree/main/PostSignedObjects/KEK/Microsoft, I think the needed KEK signed with "Microsoft Hyper-V Firmware PK" should be the file KEKUpdate_Microsoft_PK1.bin ... BUT I have no idea if this is merged into KEKUpdateCombined.bin.
If you create a new VM on a fully patched Windows 11 v25H2 Hyper-V host, then the UEFI of this new VM is already initialized with both the 2011 + 2023 KEK certificates.
Ashis_Chatterjee pointed to the FAQ, but the FAQ doesn't answer why there is currently no working way of updating the KEK of an existing Hyper-V VM.
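
One way to check which KEK certificates a VM actually has enrolled, as an added example that is not part of the original post: it parses the raw KEK variable data (for instance the bytes returned by `Get-SecureBootUEFI KEK`) as EFI_SIGNATURE_LIST structures and looks for the 2011 and 2023 certificate names. The certificate names searched for, the placeholder owner GUID and the two sample blobs are assumptions constructed for the example.

```python
import struct
import uuid

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")
# Assumption: subject names of the 2011 and 2023 Microsoft KEK certificates.
KEK_NAMES = {
    "2011": b"Microsoft Corporation KEK CA 2011",
    "2023": b"Microsoft Corporation KEK 2K CA 2023",
}

def parse_esl(blob):
    """Yield (type, owner, data) for every entry of concatenated EFI_SIGNATURE_LISTs."""
    off = 0
    while off < len(blob):
        if len(blob) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=blob[off:off + 16])  # EFI GUIDs are mixed-endian
        list_size, hdr_size, sig_size = struct.unpack_from("<III", blob, off + 16)
        if sig_size <= 16 or list_size < 28 + hdr_size or off + list_size > len(blob):
            raise ValueError("inconsistent EFI_SIGNATURE_LIST sizes")
        body = blob[off + 28 + hdr_size:off + list_size]
        if len(body) % sig_size:
            raise ValueError("entries do not fill the list exactly")
        for i in range(0, len(body), sig_size):
            owner = uuid.UUID(bytes_le=body[i:i + 16])
            yield sig_type, owner, body[i + 16:i + sig_size]
        off += list_size

def kek_status(blob):
    """Report which of the KEK_NAMES appear in the X.509 entries (plain ASCII match)."""
    certs = [data for t, _, data in parse_esl(blob) if t == EFI_CERT_X509_GUID]
    return {year: any(name in c for c in certs) for year, name in KEK_NAMES.items()}

def make_esl(owner, data):
    """Build a one-entry X.509 signature list (used only for the constructed samples)."""
    sig = owner.bytes_le + data
    header = struct.pack("<III", 28 + len(sig), 0, len(sig))
    return EFI_CERT_X509_GUID.bytes_le + header + sig

# Constructed samples: placeholder owner GUID and stand-in bytes, not real certificates.
OWNER = uuid.UUID("00000000-0000-0000-0000-000000000001")
OLD_VM_KEK = make_esl(OWNER, b"\x30\x82" + KEK_NAMES["2011"])
NEW_VM_KEK = OLD_VM_KEK + make_esl(OWNER, b"\x30\x82" + KEK_NAMES["2023"])

if __name__ == "__main__":
    print("existing VM:", kek_status(OLD_VM_KEK))
    print("new VM:     ", kek_status(NEW_VM_KEK))
```

The input must be the variable data only; a dump that carries a leading attributes field (as Linux efivarfs files do) needs that prefix removed first.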