Cant find my previous comment asking about updating EXISTING (aka long running) Hyper-v gen2 VM's
and it failing to update the uefi side of things  (for the KEK)

Error 1795 on Test VM – “Medium is write protected”

• Meaning: Event ID 1795 indicates that Windows attempted to update a Secure Boot variable (DB, DBX, or KEK) in the firmware, but the firmware returned an error. In your case, the error text suggests the UEFI firmware reported the storage medium as write-protected.
• Why it happens: This typically occurs in virtualized environments where Secure Boot variables are emulated and may not allow OS-initiated writes. It can also happen if the VM configuration does not support Secure Boot updates or if the virtual firmware is locked down.