Event details
Unable to perform update on Hyper-V VM in test environment
Log Name: System
Source: Microsoft-Windows-TPM-WMI
Date: 2/2/2026 12:34:04 AM
Event ID: 1795
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: ABCDWin11.gpmn.test.com
Description:
The system firmware returned an error The media is write protected. when attempting to update a Secure Boot variable KEK 2023. This device signature information is included here.
DeviceAttributes: FirmwareManufacturer:Microsoft Corporation;FirmwareVersion:Hyper-V UEFI Release v4.1;OEMModelNumber:Virtual Machine;OEMManufacturerName:Microsoft Corporation;OSArchitecture:amd64;
BucketId: 4e22d051e8c143d2875b9d16ef2241c7ec548985a21e5073126d3c1f9bf53bb2
BucketConfidenceLevel: .
This Event ID (1795) is preventing a Hyper-V VM Generation 2 CV 10.0 running the Windows 11 version 25H2 O/S on a Hyper-V Host Server (Dell PowerEdge T140) System, that has successfully updated the BIOS Firmware, and Microsoft 2023 Secure Boot Certificates, and has UEFI and "Secure Boot" turned on within the server configuration settings.
- mihi, Feb 02, 2026, Brass Contributor
This is a known issue (read the other comments here). Will probably be fixed with the cumulative update in March, to be applied to the Hyper-V host. Workaround (if you care) is to suspend BitLocker (if used), and then move the virtual hard disk to a freshly created Gen 2 VM (after updating the host to have the cumulative January patches, if not already done). The freshly created VM will receive the new KEK in the Secure Boot template and the rest of the process can continue.
- kumarshai88hotmailco, Mar 11, 2026, Copper Contributor
Can we have an update on whether the March CU release has a fix for Error event ID 1795? I installed the March CU on the Hyper-V host but am still getting the same event 1795.
- CJM_419, Mar 23, 2026, Occasional Reader
You will have to make sure that the Hyper-V Guest Gen 2 VM isn't too old, which means it can't have been created before the year 2023. If it is older, the Secure Boot Certificates update process will be stuck in the "In Progress" mode.
Found the following information in a Reddit Hyper-V Forum:
Newly created VMs will use the new Secure Boot from the Host Server; existing VMs cannot, under any circumstances, use the new Secure Boot CA Certificates.
Why?:
Microsoft's position on this is if there is a new trusted root, it can only be applied to new VMs.
Your Option:
Create a new Generation 2 VM after you have shut down the older VM. Make sure the older VM is using the UEFI Boot Mode and Secure Boot is turned on, and make sure that you have catalogued the settings of the older VM, which will be used in the new one.
To be on the safe side, you can export a backup copy of the older VM to another drive or external hard drive before you delete the older VM.
Once you delete the older VM, it will only delete the files within the "Virtual Machine" folder, but all of the .vhdx disk files will remain within the "Virtual Hard Drives" folder.
You must also rename the older VM folder: add _old to the end of its name.
Create the new Gen 2 VM using the prior name and folder location that the older Gen 2 VM is residing within, but when you are initially configuring it, select the option to "Add Hard Drive Disks Later" and close settings.
Open the older Gen 2 folder and drag the "Virtual Hard Disks" folder into the new Gen 2 VM folder, then reopen settings and attach the disk drives to this new system, and make sure you add all of the other settings you had catalogued from the older system. Apply all settings.
You are now ready to "Start" the newly created VM which after a moment should load successfully.
Once you successfully log in to the new VM, open the "Computer Management" Windows Logs System view and filter the view to see if the following Event IDs are present in this succession (1801, 1800, 1808).
You can also open the Registry Editor to check the "Servicing Status" subfolder within this view:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot
It will indicate either Not Started, In Progress, or Updated.
If you see "Not Started" indicated, open the PowerShell Admin Command Prompt and run:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f
Then run:
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Give it a few minutes and recheck the Registry Editor "Servicing Status" view; it should show "In Progress".
Then restart the new Gen 2 VM; after logging back on, the "Servicing Status" view should show "Updated".
Give it about 10 or 15 minutes and the filtered "Computer Management" Windows Log System view should then show the Event ID 1808, and you will have then successfully updated the secure boot certificates.
One final note, if you have additional disk drives connected to the new VM from the old VM other than the Local Disk C:\ Boot Drive, you will need to go into the "Computer Management" Disk Management view and put those "Offline" drives back into an "Online" mode.
You are done!
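
The verification steps described in the post above (Secure Boot state, the registry key, and the event sequence) can be collected in one read-only pass. This is an added example, not part of the original thread or Microsoft's tooling; it assumes an elevated PowerShell session inside the guest and uses only the event source, event IDs and registry key quoted in the thread, plus the built-in Confirm-SecureBootUEFI and Get-WinEvent cmdlets.

```powershell
# Added example: read-only status check. Nothing here writes to the registry or firmware.
$provider = 'Microsoft-Windows-TPM-WMI'      # event source shown in the thread
$eventIds = 1795, 1800, 1801, 1808           # event IDs named in the thread
$keyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'   # key named in the thread

# 1. Is Secure Boot enforced by the firmware? (throws on non-UEFI / Gen 1 guests)
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = "unknown ($($_.Exception.Message))" }
"Secure Boot enabled: $secureBoot"

# 2. Dump every value under the key and its subkeys instead of assuming value names.
$keys = @(Get-Item -Path $keyPath -ErrorAction SilentlyContinue) +
        @(Get-ChildItem -Path $keyPath -Recurse -ErrorAction SilentlyContinue)
$rows = foreach ($key in $keys) {
    foreach ($name in $key.GetValueNames()) {
        $value = $key.GetValue($name)
        if ($value -is [byte[]]) { $value = "<binary, $($value.Length) bytes>" }
        elseif ($value -is [int]) { $value = '0x{0:X}' -f $value }   # show DWORDs as hex
        [pscustomobject]@{ Key = $key.PSChildName; Name = $name; Value = $value }
    }
}
$rows | Format-Table -AutoSize

# 3. Secure Boot servicing events, oldest first, so the succession is visible.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = $provider; Id = $eventIds
} -ErrorAction SilentlyContinue | Sort-Object TimeCreated
$events | Select-Object TimeCreated, Id, LevelDisplayName | Format-Table -AutoSize

# 4. Summarise using the meanings given in the thread.
$latest = $events | Select-Object -Last 1
if (-not $latest) {
    'No Secure Boot servicing events from this source in the System log.'
} elseif ($latest.Id -eq 1808) {
    'Latest event is 1808: the thread treats this as a completed certificate update.'
} elseif ($latest.Id -eq 1795) {
    'Latest event is 1795: firmware rejected the variable write. Full message:'
    $latest.Message
} else {
    "Latest event is $($latest.Id): update not yet confirmed by event 1808."
}
```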