You will have to make sure you that the Hyper-V Guest Gen 2 VM isn't too old, which means it can't be created before the Year 2023, if it is older the Secure Boot Certificates update process will be stuck in the "In Progress" Mode.

Found the following information in a Reddit Hyper-V Forum:

Newly created VMs will use the new Secure Boot from the Host Server, existing VMs can not, under any circumstances use the new Secure Boot CA Certificates.

Why?:

Microsoft's position on this is if there is a new trusted root, it can only be applied to new VMs.

Your Option:

Create a new Generation 2 VM after you have shutdown the older VM, Make sure the older VM is using the UEFI Boot Mode and Secure Boot is turned on, make sure that you have catalogued the settings of the older VM, that will be used in the new one.

To be on the safe side you can Export a backup copy of the older VM to another drive or external hard drive before you delete the older VM.

Once you delete the older VM, it will only delete the files within the "Virtual Machine" folder, but all of the .vhdx disk files will remain within the "Virtual Hard Drives" folder.

You must also rename the older VM folder name add _old to the end of it.

Create the new Gen 2 VM using the prior name and folder location that the older Gen 2 is residing within, but when you are initially configuring the select the option to "Add Hard Drive Disks Later" close settings.

Open the older Gen 2 folder name and drag the "Virtual Hard Disks" folder into the the new Gen 2 VM folder, then re open settings and attach the disk drives to this new systems, and make sure you add all of the other settings you had catalogued from the older system, apply all settings.

You are now ready to "Start" the newly created VM which after a moment should load successfully.

Once you successfully login to the new VM open the "Computer Management" Windows Logs System view and Filter the view to see if the following Event IDs are present in this succession (1801, 1800, 1808).

You can also open the Registry Editor to check the "Servicing Status" subfolder within this view:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot

It will either indicate (Not Started, In Progress, or Updated)

If you see "Not Started" indicated open the PowerShell Admin Command Prompt and run:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x5944 /f

Then run:

Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"

Give it a few minutes, and recheck the Registry Editor "Servicing Status" view should show "In Progress"

The restart the new Gen 2 VM, after logging back on the "Servicing Status view should show "Updated"

Give it about 10 or 15 minutes and the filtered "Computer Management" Windows Log System view should then show the Event ID 1808, and you will have then successfully updated the secure boot certificates.

One final note, if you have additional disk drives connected to the new VM from the old VM other than the Local Disk C:\ Boot Drive, you will need to go into the "Computer Management" Disk Management view and put those "Offline" drives back into an "Online" mode.

You are done!

The March updates need to be applied to both the host and the guest:

• Host changes to allow KEK updates to NVRAM
• Guest changes to include a Hyper-V PK signed KEK that the guest can use to apply to the NVRAM

Patching both is necessary.

My intuition is that 1795 means the host is rejecting the update, which implies that the host needs an update. If the host is updated and the guest is not, I believe the guest will get an 1803 event saying it couldn't find a KEK.