Event details
We have an air-gapped environment with Windows 2019 servers, and on them some Hyper-V VMs.
Because the environment is air-gapped, we can only install patches once a year. We are on patch KB5062557 and are now trying to refresh the certs on our boxes with the registry keys and by starting the scheduled task. This works fine on the physical ones, but we have problems on the VMs. Sometimes the current KEK is updated, sometimes not (Microsoft Corporation KEK 2K CA 2023); the same goes for the current UEFI DB (here we sometimes do not get the 2023 certificates).
Is there a proven and, let's say, stable way to refresh the certificates on the VMs, and what has to be done to "avoid" the error "1795 - The system firmware returned an error The media is write protected"? We tested switching the SecureBootTemplate, but as I wrote, it seems to work only sometimes.