I've done all of the same procedures on my Hyper-V guest Windows 2022 servers I did to my workstations but the certificates are not updating fully. I get a 1799 but no 1808.
Are we still awaiting patches for this from Microsoft?
EDIT: March cumulative on the host and working on guests now. All of them are getting certs now.
- Cliff_Hughes, Mar 10, 2026, Copper Contributor
I can confirm the March 2026 cumulative updates installed on the Hyper V Host, and on the guest VMs (in my case it was Server 2019 that was not getting the updated Secure Boot Certificates). Once the March patches were installed and I restarted the servers it took a short time, but they both now show the Updated status as desired.
- Chughes1210, Mar 10, 2026, Copper Contributor
I have both Server 2022 and Server 2019 VMs in Hyper V on Windows 11 24H2. I have updated the certificates on the host, and the Server 2022 VMs with the registry update, forced them to update successfully after a reboot or two. The same host's Server 2019 VMs are getting the Event ID 1795 with the error that the media is write protected. Error code in the registry is showing in progress with this code 0x80070013, which is media is write protected. Not sure what else to try. I am going to upgrade the host to 25H2 and see if that changes anything, but I don't see why it would.
- Arden_White, Mar 10, 2026, Microsoft
My guess as to what's going on is that everything is complete except for the KEK. There's a fix in Hyper-V coming out today (applied to the server) that allows guest VMs to update the KEK. If you look back in the events (SYSTEM log, TPM-WMI source) you might see an event 1795 where it says it cannot apply the KEK.
If this is the case, applying the March updates to the Hyper-V server(s) should allow the KEK updates to apply.
- Chewychewytoo, Mar 10, 2026, Copper Contributor
Going to try that, my Server 2022 VMs updated, but Server 2019 VMs did not, stating that the TPM was write protected in the 1795 system event.
- Arden_White, Mar 10, 2026, Microsoft
One thing I forgot to say - in addition to the Hyper-V fix on the server side, the guests need to be on the March 2026 or later updates. The KEK signed by the Hyper-V PK is included in the March updates and is needed to complete the picture.
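
The event check discussed in this thread, as an added example that is not part of any post above and is not Microsoft's code: it pulls event IDs 1795, 1799 and 1808 from the System log of a guest and reports which of the situations described in the thread applies. The 30-day look-back window and the `*TPM*` provider filter are assumptions, and the verdict text paraphrases the thread rather than official documentation.

```powershell
# Added example: run in an elevated PowerShell session on the guest VM.
# Event IDs and the 0x80070013 code come from the thread; everything else is an assumption.
$ids   = 1795, 1799, 1808
$since = (Get-Date).AddDays(-30)          # assumed look-back window

$events = @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = $ids; StartTime = $since } `
                -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderName -like '*TPM*' } |   # assumed match for the TPM event source
            Sort-Object TimeCreated)

# Bucket the events per ID so each case can be tested independently.
$seen = @{}
foreach ($id in $ids) { $seen[$id] = @($events | Where-Object { $_.Id -eq $id }) }

# Timeline first, so the order of attempts and reboots is visible.
$events | Select-Object TimeCreated, Id,
    @{ Name = 'FirstLine'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize -Wrap

$last1795 = $seen[1795] | Select-Object -Last 1
$last1808 = $seen[1808] | Select-Object -Last 1

if ($last1808 -and (-not $last1795 -or $last1808.TimeCreated -gt $last1795.TimeCreated)) {
    # 1808 logged after the most recent failure: the outcome the original poster was waiting for.
    "1808 logged at $($last1808.TimeCreated): update sequence finished."
}
elseif ($last1795) {
    "1795 logged at $($last1795.TimeCreated) with no later 1808."
    if ($last1795.Message -match '0x80070013|write.protected') {
        "  Message reports write protection (0x80070013), as in the Server 2019 guests above."
    }
    "  Per the thread: install the March 2026 or later cumulative update on the Hyper-V host"
    "  and on this guest, restart, then re-run this check."
}
elseif ($seen[1799].Count -gt 0) {
    "1799 present but no 1808 and no 1795: the state the original poster described."
    "  Per the thread, the KEK may still be pending; confirm host and guest patch levels."
}
else {
    "None of events 1795/1799/1808 found since $since."
}
```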