Event details
I've done all of the same procedures on my Hyper-V guest Windows 2022 servers I did to my workstations but the certificates are not updating fully. I get a 1799 but no 1808.
Are we still awaiting patches for this from Microsoft?
EDIT: March cumulative on the host and working on guests now. All of them are getting certs now.
My guess as to what's going on is that everything is complete except for the KEK. There's a fix in Hyper-V coming out today (applied to the server) that allows guest VMs to update the KEK. If you look back in the events (SYSTEM log, TPM-WMI source) you might see an event 1795 where it says it cannot apply the KEK.
If this is the case, applying the March updates to the Hyper-V server(s) should allow the KEK updates to apply.
- Chewychewytoo, Mar 10, 2026, Copper Contributor
Going to try that. My Server 2022 VMs updated, but Server 2019 VMs did not, stating that the TPM was write protected in the 1795 system event.
- Arden_White, Mar 10, 2026, Microsoft
One thing I forgot to say - in addition to the Hyper-V fix on the server side, the guests need to be on the March 2026 or later updates. The KEK signed by the Hyper-V PK is included in the March updates and is needed to complete the picture.
- Cliff_Hughes, Mar 10, 2026, Copper Contributor
Confirmed Arden, once the March patches were deployed to both host and guests, they are all showing the updated status for the Secure Boot Certificates!
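The event check discussed in this thread, as an added example that is not part of any post above: it reads the System log on each guest and reports whether 1799, 1795 and 1808 have been logged. The function name, the 30-day window and the provider name `Microsoft-Windows-TPM-WMI` (for the TPM-WMI source) are assumptions; the reading of each event ID follows the posts.

```powershell
# Added example, not from the thread. Event meanings follow the posts above:
#   1799 seen without 1808 = certificates not fully updated
#   1795 = the KEK could not be applied
#   1808 = guest shows the updated Secure Boot certificate status
function Get-SecureBootCertEventStatus {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Days = 30   # assumed look-back window
    )
    foreach ($computer in $ComputerName) {
        $query = @{
            FilterHashtable = @{
                LogName      = 'System'
                ProviderName = 'Microsoft-Windows-TPM-WMI'   # assumed provider name
                Id           = 1795, 1799, 1808
                StartTime    = (Get-Date).AddDays(-$Days)
            }
            ErrorAction     = 'Stop'
        }
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }

        try {
            $events = @(Get-WinEvent @query)
        } catch {
            # "No matching events" is a normal result; anything else is a real failure.
            if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
            $events = @()
        }

        # Newest occurrence of each event ID (Get-WinEvent returns newest first).
        $last = @{}
        foreach ($e in $events) { if (-not $last.ContainsKey($e.Id)) { $last[$e.Id] = $e } }

        $status = if     ($last.ContainsKey(1808)) { 'Updated (1808 logged)' }
                  elseif ($last.ContainsKey(1795)) { 'KEK not applied (1795): check host and guest patch level' }
                  elseif ($last.ContainsKey(1799)) { 'Incomplete (1799 without 1808)' }
                  else                             { 'No matching events in window' }

        [pscustomobject]@{
            Computer = $computer
            Last1799 = $last[1799].TimeCreated
            Last1795 = $last[1795].TimeCreated
            Last1808 = $last[1808].TimeCreated
            Status   = $status
            # First line of the 1795 text, e.g. the write-protected message mentioned above.
            Detail   = if ($last.ContainsKey(1795)) { ($last[1795].Message -split "`r?`n")[0] }
        }
    }
}
```

Calling it with several guest names, for example `Get-SecureBootCertEventStatus -ComputerName vm1, vm2 | Format-Table` (constructed names), gives a before-and-after view when patching host and guests.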