Event details
Hi! We have legacy hardware running Hyper-V, supporting legacy EUC and general workloads. This hardware is running Server 2016, using legacy boot and is planned to be decommissioned after the first year of ESU, to allow for adequate planning for cloud migration into an extended zone. While the secure boot updates have successfully updated the active DB on the virtual machines, we are hit with blocking failures when reprovisioning/scaling VDI workloads as the default DB provided by Hyper-V doesn't accept the updated bootloader which is signed with the new certificates. It can be reproduced against existing VMs when resetting the NVRAM as well. We have raised a case but they are adamant for us to rebuild as it was not a scenario that was tested. Is there a way we can work around this without rebuilding Hyper-V with UEFI / server OS > 2016?
- Prabhakar_MSFTJul 08, 2026
Microsoft
Hello G0B1IN5486
Hyper-V VMs should be able to update the certs to new 2023 certificates when you set the registry key AvailableUpdates value to 0x5944. Are you observing failure to apply certs via this method?
- Cliff_HughesJul 08, 2026Tin Contributor
I found if the Hyper-V host does not support secure boot, then the VM's won't support it either. Also if the Hyper-V VM is an older format, and does not include secure boot, then it will not be able to be updated, I have server VM that was running server 2016 and is now on Server 2022 but has never had Secure boot enabled or available since it was an old Gen 1 VM. As far as I know, you need to have a secure boot enable Host, and you will need to rebuild the VM to support Secure Boot. Unless there is an easier way, I would love to know!
- Prabhakar_MSFTJul 08, 2026
Microsoft
Hello Cliff_Hughes All Generation 2 VMs support Secure Boot. Have you observed that you cannot have Secure Boot enabled on a Generation 2 VM if Hyper-V Host have Secure Boot disabled?