I'm getting the following error when trying to boot a Hyper-V VM from the network using a WDS server:
The image's hash and certificate are not allowed (DB).
It looks like the signature of the WDS boot loader wdsmgfw.efi is not accepted by the Hyper-V VM. I looked at the date of the file and it was created on Dec 10, 2020. I've been using this setup for years with no issue. I didn't change anything, it just stopped working.
Is it possible that the boot loader was updated through an update for Windows Server and is now rejected by Hyper-V?
Some additional information:
The WDS server is running on Windows Server 2012 R2. The Hyper-V VM is running on Hyper-V Server 2019 (the standalone product). The VM is generation 2 with secure boot enabled.
Additionally, I noticed the following behavior:
If I disable secure boot, there is no problem (obviously).
If I replace the boot loader wdsmgfw.efi with an older version of the file, it works. I used a version from 2016 that I found here: C:\Windows\System32\RemInst\boot\x64
Checksum of the boot loader:
wdsmgfw.efi, signature date: Jun 11, 2016, md5: 918d038ea743a24e7f1e37a06227d1f0
wdsmgfw.efi, signature date: unknown, file created Dec 10, 2020, md5: 60eb56f71a6bc5fb5328287e108c03f2
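
One way to put the signer of each wdsmgfw.efi copy next to its checksum, as an added example that is not part of the original post. The script name, the `Get-BootLoaderSignatureInfo` helper and the `-Path` arguments are hypothetical; pass the locations of the two files being compared.

```powershell
# Added example (not from the original post). Usage, with placeholder paths:
#   .\Compare-BootLoader.ps1 -Path <old wdsmgfw.efi>, <new wdsmgfw.efi>
param(
    [Parameter(Mandatory)]
    [string[]] $Path
)

function Get-BootLoaderSignatureInfo {
    param([Parameter(Mandatory)] [string] $File)

    $sig       = Get-AuthenticodeSignature -FilePath $File
    $cert      = $sig.SignerCertificate
    $chainText = '(no embedded signature)'

    if ($cert) {
        # Build the chain without revocation lookups so the script works offline.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($cert)
        # Leaf first, root last.
        $chainText = ($chain.ChainElements | ForEach-Object {
            $_.Certificate.GetNameInfo('SimpleName', $false)
        }) -join ' <- '
    }

    [pscustomobject]@{
        File             = $File
        MD5              = (Get-FileHash -LiteralPath $File -Algorithm MD5).Hash.ToLower()
        SHA256           = (Get-FileHash -LiteralPath $File -Algorithm SHA256).Hash.ToLower()
        # Verdict of the Windows trust store on this machine, not of the VM's UEFI db.
        WindowsStatus    = $sig.Status
        SignerThumbprint = $cert.Thumbprint
        SignerNotAfter   = $cert.NotAfter
        Chain            = $chainText
    }
}

$results = @($Path | ForEach-Object { Get-BootLoaderSignatureInfo -File $_ })
$results | Format-List

# A different chain means the firmware db may trust one file and not the other.
$distinct = @($results | Select-Object -ExpandProperty Chain -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning 'The files are signed under different certificate chains.'
}
```

A `Valid` status here only says Windows trusts the signature. The "(DB)" error is decided by the certificates and hashes in the VM firmware's allowed-signature database, so the chain is the field to compare between the two files.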