WDS UEFI boot loader's image hash not allowed

Siegfried Beitl 116 Reputation points

I'm getting the following error when trying to boot a Hyper-V VM from network using a WDS server:

The image's hash and certificate are not allowed (DB).

It looks like the signature of the WDS boot loader wdsmgfw.efi is not accepted by the Hyper-V VM. I looked at the date of the file and it was created on Dec 10, 2020. I've been using this setup for years with no issue. I didn't change anything, it just stopped working.

It is possible that the boot loader was updated through an update for Windows Server and now is rejected by Hyper-V?

Some additional information:
The WDS server is running on Windows Server 2012 R2. The Hyper-V VM is running on Hyper-V Server 2019 (the standalone product). The VM is generation 2 with secure boot enabled.

Additionally, I noticed the following behavior:
If I disable secure boot, there is no problem (obviously)
If I replace the boot loader wdsmgfw.efi with an older version of the file, it works. I used a version from 2016, that I found here: C:\Windows\System32\RemInst\boot\x64

Checksum of the boot loader:
wdsmgfw.efi signature date: Jun 11, 2016 md5 918d038ea743a24e7f1e37a06227d1f0
wdsmgfw.efi signature date: unknown, file created Dec 10, 2020 md5 60eb56f71a6bc5fb5328287e108c03f2


A Windows technology providing a hypervisor-based virtualization solution enabling customers to consolidate workloads onto a single server.
2,621 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Teemo Tang 11,371 Reputation points

    According to your test, I agree with your surmise
    The boot loader was updated through an update for Windows Server then influence Hyper-V.
    However, due to limited condition, we can’t reproduce your scenario for test. Both of Your current behaviors are ok, from my experience, I always disabling the "Secure Boot" option in the settings screen to fix this error.
    If you want to do a deep research on this, I suggest to open a request ticket with Microsoft
    Thanks for understanding


    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

    2 people found this answer helpful.
    0 comments No comments