I updated my XCP-NG host back in January, after those updates none of my Windows Server VMs would boot back up with the error FAILED_TO_START_EMULATOR. I dug into some articles that eventually got me to some talk about UEFI Secure boot certs. At the time I was in a rush and decided to try disabling Secure Boot rather than applying any fixes. That worked, and I moved on.

A couple months down the road (last week) I noticed my servers were not applying their updates properly, they were “could not complete update, undoing changes” for every patch. The error was always 0x800f0922. I dug around a bit, did some random fixes but once I checked the CBS Logs I noticed error messages dealing with Secure Boot.

I went back to the posts above and actually tried applying a fix. It ended up being one simple command that was ran on the XCP-NG host to resolve everything, secureboot-certs install.

📝 You can check the state of your certs with the command secureboot-certs report.

Once these certs were in place I was able to shut down my VMs, toggle secure boot back on and after they came back online all the updates took successfully.

❗ LESSON: Windows Server may not update if you turn off Secure Boot after initial installation with it on.