I updated my XCP-NG host back in January, after those updates none of my Windows Server VMs would boot back up with the error
FAILED_TO_START_EMULATOR. I dug into some articles that eventually got me to some talk about UEFI Secure boot certs. At the time I was in a rush and decided to try disabling Secure Boot rather than applying any fixes. That worked, and I moved on.
A couple months down the road (last week) I noticed my servers were not applying their updates properly, they were “could not complete update, undoing changes” for every patch. The error was always
0x800f0922. I dug around a bit, did some random fixes but once I checked the CBS Logs I noticed error messages dealing with Secure Boot.
I went back to the posts above and actually tried applying a fix. It ended up being one simple command that was ran on the XCP-NG host to resolve everything,
📝 You can check the state of your certs with the command
Once these certs were in place I was able to shut down my VMs, toggle secure boot back on and after they came back online all the updates took successfully.
❗ LESSON: Windows Server may not update if you turn off Secure Boot after initial installation with it on.