Windows update fails on Hyper-V 2012 R2 generation 2 virtual machines

Windows Server 2012 R2

If you have deployed a Windows Server 2012 R2 generation 2 virtual machine on 2012 R2 Hyper-V server you may find that Windows Update fails on any generation 2 virtual machines.

Generation 2 virtual machines use UEFI rather than BIOS. UEFI is a firmware interface to the hardware that will gradually replace BIOS on newer hardware. It is more secure than BIOS and designed to protect pre-boot prcesses from attack, improve startup times and support larger disks, as well as a number of other enhancements.

So a Generation 2 virtual machine uses UEFI, and therefore has the Enable Secure Boot option enabled by default.

Below are lots of WindowsUpdateClient event id 20 error messages. I recieved on my first generation 2 virtual machine.

Event Viewer error message
To resolve the issue, turn off Secure Boot, update the server and then re-enable Secure Boot after.

Shutdown the virtual machine in question, then select Settings.

Hyper-V Manager VM Settings
Click Firmware, then unselect Enable Secure Boot tick box.

Disable Secure boot

Next, run Windows Update, patch the server and once the updates are completed, shutdown the server so you can re-enable the Secure Boot option.

Enable Secure Boot

Related Posts:

1. How to enable Data Deduplication in Windows 2012

2. How to enable Windows 8.1 Windows 2012 R2 dual boot – boot to VHD

3. Windows Server 2012 Hyper-V Best Practices

6 thoughts on “Windows update fails on Hyper-V 2012 R2 generation 2 virtual machines

  1. Sputnik

    I had the same problem, after 2 days trying to find what was the problem It pointed that it has to be something related to Generation 2 but still didn’t know what exactly. I tried your suggestion and it did work. Thank you to save me time 🙂

    Reply
      1. Danny Molenkamp

        I have this also on my servers but mine got stuck at rebooting after installing the updates and complaining that it failed the updates and now all my machines won’t boot up any more.

        This was before I have read your post, is there a way I can boot my machines?

        Reply
  2. Stephen

    Wow, thanks so much! That fixed my issue… have been spending days on this and would have never figured that one out. Thanks!

    Reply
  3. Chris

    I was looking for a different solution rather than this “work around”. But this site definitely helped me find it. I was using an old iso for 2012 R2 so all my new builds had this problem. Checking with Microsoft there is a new iso that has been fixed so you can build a new box and patch it and never have to remember to uncheck “Enable Secure Boot”.

    Thanks!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *