Hyper-V Boot Error: The Image’s Hash and Certificate Are not Allowed

August 19, 2020 | September 24th, 2020

I came across an interesting issue when trying to install CentOS Linux on a virtual machine running on a Hyper-V server (the virtual machine was a “Generation 2” VM with UEFI support). I had downloaded the CentOS 7 installation image (ISO), created a new Generation 2 VM in Hyper-V, mounted the ISO file and tried to boot the VM from it. However, when the VM booted, the following error message appeared in the Hyper-V console:

SCSI DVD (0,0). The image's hash and certificate are not allowed (DB).

No UEFI-compatible file system was found.

No operating system was loaded. Press a key to retry the boot sequence…

The problem is that, by default, Hyper-V uses UEFI with Secure Boot enabled for its Generation 2 virtual machines. Secure Boot prevents the VM from booting the untrusted Linux bootloader in the ISO file (the Linux bootloader is neither signed nor certified by Microsoft).

To start the Linux installation, I had to disable Secure Boot in the virtual machine settings (Settings -> Security -> uncheck the option Enable Secure Boot).

Alternatively, you can leave Secure Boot enabled and select the Microsoft UEFI Certificate Authority template instead of the Microsoft Windows template. According to Microsoft, this template allows you to run Linux distros in Secure Boot compatibility mode.

Restart your VM and try to boot it again from the CentOS installation ISO image or from another Linux distribution (I managed to run the CentOS 8 and Ubuntu 19.04 installations using this method).

You can also manage the Secure Boot setting and the template of a VM using PowerShell. Here is how to get the current VM firmware settings:

Get-VMFirmware -VMName "centos7"

To disable Secure Boot mode for your VM:

Set-VMFirmware -VMName "centos7" -EnableSecureBoot Off

In order to change the bootloader certificate validation template to the one compatible with most Linux distros:

Set-VMFirmware -VMName "centos7" -EnableSecureBoot On -SecureBootTemplate "MicrosoftUEFICertificateAuthority"
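
As an added example (not part of the original post), the following PowerShell reports the Secure Boot state and template of every Generation 2 VM on the host, and re-enables Secure Boot with the Linux-compatible template on named guests instead of leaving it disabled. The function names are hypothetical; it assumes the Hyper-V module is available and that the target VM is shut down before its firmware settings are changed.

```powershell
#requires -Modules Hyper-V
# Added example, not from the original post. Function names are hypothetical.

function Get-SecureBootReport {
    # Firmware settings exist only on Generation 2 VMs, so Generation 1 VMs are skipped.
    Get-VM | Where-Object Generation -eq 2 | ForEach-Object {
        $fw = Get-VMFirmware -VM $_
        [pscustomobject]@{
            VMName     = $_.Name
            State      = $_.State
            SecureBoot = $fw.SecureBoot
            Template   = $fw.SecureBootTemplate
        }
    }
}

function Enable-LinuxSecureBoot {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$VMName)

    foreach ($name in $VMName) {
        $vm = Get-VM -Name $name -ErrorAction Stop
        if ($vm.Generation -ne 2) {
            Write-Warning "$name is Generation $($vm.Generation); it has no UEFI firmware settings."
            continue
        }
        # Assumption: firmware settings are changed only while the VM is powered off.
        if ($vm.State -ne 'Off') {
            Write-Warning "$name is $($vm.State); shut it down before changing firmware settings."
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, 'Enable Secure Boot with MicrosoftUEFICertificateAuthority')) {
            Set-VMFirmware -VM $vm -EnableSecureBoot On -SecureBootTemplate 'MicrosoftUEFICertificateAuthority'
        }
    }
}

# List the VMs where Secure Boot is switched off, then preview the change for one Linux guest.
Get-SecureBootReport | Where-Object SecureBoot -eq 'Off' | Format-Table -AutoSize
Enable-LinuxSecureBoot -VMName 'centos7' -WhatIf
```

Drop -WhatIf to apply the change. Pass only Linux guests to Enable-LinuxSecureBoot, since the template is chosen per VM.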
