fix: Do not attempt to modify SecureBootTemplate on a VM with a vTPM initialized

[bdonaldson77]

When running the hyperv-vmcx builder, the plugin will always attempt to set the -SecureBootTemplate parameter if it is detected as available. However, when the source .vmcx template has a vTPM initialized (e.g. if it is a Windows 11 HyperV VM) then this operation will always fail:

2024-11-18T15:02:25-08:00: Build 'hyperv-vmcx' errored after 41 seconds 321 milliseconds: Error setting secure boot: PowerShell error: Hyper-V\Set-VMFirmware : 'win11_24H2-master-bdonaldson-TEST' failed to modify settings.
Cannot modify the secure boot template ID property.
'win11_24H2-master-bdonaldson-TEST' failed to modify settings. (Virtual machine ID
4DCCACA2-2DB5-465D-86E4-680373C80102)
Cannot modify the secure boot template ID property after the virtual TPM is initialized.
At C:\Users\bdonaldson\AppData\Local\Temp\2\Powershell1356268187.ps1:6 char:2
+     Hyper-V\Set-VMFirmware -VMName $vmName -EnableSecureBoot $enableS ...
+     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Set-VMFirmware], VirtualizationException
    + FullyQualifiedErrorId : OperationFailed,Microsoft.HyperV.PowerShell.Commands.SetVMFirmware

This change makes it so that Packer will only attempt to reconfigure the SecureBootTemplate if there is no initialized vTPM. If there is a vTPM, it will simply skip attempting to set the SecureBootTemplate, but continue to configure SecureBoot as desired.

Closes #49

[hashicorp-cla-app]

Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement

Learn more about why HashiCorp requires a CLA and what the CLA includes

---

Donaldson, Ben seems not to be a GitHub user.
You need a GitHub account to be able to sign the CLA.
If you have already a GitHub account, please add the email address used for this commit to your account.

_{Have you signed the CLA already but the status is still pending? Recheck it.}

[bdonaldson77]

Hey @lbajolet-hashicorp (sorry for the unprompted direct ping),

I expect this may have fallen between the couch cushions, or it's not even on anyone's radar as the CLA check isn't cleared. I think I might have made a mistake in signing it, as I modified the email field, and I can't re-submit it anymore to correct it.

CLA shenanigans aside, is it possible to get eyes on this PR? Thanks!

[bdonaldson77]

Hey @lbajolet-hashicorp (sorry for the unprompted direct ping),

I expect this may have fallen between the couch cushions, or it's not even on anyone's radar as the CLA check isn't cleared. I think I might have made a mistake in signing it, as I modified the email field, and I can't re-submit it anymore to correct it.

CLA shenanigans aside, is it possible to get eyes on this PR? Thanks!

Hey @lbajolet-hashicorp, again, apologies for an unprompted direct ping. I'm hoping that this could be reviewed soon. Cheers!

[bdonaldson77]

I've updated this PR with an additional change that will check if a VM has had a VMKeyProtector initialized, and if so, leaves it alone. This makes it so that if you create a template with a vTPM enabled and then disable the vTPM to do a hyperv-vmcx build using that source template, Packer will not try to reinitialize the VMKeyProtector, causing it to fail to boot with this error:

'[Virtual Machine Name]' failed to restore.
Microsoft Virtual TPM Device (Instance ID ...): Failed to restore with Error:
'The computed authentication tag did not match the input authentication tag.'

[jotterbot]

this is sorely needed Hashicorp team - please consider merging. Current fix is to compile a custom "dev" plugin, but that is clunky going forward.

cc. @devashish-patel @mogrogan @lbajolet-hashicorp 🙏

[jotterbot]

Hello 2026 👋

What will it take to get this merged/integrated Hashicorp team? @anurag5sh @trippsc2

@bdonaldson77 , i think at minimum, you will need to sign their Contributor License Agreement for this PR to get a look in.

[bdonaldson77]

Yeah, there was a snafu with the CLA in terms of how my enterprise Github account clashes with this personal one - I tried to reach out to get that looked at and got no response. I do want to get it sorted if possible, though. We've been running a private fork of this plugin internally for over a year now.