From ffb0e8b37160c3e3ff4764d15683ed565ad2204f Mon Sep 17 00:00:00 2001
From: "Donaldson, Ben"
Date: Mon, 18 Nov 2024 14:33:52 -0800
Subject: [PATCH] fix: Do not attempt to modify SecureBootTemplate on a VM with a vTPM initialized
---
 builder/hyperv/common/powershell/hyperv/hyperv.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/builder/hyperv/common/powershell/hyperv/hyperv.go b/builder/hyperv/common/powershell/hyperv/hyperv.go
index d95fe0d..8e21612 100644
--- a/builder/hyperv/common/powershell/hyperv/hyperv.go
+++ b/builder/hyperv/common/powershell/hyperv/hyperv.go
@@ -718,8 +718,10 @@ func SetVirtualMachineSecureBoot(vmName string, enableSecureBoot bool, templateN
 var script = `
 param([string]$vmName, [string]$enableSecureBootString, [string]$templateName)
 $cmdlet = Get-Command Hyper-V\Set-VMFirmware
+# We cannot modify SecureBoot Templates on VMs with a TPM enabled
+$tpmEnabled = Hyper-V\Get-VMSecurity -VMName $vmName | Select-Object -ExpandProperty TpmEnabled
 # The SecureBootTemplate parameter is only available in later versions
-if ($cmdlet.Parameters.SecureBootTemplate) {
+if ($cmdlet.Parameters.SecureBootTemplate -and !$tpmEnabled) {
 Hyper-V\Set-VMFirmware -VMName $vmName -EnableSecureBoot $enableSecureBootString -SecureBootTemplate $templateName
 } else {
 Hyper-V\Set-VMFirmware -VMName $vmName -EnableSecureBoot $enableSecureBootString
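Review bot: When the VM has a vTPM, the new `-and !$tpmEnabled` condition silently drops the caller's `$templateName` and falls through to the `else` branch, so the build continues under whatever Secure Boot template the VM already carries, with nothing in the output to say the requested one was not applied. Because the template selects which signing authority the firmware trusts, that mismatch should be surfaced rather than hidden: in the TPM case, compare the current value with the request and fail (or at least warn) on a difference, e.g. `if ($tpmEnabled -and $templateName -and (Hyper-V\Get-VMFirmware -VMName $vmName).SecureBootTemplate -ne $templateName) { throw "SecureBootTemplate cannot be changed while the vTPM is enabled" }`, with the property name confirmed against the Hyper-V module in use. Separately, `Hyper-V\Get-VMSecurity` runs before the `$cmdlet.Parameters.SecureBootTemplate` version guard; if hosts old enough to lack that parameter also lack the cmdlet, the lookup would error there, so it seems safer to move it inside the guarded branch. The body of SetVirtualMachineSecureBoot starts and ends outside this hunk, so how the script's errors are handled by the caller is not visible here.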