Secure Boot was not enabled in the VM. I enabled Secure Boot in the VM and was able to install KB5012170 without any problem.
I tested further to see if there were any issues related to enabling then disabling Secure Boot in the VM. I did not experience any problems booting the VM after disabling Secure Boot. There were no problems booting the VM after moving it to a pool where the default UEFI Certificates had not been installed.
For anyone wanting to resolve the KB5012170 update error, here are the steps I took:
- On the pool/host for the VM, install the UEFI Certificates with
secureboot-certs install
- Shut down the problem VM
- Enable Secure Boot on the VM. I do this via Xen Orchestra but it can also be done with
xe vm-param-set uuid=[uuid of VM] platform:secureboot=true
- Boot the VM
- Apply the KB5012170 update
- Shut down the VM
- Disable Secure Boot on the VM via XO or
xe vm-param-set uuid=[uuid of VM] platform:secureboot=false
- Boot the VM
https://xcp-ng.org/docs/guides.html#guest-uefi-secure-boot is a very thorough guide on Secure Boot in XCP-ng.
Thanks for the help @stormi