VMWare and XenServer based PVS Targets using Secure Boot Become Unbootable After Applying Windows Updates to the vDisk


Article ID: CTX696455

Description

After applying Windows Updates to a PVS vDisk using a master target, and then later booting it on production PVS targets, the boot-time error "LoadImage error: Access Denied" is displayed.

Only the master target, which was used when applying the Windows Update, continues to boot.

The vDisk has been updated so that the Windows Boot Loader is signed by a new certificate.

As documented by Microsoft (see Additional Information), the current certificates used for validating binaries under Secure Boot expire in 2026 and have been replaced by new CA certificates, which will be used in the future to validate that binaries are properly signed. When applying Windows Updates, if the new Windows certificate is detected in the master VM, the update installs a version of the Boot Loader that is signed by the new certificate. Later on, if you have target VMs that do not include the new certificate, the resulting vDisk will not boot on them, because the firmware cannot validate the signature of the Boot Loader.

When you upgrade your hypervisor to a version that embeds the new certificates, existing VMs are not updated to include the new certificate by default, which is why the subsequent boot of the vDisk fails with the above error.

NOTE: the expiration of the existing certificates does not matter; existing vDisks will continue to boot after expiration. The only failure occurs when a new Windows Boot Loader that is signed by the new certificate is installed in the vDisk.

Cause

This behavior follows the pattern below:

  1. The master target device has the new Windows Secure Boot certificates:
    • Windows Update may apply the new certificate to the master target device's UEFI firmware.
    • Alternatively, if the hypervisor was upgraded to a version that has the new Windows Secure Boot certificates and a new master target device is created, it is created with the new certificate.
  2. When applying Windows Updates, if the new Windows certificate is detected in the master VM, the update installs a version of the Boot Loader that is signed by the new certificate.
  3. Subsequently, if target device VMs that do not have the new certificate boot the vDisk, it will not be bootable on those target devices, as the signature of the new Boot Loader cannot be validated.

Resolution

The following steps should be followed for VMWare and XenServer deployments:

  • Upgrade your hypervisor hosts to a version that embeds the new certificates:
    • For VMWare, that means vSphere 8.0 Update 3h or newer, or vSphere 9.
    • For XenServer, you must be running 8.4, November 2025 update or newer.
  • Update or reprovision ALL PVS target VMs that were created before the hypervisor host was upgraded:
    • For VMWare, you can shut down the VM and then delete the nvram file (which contains the certificates); it will be recreated with the correct certificates on the next boot.
    • For XenServer, it is not possible to update existing VMs, so all VMs that were created before upgrading to 8.4 update 3h will have to be reprovisioned.
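Before assigning an updated vDisk version to production targets, a practitioner will want to confirm two things on each VM: that its UEFI Secure Boot signature database (db) trusts the new Microsoft boot-manager CA, and which CA signed the boot manager currently on the vDisk. The script below is an added example, not part of this article or of Citrix's tooling. It uses the Windows Secure Boot cmdlets and assumes the CA names Microsoft publishes for the old and new boot-manager signing chains ("Microsoft Windows Production PCA 2011" and "Windows UEFI CA 2023"), that `S:` is a free drive letter, and that it is run as Administrator inside a booted target (for example, while the target is still on the previous vDisk version, or on the master after the update).

```powershell
# Added example (not from the Citrix article). Reports whether this VM's firmware db trusts
# the new Microsoft boot-manager CA and which CA signed the boot manager on the booted vDisk.
# CA names are Microsoft's published names, assumed here rather than quoted from the article.
$NewCaName = 'Windows UEFI CA 2023'
$OldCaName = 'Microsoft Windows Production PCA 2011'

function Get-SecureBootDbCaStatus {
    # Get-SecureBootUEFI returns the raw EFI_SIGNATURE_LIST bytes of the db variable. The CA
    # subject names are stored as printable strings inside the DER certificates, so a plain
    # text search is enough to tell which CAs the firmware will accept.
    $db   = Get-SecureBootUEFI -Name db
    $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
    [pscustomobject]@{
        SecureBootEnabled = Confirm-SecureBootUEFI
        TrustsNewCa       = $text -like "*$NewCaName*"
        TrustsOldCa       = $text -like "*$OldCaName*"
    }
}

function Get-BootManagerSigner {
    # Mount the EFI System Partition on an assumed-free letter, read the Authenticode signature
    # of the Windows boot manager at its standard path, then unmount again.
    $letter = 'S:'
    mountvol $letter /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature -FilePath "$letter\EFI\Microsoft\Boot\bootmgfw.efi"
        [pscustomobject]@{
            Status        = $sig.Status
            Issuer        = $sig.SignerCertificate.Issuer
            SignedByNewCa = $sig.SignerCertificate.Issuer -like "*$NewCaName*"
        }
    } finally {
        mountvol $letter /D | Out-Null
    }
}

$dbStatus = Get-SecureBootDbCaStatus
$bootSig  = Get-BootManagerSigner
$dbStatus | Format-List
$bootSig  | Format-List

# The condition the article describes: the boot manager is signed by the new CA but this
# target's firmware db does not trust it yet, so the firmware refuses to load the image.
if ($bootSig.SignedByNewCa -and -not $dbStatus.TrustsNewCa) {
    Write-Warning "Boot manager is signed by '$NewCaName' but the firmware db does not trust it; this target will fail with 'LoadImage error: Access Denied'."
} elseif (-not $dbStatus.TrustsNewCa) {
    Write-Warning "Firmware db lacks '$NewCaName'; recreate the VM's NVRAM (VMWare) or reprovision it (XenServer, or any TPM-backed VM) before it boots a vDisk updated with the new boot manager."
} else {
    Write-Output "Firmware db trusts '$NewCaName'; this target can boot a vDisk whose boot manager is signed by the new CA."
}
```

Run on the master after the Windows Update to see the boot manager's new signer, and on each production target before the updated vDisk version is promoted; any target that reports TrustsNewCa as False is one that the steps above (NVRAM recreation on VMWare, reprovisioning on XenServer) must fix first.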

Important Notes

  • Any VM that is also using a TPM has to be reprovisioned - it is not possible to update the certificates in this case as the measurements created by the TPM during boot include the certificates.
  • Microsoft have documented a manual procedure for revoking the old certificate - this MUST NOT BE DONE as doing so will prevent the PVS boot program from running. A later PVS release will address this.

Issue/Introduction

This article shows how to address the issue for VMWare and XenServer based setups where PVS targets using Secure Boot become unbootable after applying Windows Updates to the vDisk.

Additional Information

Windows Secure Boot certificate expiration and CA updates

https://support.microsoft.com/en-us/topic/windows-secure-boot-certificate-expiration-and-ca-updates-7ff40d33-95dc-4c3c-8725-a9b95457578e