Microsoft 2011 UEFI Secure Boot Certificate Expiry – XenServer Remediation Guidance


Article ID: CTX696551


Description

What is Citrix doing about this issue?

In November 2025 an update was released for XenServer 8.4 which ensures that newly provisioned virtual machines have both the 2011 and 2023 certificates. As such, any entirely new virtual machine created after this update has been applied is unaffected by the expiry.

For virtual machines created prior to this update, Citrix is preparing changes to allow for certificate update. These changes are expected to be released before June 2026.

These changes (which will be usable through XenCenter, the API (including all supported SDKs) and the ‘xe’ command line interface) will allow customers to:

  • Determine which VMs do not have the updated 2023 certificates present
  • Schedule an update of the certificates to occur on the next VM boot

This mechanism (referred to as an ‘out of band’ update) is required because, for technical reasons, it is not possible to perform an ‘in band’ update from within the virtual machine.

Additionally, Citrix will be providing guidance on how to use these changes in typical CVAD environments.


Cause


Some UEFI virtual machines retain Microsoft’s 2011 Secure Boot certificates in their UEFI NVRAM. After certificate expiry, these VMs may fail to boot securely or trigger guest‑side recovery workflows.

XenServer builds released from November 2025 onwards include the newer 2023 Microsoft certificates. Newly provisioned VMs on those builds are not affected.
The issue applies only to VMs whose existing metadata still reflects the legacy 2011 certificate state.

Resolution

Precautions

An ‘out of band’ certificate update may trigger recovery workflows inside a virtual machine. In particular, for VMs using Microsoft’s BitLocker technology, it may trigger the BitLocker recovery workflow and require the recovery key.

As such, Citrix strongly recommends that administrators:

  • If using BitLocker in a VM:
    • As a precaution, verify that recovery keys are accessible prior to performing any operations.
    • Suspend protection prior to updating the certificates and resume protection after completing the process.
  • Consider taking a snapshot of a virtual machine prior to performing any operations.
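The following is an added example and not Citrix code: a guest-side PowerShell check, run from an elevated session inside a Windows VM, that reports whether the 2023 Microsoft certificates are present in the UEFI db and KEK variables (complementing the XenCenter/xe tooling described above), together with the BitLocker suspend step recommended in the precautions. The certificate subject strings are Microsoft's published CA names; the function names are this example's own.

```powershell
# Added example (not Citrix code). Run inside a Secure Boot enabled Windows guest, elevated.
# Reports which Microsoft CAs are present in the UEFI db/KEK and, if asked, suspends
# BitLocker on a volume ahead of an out-of-band certificate update.
function Test-SecureBoot2023Certs {
    [CmdletBinding()]
    param()
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled in this VM; nothing to check.'
    }
    # The variables hold raw EFI_SIGNATURE_LIST blobs; the certificate subject names
    # appear as plain ASCII inside the embedded X.509 data, so a substring match suffices.
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $kek = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name KEK).Bytes)
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Db_2011_ProdCA    = $db  -match 'Microsoft Windows Production PCA 2011'
        Db_2023_WindowsCA = $db  -match 'Windows UEFI CA 2023'
        Kek_2011_CA       = $kek -match 'Microsoft Corporation KEK CA 2011'
        Kek_2023_CA       = $kek -match 'Microsoft Corporation KEK 2K CA 2023'
    }
}

function Suspend-BitLockerForCertUpdate {
    param([string]$MountPoint = 'C:')
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -ne 'On') { return }
    # Refuse to proceed unless a recovery password protector exists, so the key can be
    # retrieved if the boot-chain change still triggers recovery.
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { throw "No recovery password protector on $MountPoint; back one up first." }
    # RebootCount 0 keeps protection suspended until Resume-BitLocker is run explicitly,
    # which covers the reboot on which the certificate update is applied.
    Suspend-BitLocker -MountPoint $MountPoint -RebootCount 0 | Out-Null
}

$status = Test-SecureBoot2023Certs
$status | Format-List
if (-not $status.Db_2023_WindowsCA) {
    Write-Warning 'This VM still lacks the Windows UEFI CA 2023 in db; schedule the out-of-band update.'
}
```

After the update has completed and the VM has booted normally, run `Resume-BitLocker -MountPoint 'C:'` to restore protection, as the precautions above require.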

Issue/Introduction

Issue

Microsoft UEFI Secure Boot certificates issued in 2011 are scheduled to expire starting in June 2026. Replacement certificates were issued by Microsoft in 2023 and included in XenServer in 2025; however, older Virtual Machines (VMs) may not have these certificates present.

See “Windows Secure Boot certificate expiration and CA updates” for more information from Microsoft.

There are two scenarios where problems may occur with XenServer virtual machines in relation to this certificate expiry:

  1. VMs missing the 2023 certificates may be unable to install or apply future updates from Microsoft related to the early boot process.
  2. If a Secure Boot enabled VM that is missing the 2023 certificates attempts to boot using an updated boot component (for example, one that may have come from an updated golden image in a CVAD deployment) that has been signed using the 2023 certificates, the boot will fail. See CTX696455 for more information.

It is important to clarify that, other than in scenario 2 above, the expiry will not automatically cause VMs to fail to boot, as the expiry date of the certificate is, by design, not checked during the normal boot process.

Additional Information

Microsoft has published a blog post on this issue: “Act now: Secure Boot certificates expire in June 2026” on the Windows IT Pro Blog.