After updating MCS Machine Catalogs with a golden image whose bootloader is signed by the Windows UEFI CA 2023, VDAs can fail to boot with “No Boot Media”.
This happens because the updated master image contains a 2023-signed bootloader, but the VM’s Secure Boot database still only trusts the 2011 certificate. The diagram below illustrates the root cause of the problem.

Example: VMware ESXi
Find your hypervisor below for the resolution steps.
Recommendation:
For VMware, administrators can follow the steps below to address the Windows UEFI CA 2023 issue.
Step 1: Upgrade the hypervisor to VMware ESXi 8.0 U3j or later.
Step 2: If VMs have already failed to boot, reset the NVRAM files (refer to Fix Option 1 below).
Step 3: Deploy the Windows UEFI CA 2023 certificate to the Secure Boot DB.
Step 4: Verify the deployment of the Windows UEFI CA 2023 certificate.
The details of each step are described below.
Fix VMs That Failed to Boot
Of the fix options below, we recommend Option 1.
Fix Option 1: Reset NVRAM Files (Recommended)
Delete the NVRAM files of affected VMs. On the next boot, new NVRAM files will be created with the 2023 certificate included.
To automate this, refer to the example script (Fix Boot Failure - Reset NVRAM)
Fix Option 2: Roll Back the Master Image
Revert the MCS catalog to the previous master image snapshot that uses a 2011-signed boot loader.
Fix Option 3: Disable Secure Boot
Disable Secure Boot on affected VMs so the boot loader signature is not checked. This also removes the firmware's boot-integrity check, so treat it as a temporary workaround and re-enable Secure Boot once the 2023 certificate is in the DB.
To automate this, refer to the example script (Fix Boot Failure - Disable Secure Boot)
Deploy the 2023 certificate to VDAs
Step 1: Complete Windows updates by running the PowerShell cmdlets below. Windows Updates can be automated via Group Policy (GPO).
Step 2: Deploy the Windows UEFI CA 2023 to the VMs by running the PowerShell cmdlet below.
Step 3: Restart the VM twice from inside the guest OS, not from Citrix Web Studio.
To automate this, refer to the example script (Prevent Boot Failure - Deploy Certificate)
Verification
Run the following cmdlet in PowerShell:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
Returns True if the Windows UEFI CA 2023 certificate has been deployed to the Secure Boot DB.
For XenServer, administrators can currently either disable Secure Boot or roll back the image update. Further updates and releases are underway.
Recommendation:
For SCVMM, administrators can follow the steps below to address the Windows UEFI CA 2023 issue.
Step 1: If VMs have already failed to boot, roll back the master image or disable secure boot.
Step 2: Deploy the Windows UEFI CA 2023 certificate to the Secure Boot DB.
Step 3: Verify the deployment of the Windows UEFI CA 2023 certificate.
The details of each step are described below.
Fix VMs That Failed to Boot
Fix Option 1: Roll Back the Master Image
Revert the MCS catalog to the previous master image snapshot that uses a 2011-signed boot loader.
Fix Option 2: Disable Secure Boot
Disable Secure Boot on affected VMs so the boot loader signature is not checked.
Deploy the 2023 certificate to VDAs
Step 1: Complete Windows updates by running the PowerShell cmdlets below. Windows Updates can be automated via Group Policy (GPO).
Step 2: Deploy the Windows UEFI CA 2023 to the VMs by running the PowerShell cmdlet below.
Step 3: Restart the VM twice from inside the guest OS, not from Citrix Web Studio.
To automate this, refer to the example script (Prevent Boot Failure - Deploy Certificate)
Verification
Run the following cmdlet in PowerShell:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
Returns True if the Windows UEFI CA 2023 certificate has been deployed to the Secure Boot DB.
OpenShift does not have the Windows UEFI CA 2023 certificate issue, because the OpenShift versions (4.18+) that Citrix supports already include the 2023 certificate.
Recommendation:
For Nutanix, administrators can follow the steps below to address the Windows UEFI CA 2023 issue.
Step 1: Upgrade the hypervisor to AHV 10.3.1 (AOS 7.3.1).
Step 2: If VMs have already failed to boot, roll back the master image or disable secure boot.
Step 3: Deploy the Windows UEFI CA 2023 certificate to the Secure Boot DB.
Step 4: Verify the deployment of the Windows UEFI CA 2023 certificate.
The details of each step are described below.
Fix VMs That Failed to Boot
Fix Option 1: Roll Back the Master Image
Revert the MCS catalog to the previous master image snapshot that uses a 2011-signed boot loader.
Fix Option 2: Disable Secure Boot
Disable Secure Boot on affected VMs so the boot loader signature is not checked.
Deploy the 2023 certificate to VDAs
Step 1: Complete Windows updates by running the PowerShell cmdlets below. Windows Updates can be automated via Group Policy (GPO).
Step 2: Deploy the Windows UEFI CA 2023 to the VMs by running the PowerShell cmdlet below.
Step 3: Restart the VM twice from inside the guest OS, not from Citrix Web Studio.
To automate this, refer to the example script (Prevent Boot Failure - Deploy Certificate)
Verification
Run the following cmdlet in PowerShell:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
Returns True if the Windows UEFI CA 2023 certificate has been deployed to the Secure Boot DB.
Recommendation:
For Azure, VMs created after March 2024 are not affected by the Windows UEFI CA 2011 certificate issue. VMs created prior to March 2024 do not include the Secure Boot 2023 certificates.
Step 1: If VMs have already failed to boot, roll back the master image or disable secure boot.
Step 2: Deploy the Windows UEFI CA 2023 certificate to the Secure Boot DB.
Step 3: Verify the deployment of the Windows UEFI CA 2023 certificate.
For Azure Local, follow the steps below.
Step 1: Upgrade the hypervisor to 2603.
Step 2: If VMs have already failed to boot, roll back the master image or disable secure boot.
Step 3: Deploy the Windows UEFI CA 2023 certificate to the Secure Boot DB.
Step 4: Verify the deployment of the Windows UEFI CA 2023 certificate.
The details of each step are described below.
Fix VMs That Failed to Boot
Fix Option 1: Roll Back the Master Image
Revert the MCS catalog to the previous master image snapshot that uses a 2011-signed boot loader.
Fix Option 2: Disable Secure Boot
Disable Secure Boot on affected VMs so the boot loader signature is not checked.
Deploy the 2023 certificate to VDAs
Step 1: Complete Windows updates by running the PowerShell cmdlets below. Windows Updates can be automated via Group Policy (GPO).
Step 2: Deploy the Windows UEFI CA 2023 to the VMs by running the PowerShell cmdlet below.
Step 3: Restart the VM twice from inside the guest OS, not from Citrix Web Studio.
To automate this, refer to the example script (Prevent Boot Failure - Deploy Certificate)
Verification
Run the following cmdlet in PowerShell:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
Returns True if the Windows UEFI CA 2023 certificate has been deployed to the Secure Boot DB.
Recommendation:
For GCP, administrators can follow the steps below to address the Windows UEFI CA 2023 issue.
Step 1: If VMs have already failed to boot, roll back the master image or disable secure boot.
Step 2: Deploy the Windows UEFI CA 2023 certificate to the Secure Boot DB.
Step 3: Verify the deployment of the Windows UEFI CA 2023 certificate.
The details of each step are described below.
Fix VMs That Failed to Boot
Fix Option 1: Roll Back the Master Image
Revert the MCS catalog to the previous master image snapshot that uses a 2011-signed boot loader.
Fix Option 2: Disable Secure Boot
Disable Secure Boot on affected VMs so the boot loader signature is not checked.
Deploy the 2023 certificate to VDAs
Step 1: Complete Windows updates by running the PowerShell cmdlets below. Windows Updates can be automated via Group Policy (GPO).
Step 2: Deploy the Windows UEFI CA 2023 to the VMs by running the PowerShell cmdlet below.
Step 3: Restart the VM twice from inside the guest OS, not from Citrix Web Studio.
To automate this, refer to the example script (Prevent Boot Failure - Deploy Certificate)
Verification
Run the following cmdlet in PowerShell:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
Returns True if the Windows UEFI CA 2023 certificate has been deployed to the Secure Boot DB.
Recommendation:
For AWS, administrators can follow the steps below to address the Windows UEFI CA 2023 issue.
Step 1: If VMs have already failed to boot, roll back the master image or disable secure boot.
Step 2: Deploy the Windows UEFI CA 2023 certificate to the Secure Boot DB.
Step 3: Verify the deployment of the Windows UEFI CA 2023 certificate.
The details of each step are described below.
Fix VMs That Failed to Boot
Fix Option 1: Roll Back the Master Image
Revert the MCS catalog to the previous master image snapshot that uses a 2011-signed boot loader.
Fix Option 2: Disable Secure Boot
Disable Secure Boot on affected VMs so the boot loader signature is not checked.
Deploy the 2023 certificate to VDAs
Step 1: Complete Windows updates by running the PowerShell cmdlets below. Windows Updates can be automated via Group Policy (GPO).
Step 2: Deploy the Windows UEFI CA 2023 to the VMs by running the PowerShell cmdlet below.
Step 3: Restart the VM twice from inside the guest OS, not from Citrix Web Studio.
To automate this, refer to the example script (Prevent Boot Failure - Deploy Certificate)
Verification
Run the following cmdlet in PowerShell:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
Returns True if the Windows UEFI CA 2023 certificate has been deployed to the Secure Boot DB.
Recommendation:
For AWS Workspace Core, administrators can follow the steps below to address the Windows UEFI CA 2023 issue.
Step 1: If VMs have already failed to boot, roll back the master image or disable secure boot.
Step 2: Deploy the Windows UEFI CA 2023 certificate to the Secure Boot DB.
Step 3: Verify the deployment of the Windows UEFI CA 2023 certificate.
The details of each step are described below.
Fix VMs That Failed to Boot
Fix Option 1: Roll Back the Master Image
Revert the MCS catalog to the previous master image snapshot that uses a 2011-signed boot loader.
Fix Option 2: Disable Secure Boot
Disable Secure Boot on affected VMs so the boot loader signature is not checked.
Deploy the 2023 certificate to VDAs
Step 1: Complete Windows updates by running the PowerShell cmdlets below. Windows Updates can be automated via Group Policy (GPO).
Step 2: Deploy the Windows UEFI CA 2023 to the VMs by running the PowerShell cmdlet below.
Step 3: Restart the VM twice from inside the guest OS, not from Citrix Web Studio.
To automate this, refer to the example script (Prevent Boot Failure - Deploy Certificate)
Verification
Run the following cmdlet in PowerShell:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
Returns True if the Windows UEFI CA 2023 certificate has been deployed to the Secure Boot DB.
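The following PowerShell script is an added example, not part of the Citrix article or its example scripts. It serves the "Deploy the 2023 certificate to VDAs" and "Verification" steps repeated for each hypervisor above: run inside the guest (master image or VDA) as Administrator, it extends the article's DB check to report the 2011 CA as well, and reads the Authenticode signer of the installed boot manager, so the mismatch that causes "No Boot Media" (2023-signed bootloader, DB trusting only the 2011 CA) is caught before the image is pushed. Assumptions: the EFI System Partition is mounted with mountvol /S on a free drive letter, and the CA names are matched as substrings of the signer's issuer and of the DB bytes.

```powershell
# Added example (not from the Citrix article): Secure Boot pre-flight check.
# Run in the guest as Administrator before updating an MCS catalog.
#Requires -RunAsAdministrator

function Get-SecureBootDbTrust {
    # Same check the article uses, extended to report the 2011 CA as well.
    if (-not (Confirm-SecureBootUEFI)) {
        return [pscustomobject]@{ SecureBoot = $false; Trusts2011 = $null; Trusts2023 = $null }
    }
    $db = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    [pscustomobject]@{
        SecureBoot = $true
        Trusts2011 = $db -match 'Microsoft Windows Production PCA 2011'  # assumed CN substring
        Trusts2023 = $db -match 'Windows UEFI CA 2023'
    }
}

function Get-BootManagerSigner {
    # Mount the EFI System Partition on the first free letter (D..Z) and read
    # the Authenticode signer of bootmgfw.efi; its issuer names the signing CA.
    $letter = (68..90 | ForEach-Object { [char]$_ } |
        Where-Object { -not (Test-Path "$($_):") } | Select-Object -First 1)
    $drive = "$($letter):"
    mountvol $drive /S | Out-Null
    try {
        $sig = Get-AuthenticodeSignature "$drive\EFI\Microsoft\Boot\bootmgfw.efi"
        [pscustomobject]@{
            Status       = $sig.Status
            Issuer       = $sig.SignerCertificate.Issuer
            SignedBy2023 = $sig.SignerCertificate.Issuer -match 'Windows UEFI CA 2023'  # assumed
        }
    } finally {
        mountvol $drive /D | Out-Null   # always unmount the ESP again
    }
}

$trust = Get-SecureBootDbTrust
$boot  = Get-BootManagerSigner
$trust; $boot

# The article's root cause: a 2023-signed boot manager with a DB that only holds the 2011 CA.
if ($trust.SecureBoot -and $boot.SignedBy2023 -and -not $trust.Trusts2023) {
    Write-Warning 'Boot manager is 2023-signed but the Secure Boot DB lacks the Windows UEFI CA 2023; VMs will fail to boot after the next image update.'
}
```

Run it on the master image before the catalog update and on a VDA after the two in-guest restarts; the DB check alone (Trusts2023) is the same result the article's one-line verification returns.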
Microsoft is transitioning from the Windows UEFI CA 2011 certificate to the Windows UEFI CA 2023 certificate for signing Windows bootloaders. The 2011 certificate expires in 2026.