# Citrix VDI Clones Fail to Boot with Security Violation After Windows Updates

Article ID: 439022

Updated On:

Products

VMware vSphere ESXi

Issue/Introduction

After applying Microsoft Windows security updates (specifically April 2026 patches or those addressing CVE-2023-24932) to a golden image and pushing it to Citrix VDI clones, the virtual machines (VMs) fail to boot.

 

The Windows Boot Manager may list entries similar to the following:

  • Windows Boot Manager... Security Violation

  • Windows Boot Manager... Unsuccessful

 

The "vmware.log" file for the affected VM will contain entries similar to the following:

  • SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg.
  • SECUREBOOT: Image DENIED.

Environment

  • vSphere 8.x
  • vSphere 9.x

Cause

Recent Microsoft Windows updates, or earlier updates that address **CVE-2023-24932**, may implement revocations for the Windows Boot Manager. When **Secure Boot** is enabled on a virtual machine, the UEFI firmware may deny the boot image because its signature is unrecognized or revoked.
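The following is an added example, not part of the original article or VMware tooling: a Python triage script that scans a vmware.log for the SECUREBOOT lines quoted above and reports whether each denied image was rejected as untrusted (signer not in db) or revoked (matched in dbx). The function names are hypothetical, and the log prefixes and the second tally in the sample are constructed.

```python
import re

# Matches the signature tally line quoted in the article; any log prefix is ignored.
SIG_RE = re.compile(
    r"SECUREBOOT: Signature: (\d+) in db, (\d+) in dbx, "
    r"(\d+) unrecognized, (\d+) unsupported alg"
)
DENIED_RE = re.compile(r"SECUREBOOT: Image DENIED")


def classify(in_db, in_dbx, unrecognized, unsupported):
    """Explain a denial from the signature tally that precedes it."""
    if in_dbx:  # a dbx (forbidden list) match overrides any db match
        return "revoked (signature matched in dbx)"
    if unrecognized and not in_db:
        return "untrusted (signer not present in db)"
    if unsupported and not in_db:
        return "unsupported signature algorithm"
    return "undetermined"


def find_denials(lines):
    """Return (line_no, reason, tally) for every denied image in a vmware.log."""
    denials, tally = [], None
    for line_no, line in enumerate(lines, 1):
        sig = SIG_RE.search(line)
        if sig:
            tally = tuple(int(n) for n in sig.groups())
        elif DENIED_RE.search(line):
            reason = classify(*tally) if tally else "undetermined"
            denials.append((line_no, reason, tally))
            tally = None  # a tally explains only the verdict that follows it
    return denials


# Constructed sample: timestamps and prefixes are made up, and the second
# tally is a constructed variation of the line quoted in the article.
SAMPLE_LOG = """\
2026-04-20T08:01:02.100Z vcpu-0 SECUREBOOT: Signature: 0 in db, 0 in dbx, 1 unrecognized, 0 unsupported alg.
2026-04-20T08:01:02.101Z vcpu-0 SECUREBOOT: Image DENIED.
2026-04-20T08:05:10.400Z vcpu-0 SECUREBOOT: Signature: 0 in db, 1 in dbx, 0 unrecognized, 0 unsupported alg.
2026-04-20T08:05:10.401Z vcpu-0 SECUREBOOT: Image DENIED.
""".splitlines()

if __name__ == "__main__":
    for line_no, reason, tally in find_denials(SAMPLE_LOG):
        print(f"line {line_no}: DENIED, {reason}, tally={tally}")
```

To check a real VM, pass the lines of its vmware.log to `find_denials` instead of `SAMPLE_LOG`.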

Resolution

Determining the exact cause of the Secure Boot failure requires further troubleshooting by the OS vendor.

Reach out to Microsoft support for assistance in troubleshooting the issue that causes Secure Boot to prevent the VM from booting.

Additional Information

As a temporary option, disabling Secure Boot for the VM should allow the VM to boot. Steps for disabling or enabling Secure Boot are detailed in KB article 377377:

Enable or Disable UEFI Secure Boot for a Virtual Machine