Overview
Microsoft's original (2011) Secure Boot certificates begin expiring in June 2026. On most modern server platforms the rollover is handled automatically through a BIOS update supplied by the board vendor. The DataON 5000 Series (Intel S2600WF) reached end-of-life before Intel delivered that BIOS update, so the full certificate rollover, which also requires a new Key Exchange Key (KEK) installed through firmware, cannot be completed automatically on this hardware.
This article explains what is changing, what the risk is, and how to apply a validated interim remediation procedure that eliminates the primary boot failure risk before the deadline.
Who Is Affected
This article applies to DataON 5000 Series servers only. If you are running a DataON 6000 or 7000 Series, please refer to the separate guidance for those platforms.
You are affected if:
- You have one or more DataON 5000 Series servers in your environment
- Secure Boot is enabled on those servers
Check If Secure Boot Is Enabled
Before going further, confirm whether Secure Boot is actually enabled on your server. Run the following in an elevated PowerShell window:
Confirm-SecureBootUEFI
- True — Secure Boot is enabled. This article is relevant to you; continue reading.
- False — Secure Boot is disabled. No action is required from this notice.
- Error / cmdlet not recognized — An error such as "Cmdlet not supported on this platform" means the server is booted in legacy BIOS mode and has no Secure Boot to remediate, so no action is required. Confirm the window really is elevated before drawing that conclusion, because the cmdlet also fails without administrator rights.
What Happens Without Action
If Secure Boot is enabled and no action is taken before June 2026, here is what to expect:
| Timeframe | Impact |
|---|---|
| Before June 2026 | No change. Servers continue to boot and operate normally. |
| After June 2026 | Servers continue to boot, but can no longer receive Secure Boot security updates for boot components. |
| Future (date TBD) | Microsoft has indicated it will eventually block servers still running 2011-signed boot software from booting entirely. No date has been announced, but this is the long-term trajectory for unmitigated servers. |
The good news: DataON Engineering has validated an interim procedure that removes the boot failure risk. It must be completed before June 2026, while the current certificate infrastructure is still valid and the firmware will still accept the update.
What the Interim Remediation Does
This procedure adds Microsoft's 2023 boot certificate (Windows UEFI CA 2023) to the firmware's DB, the list of signers the firmware trusts, and then switches the Windows boot manager to the 2023-signed version. After completion:
- Your server will continue to boot normally after June 2026
- The primary risk (Microsoft blocking servers still running 2011-signed boot software) is eliminated
- Your deployment and imaging tools will remain compatible with this hardware
What this does not fix: After June 2026, your 5000 Series servers will still be unable to receive new Secure Boot security updates (new DB and DBX entries), because the Key Exchange Key (KEK) cannot be updated on this platform. A new KEK must be installed with an update signed by the holder of the Platform Key (PK), which for this board is Intel, and no such firmware update exists for the S2600WF. This procedure eliminates the immediate boot failure risk but does not restore Secure Boot update capability. A hardware refresh to the DataON 8000 Series is the only complete long-term solution.
⚠️ Time Sensitive: This procedure must be completed before June 2026. After that date, the current certificate infrastructure expires and this window closes permanently.
⛔ Do Not Run the Full Deployment Command: Do not set AvailableUpdates = 0x5944 on 5000 Series servers. That command triggers the full certificate deployment including the KEK update step, which will stall permanently on this platform. This guide uses a targeted command that updates only the DB — not the KEK.
Prerequisites
- DataON 5000 Series server (Intel S2600WF) with Windows Server and Secure Boot enabled
- Administrator access (local or remote PowerShell)
- Latest Windows cumulative updates installed — run Windows Update and confirm the server is current before proceeding
- A scheduled maintenance window — this procedure requires two reboots
- If BitLocker is active on any drive: have your BitLocker recovery keys accessible before starting
- KVM/BMC (IPMI) access configured and verified — if anything goes wrong during the procedure, out-of-band access is essential for recovery without an on-site dispatch
Read Before You Start
Do not reset your BIOS to defaults after completing this procedure, and do not use any firmware option that restores the default Secure Boot keys. The 2023 certificate exists only in the firmware's DB variable in NVRAM, where Windows wrote it; a factory reset restores the original DB, which does not trust the 2023-signed boot manager, and the server will then fail to boot. Ensure KVM/BMC (IPMI) out-of-band access is confirmed and working before you begin; it is your only recovery path if the server becomes unbootable.
Keep your 2011-signed imaging and WinPE media for 5000 Series nodes. Do not upgrade deployment boot images to 2023-signed versions for use with these servers — the KEK was not updated, so 2023-signed external media will not boot on this platform.
This is an interim measure. After June 2026, the 5000 Series will still be unable to receive new Secure Boot security updates. A hardware refresh to the DataON 8000 Series is the only complete long-term solution.
Step 0 — Check If Already Applied
Run the following in an elevated PowerShell window. If Windows UEFI CA 2023 already appears in the result, the procedure has already been applied and no further action is needed.
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
If the result is True — stop here, already done. If False — proceed with Steps 1–5.
Step 1 — Suspend BitLocker (If Enabled)
Skip this step if BitLocker is not active on this server.
Changing the firmware DB changes the Secure Boot measurements (PCR 7) that BitLocker's TPM protector checks, so an unexpected recovery key prompt is possible on the next boot. Suspending BitLocker for two reboots prevents that prompt; protection resumes automatically once the two reboots have happened.
Check if BitLocker is active:
manage-bde -status C:
If Protection Status shows Protection On, suspend it:
manage-bde -Protectors -Disable C: -RebootCount 2
Expected output: Key protectors are disabled for volume C:
Step 2 — Trigger the DB Certificate Update
This command sets a registry flag (AvailableUpdates = 0x40) that tells Windows' Secure Boot servicing task to add the Windows UEFI CA 2023 certificate to the firmware DB (the allowed-signers list) on the next reboot. It updates only the DB; it does not touch the KEK, the DBX, or any other variable.
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f
Expected output: The operation completed successfully.
Step 3 — Reboot the Server
Reboot the server. During this reboot, Windows writes the new certificate to the firmware's DB variable. The server may take slightly longer than usual to POST — this is normal.
Restart-Computer -Force
Wait for the server to fully restart, then re-run the Step 0 check. It must return True before you continue to Step 4, because the boot manager update depends on the 2023 certificate already being in the DB.
Step 4 — Update the Boot Manager
Now that the firmware trusts the 2023 Microsoft certificate, this step updates the Windows boot manager to the 2023-signed version. This is the step that eliminates the future boot failure risk.
If BitLocker was active, suspend it again:
manage-bde -Protectors -Disable C: -RebootCount 2
Trigger the boot manager update:
reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f
Reboot again:
Restart-Computer -Force
Step 5 — Verify the Update Completed
After the server restarts, run these checks in an elevated PowerShell window:
Check 1 — Confirm 2023 certificate is in DB:
[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
Expected result: True
Check 2 — Confirm the boot manager the firmware loads is 2023-signed. The firmware executes bootmgfw.efi from the EFI System Partition (ESP), so check that copy rather than the staged one under System32\Boot. Mount the ESP on a free drive letter (S: here; choose another if S: is in use), read the signer, then unmount:
mountvol S: /S
$sig = Get-AuthenticodeSignature 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
$sig.SignerCertificate.Subject
mountvol S: /D
Expected result: contains Windows UEFI CA 2023
If Check 2 still shows Microsoft Windows Production PCA 2011, try one additional reboot and check again.
| Check | Expected | Meaning |
|---|---|---|
| UEFI CA 2023 in DB | True | Firmware trusts 2023-signed boot software ✓ |
| Boot manager signer | Windows UEFI CA 2023 | Server booting from 2023-signed boot manager ✓ |
| UEFI CA 2023 in DB | False | DB update did not apply — contact DataON support |
| Boot manager signer | PCA 2011 | Try one more reboot; contact support if still failing |
✓ Procedure Complete — If both checks return the expected results, the interim remediation is complete. Your server will continue to boot normally after June 2026 and is protected against the primary boot failure risk. Record the date this was completed for your compliance documentation.
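The whole procedure, Steps 0 through 5, as one phase-aware PowerShell script. This is an added example written for this article, not a DataON or Microsoft tool: run it from an elevated session, reboot when it tells you to, run it again, reboot, and run it a third time to verify. It never writes anything other than 0x40 or 0x100 to AvailableUpdates and stops if some other value is already present. Assumptions not taken from the article: the baseboard product string begins with 'S2600WF' (used only as a sanity check), drive letter S: is free for mounting the EFI System Partition, manage-bde prints English output, and BitLocker only needs handling on the OS volume.

```powershell
<#
  Added example, not DataON's or Microsoft's own tooling: a phase-aware wrapper for Steps 0-5.
  Run it, reboot, run it again, reboot, run it once more to verify. It only ever writes 0x40
  or 0x100 to AvailableUpdates (never 0x5944) and stops if another value is already present.
  Assumptions not taken from the article: the board product string starts with 'S2600WF',
  $EspLetter is a free drive letter, manage-bde output is in English, and only the OS volume
  needs BitLocker handling.
#>
[CmdletBinding()]
param(
    [switch]$Reboot,              # actually restart after staging a phase; default only prints
    [switch]$SkipHardwareCheck,   # allow running on a board that does not match S2600WF*
    [string]$EspLetter = 'S:'     # assumed free letter used to mount the EFI System Partition
)
$ErrorActionPreference = 'Stop'
$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Secureboot'
$Task    = '\Microsoft\Windows\PI\Secure-Boot-Update'
$Phase1  = 0x40    # Step 2: add Windows UEFI CA 2023 to the DB only (no KEK)
$Phase2  = 0x100   # Step 4: switch to the 2023-signed boot manager

$principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}
try { $sbOn = Confirm-SecureBootUEFI } catch { $sbOn = $false }   # throws on legacy BIOS systems
if (-not $sbOn) { Write-Host 'Secure Boot is not enabled on this system; nothing to do.'; return }

if (-not $SkipHardwareCheck) {
    $board = (Get-CimInstance Win32_BaseBoard).Product
    if ($board -notlike 'S2600WF*') {   # assumed product prefix for the 5000 Series board
        throw "Baseboard '$board' does not look like an Intel S2600WF; use -SkipHardwareCheck only if you are sure."
    }
}

function Test-DbHas2023Ca {
    # Same check as Step 0 / Step 5 Check 1: the CA's subject name appears in the raw DB variable.
    $db = (Get-SecureBootUEFI -Name db).Bytes
    return ([System.Text.Encoding]::ASCII.GetString($db) -match 'Windows UEFI CA 2023')
}

function Get-EspBootManagerSigner {
    # The firmware loads bootmgfw.efi from the EFI System Partition, so inspect that copy,
    # not the staged one under System32\Boot. Refuse to reuse a letter that is already mapped,
    # because 'mountvol X: /D' in the cleanup would otherwise unmap someone else's volume.
    if (Test-Path "$EspLetter\") { throw "$EspLetter is already in use; pass a free letter via -EspLetter." }
    mountvol $EspLetter /S | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "mountvol $EspLetter /S failed (exit $LASTEXITCODE)." }
    try {
        $sig = Get-AuthenticodeSignature "$EspLetter\EFI\Microsoft\Boot\bootmgfw.efi"
        return $sig.SignerCertificate.Subject
    } finally {
        mountvol $EspLetter /D | Out-Null
    }
}

function Suspend-OsVolumeBitLocker {
    # Step 1 / Step 4: suspend for two reboots so the DB change (which alters PCR 7) does not
    # force a recovery-key prompt. manage-bde is used because it is present on every SKU.
    $status = manage-bde -status $env:SystemDrive
    if ($status -match 'Protection On') {
        manage-bde -protectors -disable $env:SystemDrive -RebootCount 2 | Out-Null
        Write-Host "BitLocker suspended on $env:SystemDrive for the next 2 reboots."
    } else {
        Write-Host "BitLocker protection is not on for $env:SystemDrive; nothing to suspend."
    }
}

function Set-AvailableUpdates([int]$Value) {
    # Only 0x40 and 0x100 are ever written here. Any other pre-existing value means someone
    # has already staged something else (possibly the full 0x5944 deployment), so stop.
    $current = [uint32]((Get-ItemProperty -Path $RegPath -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates)
    if ($current -ne 0 -and $current -ne $Phase1 -and $current -ne $Phase2) {
        throw ('AvailableUpdates is already 0x{0:X}; do not stack this procedure on top of it. Contact support.' -f $current)
    }
    Set-ItemProperty -Path $RegPath -Name AvailableUpdates -Value $Value -Type DWord
    Start-ScheduledTask -TaskName $Task   # run the updater now instead of waiting up to 12 hours
    Write-Host ('Staged AvailableUpdates = 0x{0:X} and started {1}.' -f $Value, $Task)
}

$dbOk   = Test-DbHas2023Ca
$signer = Get-EspBootManagerSigner
Write-Host "Windows UEFI CA 2023 in DB : $dbOk"
Write-Host "ESP boot manager signer    : $signer"

if (-not $dbOk) {
    Write-Host 'Phase 1 (Steps 1-3): staging the DB-only certificate update.'
    Suspend-OsVolumeBitLocker
    Set-AvailableUpdates $Phase1
} elseif ($signer -notmatch 'Windows UEFI CA 2023') {
    Write-Host 'Phase 2 (Step 4): staging the 2023-signed boot manager.'
    Suspend-OsVolumeBitLocker
    Set-AvailableUpdates $Phase2
} else {
    Write-Host "Interim remediation verified complete on $(Get-Date -Format s); record this date."
    return
}
if ($Reboot) { Restart-Computer -Force } else { Write-Host 'Reboot now, then run this script again.' }
```

Without -Reboot the script only stages the current phase and prints what to do next, which is the safer default on a node you are driving over KVM; add -Reboot when you are ready. Because the boot manager check mounts the ESP, the script refuses to proceed if the chosen letter is already mapped rather than risk unmapping another volume during cleanup.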
Troubleshooting
DB check returns False after rebooting
The Windows scheduled task that applies the certificate runs every 12 hours. Trigger it manually:
Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\Secure-Boot-Update"
Reboot and check again. If still False after a second attempt, contact DataON support.
Server prompted for BitLocker recovery key during reboot
Enter your recovery key to resume booting. Once Windows loads, BitLocker protection is on again; confirm with manage-bde -status C:, and suspend it again (manage-bde -Protectors -Disable C: -RebootCount 2) before the next reboot in this procedure. The prompt itself does not indicate a problem with the procedure; continue with the remaining steps.
Boot manager signer still shows PCA 2011 after multiple reboots
Verify Step 2 (DB update) completed successfully first — the boot manager update requires the DB cert to be in place before it can apply. If the DB check shows True but the boot manager is still PCA 2011 after two reboots, contact DataON support.
Important Notes After Completion
- Do not reset your BIOS to defaults after completing this procedure, and do not use any firmware option that restores the default Secure Boot keys. The 2023 certificate exists only in the firmware DB in NVRAM; a factory reset restores the original DB, and the server will no longer boot from the 2023-signed boot manager. Ensure KVM/BMC access is confirmed before running this procedure.
- Keep your 2011-signed imaging media for 5000 Series nodes. Do not upgrade WinPE or deployment boot images to 2023-signed versions for these servers — the KEK was not updated, so externally-signed 2023 media will not work.
- This is an interim measure. The 5000 Series cannot receive new Secure Boot security updates after June 2026. A hardware refresh to the DataON 8000 Series is the recommended long-term path.
Warranty vs. Non-Warranty
This procedure can be self-serviced regardless of warranty status. The steps are identical for both groups.
- Under active warranty: DataON Support can walk you through the procedure or perform it remotely with your cooperation. Open a ticket at dataonsupport.dataonstorage.com.
- Out of warranty: Use this article to self-service the procedure. The steps are straightforward for any administrator with elevated PowerShell access. If you run into issues, contact DataON Support — per-incident support is available.
Contact DataON Support
- Support portal: dataonsupport.dataonstorage.com
- Email: support@dataonstorage.com
- For hardware refresh planning, contact your DataON account representative
DataON 5000 Series · Secure Boot Interim Remediation · Rev 1.0 · March 2026 · Based on Microsoft KB5062713