Overview

Microsoft's original (2011) Secure Boot certificates begin expiring on June 24, 2026. On most current server platforms the replacement certificates, including the new Key Exchange Key (KEK), arrive automatically through a BIOS update. The DataON S2D-5000 Series (Intel S2600WF) reached end-of-life before Intel delivered that BIOS update, so the full certificate update cannot be completed automatically on this hardware.

This article explains what is changing, what the risk is, and how to apply a validated interim remediation procedure that eliminates the primary boot failure risk before the deadline.


Who Is Affected

This article applies only to the DataON server models listed below. If you are running a DataON S2D-6000 or S2D-7000 Series, refer to the separate guidance for those platforms.

To confirm your server model, run the following in an elevated PowerShell window:

(Get-CimInstance Win32_ComputerSystem).Model

This article applies to your server if the result begins with any of the following prefixes:

  • S2D-5 (e.g. S2D-5xxx)
  • AZS-1 (e.g. AZS-1xx)
  • AZS-2 (e.g. AZS-2xx)
  • HCI-1 (e.g. HCI-1xx)
  • HCI-2 (e.g. HCI-2xx)

If the result shows a different model prefix, refer to the guidance for your platform.

You are affected if:

  • Your server model matches one of the prefixes listed above
  • Secure Boot is enabled on that server

Check If Secure Boot Is Enabled

Run the following in an elevated PowerShell window:

Confirm-SecureBootUEFI

  • True — Secure Boot is enabled; continue reading.
  • False — Secure Boot is disabled. No action required.
  • Error ("Cmdlet not supported on this platform") or cmdlet not recognized — the server is booting in legacy BIOS mode or its firmware does not support Secure Boot. No action required.
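The two checks above can be run against every cluster node at once. The following script is an added example written for this article, not DataON tooling; it assumes WinRM is reachable on the node names in $Nodes (placeholders) and reports which nodes are in scope for this procedure:

```powershell
# Added example (not part of the DataON article): inventory which nodes this
# article applies to. Node names below are placeholders; replace with your own.
$Nodes = @('node01', 'node02')   # assumption: cluster node names reachable over WinRM
$AffectedPrefixes = @('S2D-5', 'AZS-1', 'AZS-2', 'HCI-1', 'HCI-2')

function Get-SecureBootScope {
    param([string[]]$ComputerName, [string[]]$Prefixes)

    Invoke-Command -ComputerName $ComputerName -ArgumentList (,$Prefixes) -ScriptBlock {
        param([string[]]$Prefixes)

        $model = [string](Get-CimInstance Win32_ComputerSystem).Model
        # -like is case-insensitive, so 's2d-5xxx' still matches 'S2D-5'
        $modelMatch = [bool]($Prefixes | Where-Object { $model -like "$_*" })

        # Confirm-SecureBootUEFI throws on legacy BIOS / platforms without Secure Boot support;
        # treat that the same as "disabled" (no action required)
        try   { $secureBoot = [bool](Confirm-SecureBootUEFI) }
        catch { $secureBoot = $false }

        [pscustomobject]@{
            Node       = $env:COMPUTERNAME
            Model      = $model
            ModelMatch = $modelMatch
            SecureBoot = $secureBoot
            Affected   = ($modelMatch -and $secureBoot)
        }
    } | Select-Object Node, Model, ModelMatch, SecureBoot, Affected
}

Get-SecureBootScope -ComputerName $Nodes -Prefixes $AffectedPrefixes | Format-Table -AutoSize
```

A node is in scope only when both ModelMatch and SecureBoot are True; nodes with a different model prefix are covered by their own platform guidance.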

What Happens Without Action

Timeframe               Impact
Before June 24, 2026    No change. Servers continue to boot and operate normally.
After June 24, 2026     Servers continue to boot, but can no longer receive Secure Boot security updates for boot components.
Future (date TBD)       Microsoft has indicated it will eventually block servers still running 2011-signed boot software from booting entirely.

DataON Engineering has validated an interim procedure that directly addresses these risks and must be completed before June 24, 2026.


What the Interim Remediation Does

This procedure adds Microsoft's Windows UEFI CA 2023 certificate to the Secure Boot signature database (DB) in your server's firmware and replaces the Windows boot manager with the 2023-signed version. After completion:

  • Your server will continue to boot normally after June 24, 2026
  • The primary risk (Microsoft blocking servers still running 2011-signed boot software) is eliminated
  • Your deployment and imaging tools will remain compatible with this hardware

What this does not fix: After June 24, 2026, your server will still be unable to receive new Secure Boot security updates, because the Key Exchange Key (KEK) that authorizes DB and DBX updates cannot be replaced on this platform. A hardware refresh to the DataON 8000 Series is the only complete long-term solution.

Time Sensitive: This procedure must be completed before June 24, 2026. After that date, the current certificate infrastructure expires and this window closes permanently.

Do Not Run the Full Deployment Command: Do not set AvailableUpdates = 0x5944 on these servers. That value includes the KEK update step, which stalls permanently on this platform.


Prerequisites

  • Affected DataON server (Intel S2600WF) with Windows Server and Secure Boot enabled
  • Administrator access (local or remote PowerShell)
  • Latest Windows cumulative updates installed
  • A scheduled maintenance window — this procedure requires up to three reboots
  • BitLocker recovery keys accessible if BitLocker is active
  • KVM/BMC (IPMI) access configured and verified

Read Before You Start

Do not reset your BIOS to defaults after completing this procedure. The 2023 certificate is written to NVRAM by Windows. A BIOS reset removes it and the server will fail to boot from the 2023-signed boot manager. Ensure KVM/BMC access is confirmed before you begin.

Keep your 2011-signed imaging and WinPE media for these nodes. Do not upgrade deployment boot images to 2023-signed versions — 2023-signed external media will not boot on this platform.

This is an interim measure. After June 24, 2026, these servers will still be unable to receive new Secure Boot security updates. A hardware refresh to the DataON 8000 Series is the only complete long-term solution.


Step 0 — Check If Already Applied

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

If the result is True, the 2023 CA is already in the DB and the procedure has already been applied; stop here. If False, proceed with Steps 1-6.


Step 1 — Suspend BitLocker (If Enabled)

Skip if BitLocker is not active.

manage-bde -status C:

If manage-bde is not recognized, BitLocker is not installed. Skip to Step 2.

If Protection Status shows Protection On:

manage-bde -Protectors -Disable C: -RebootCount 2

Expected output: Key protectors are disabled for volume C:


Step 2 — Trigger the DB Certificate Update

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f

Expected output: The operation completed successfully.


Step 3 — Reboot the Server

Restart-Computer -Force

Wait for the server to fully restart before proceeding.


Step 4 — Update the Boot Manager

If BitLocker was active, suspend it again:

manage-bde -Protectors -Disable C: -RebootCount 2

Then trigger the boot manager update:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f

Expected output: The operation completed successfully.

Reboot again:

Restart-Computer -Force

Step 5 — Enable Revocation

This step adds the Windows Production PCA 2011 certificate to the firmware's forbidden-signatures database (DBX). Once applied, a boot manager signed only by that 2011 CA no longer passes Secure Boot on this node, so the 2023-signed boot manager from Step 4 must already be in place. Before continuing, run Check 2 from Step 6; continue only when it returns 2, and repeat Step 4 first if it returns 1.

If BitLocker was active, suspend it again:

manage-bde -Protectors -Disable C: -RebootCount 2

Then trigger the revocation update:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x80 /f

Expected output: The operation completed successfully.

Reboot again:

Restart-Computer -Force

Step 6 — Verify the Update Completed

After the server restarts, run the two checks below.

Check 1 — Confirm 2023 certificate is in DB:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

Expected: True. If False, contact DataON support.

Check 2 — Confirm boot manager is 2023-signed:

(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -Name WindowsUEFICA2023Capable).WindowsUEFICA2023Capable

Expected: 2. If 1, reboot and check again. If 0 or missing, contact DataON support.

Procedure Complete — If both checks return the expected results, the interim remediation is complete. Record the date completed for compliance documentation.
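Steps 0-6 can be driven by one script that works out which phase comes next from the firmware and registry state, so it is safe to re-run after each reboot. This is an added example written for this article, not DataON or Microsoft tooling; the script name is hypothetical, it assumes an elevated PowerShell session on the node itself, and it uses the BitLocker PowerShell module in place of manage-bde. It also adds a DBX check (not in the article) so it can tell whether Step 5 has already been applied. It never sets 0x5944.

```powershell
# Added example (not DataON's or Microsoft's own tooling): apply the interim
# remediation one phase per reboot. Hypothetical usage:
#   .\Invoke-InterimSecureBootUpdate.ps1              -> report state, apply next phase, reboot
#   .\Invoke-InterimSecureBootUpdate.ps1 -ReportOnly  -> report state only
# Phase flags are the AvailableUpdates values from the article (0x40, 0x100, 0x80).
param([switch]$ReportOnly)

$SecureBootKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$ServicingKey  = "$SecureBootKey\Servicing"
$UpdateTask    = '\Microsoft\Windows\PI\Secure-Boot-Update'
$PhaseFlag     = @{ DB = 0x40; BootManager = 0x100; Revocation = 0x80 }   # never 0x5944 here

# Step 0 / Step 6 Check 1: is the 2023 CA in the firmware DB?
function Test-Db2023 {
    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'
}
# Step 6 Check 2: 0/missing = not capable, 1 = DB updated only, 2 = 2023-signed boot manager installed
function Get-Ca2023Capable {
    (Get-ItemProperty -Path $ServicingKey -Name WindowsUEFICA2023Capable -ErrorAction SilentlyContinue).WindowsUEFICA2023Capable
}
# Added check: has the 2011 production CA been placed in DBX (Step 5 applied)?
function Test-Pca2011Revoked {
    [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI dbx).bytes) -match 'Windows Production PCA 2011'
}

function Get-InterimState {
    $db  = Test-Db2023
    $cap = Get-Ca2023Capable
    $dbx = Test-Pca2011Revoked
    # Phases must run in this order: DB, then boot manager, then revocation
    $next = if (-not $db)       { 'DB' }
            elseif ($cap -ne 2) { 'BootManager' }
            elseif (-not $dbx)  { 'Revocation' }
            else                { 'Complete' }
    [pscustomobject]@{ Db2023 = $db; Capable = $cap; Pca2011Revoked = $dbx; NextPhase = $next }
}

# Step 1 (repeated before every phase): suspend BitLocker only if it is protecting the OS volume
function Suspend-BitLockerIfOn {
    param([string]$Drive = 'C:')
    # The BitLocker module is absent when the feature is not installed; nothing to suspend then
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) { return }
    $vol = Get-BitLockerVolume -MountPoint $Drive -ErrorAction SilentlyContinue
    if ($vol -and $vol.ProtectionStatus -eq 'On') {
        # RebootCount 2 leaves one spare reboot, matching the article's manage-bde command
        Suspend-BitLocker -MountPoint $Drive -RebootCount 2 | Out-Null
    }
}

function Invoke-InterimPhase {
    param([ValidateSet('DB', 'BootManager', 'Revocation')][string]$Phase, [switch]$Reboot)
    Suspend-BitLockerIfOn
    # Same effect as the article's "reg add ... /t REG_DWORD /d <flag> /f"
    New-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -PropertyType DWord `
        -Value $PhaseFlag[$Phase] -Force | Out-Null
    # Kick the servicing task now (the article's troubleshooting step) instead of waiting for it
    Start-ScheduledTask -TaskName $UpdateTask
    if ($Reboot) { Restart-Computer -Force }
}

# Guard: nothing to do on a node where Secure Boot is off or unsupported
try   { if (-not (Confirm-SecureBootUEFI)) { Write-Warning 'Secure Boot is disabled; no action required.'; return } }
catch { Write-Warning 'Secure Boot is not supported on this platform; no action required.'; return }

$state = Get-InterimState
$state | Format-List
if ($state.NextPhase -eq 'Complete') {
    Write-Host "Interim remediation complete on $env:COMPUTERNAME; record the date for compliance."
} elseif (-not $ReportOnly) {
    Write-Host "Applying phase $($state.NextPhase) and rebooting."
    Invoke-InterimPhase -Phase $state.NextPhase -Reboot
}
```

Run the script, let the node reboot, then run it again; it reports Db2023, Capable and Pca2011Revoked each time and stops when all three show the finished state. If Capable stays at 1 after the BootManager phase, the next run simply re-applies that phase, which is the same recovery the troubleshooting section describes. Confirm KVM/BMC access before the first run, since a BIOS reset after the DB phase removes the 2023 CA from NVRAM.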


Troubleshooting

DB check returns False after rebooting

Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'

Reboot and check again. If still False, contact DataON support.

Server prompted for BitLocker recovery key during reboot

Enter your recovery key to resume booting. The prompt means protection was on for that reboot, so BitLocker is active again; each remaining step suspends it again before its own reboot, so continue with the remaining steps.

WindowsUEFICA2023Capable shows 1 instead of 2 after multiple reboots

Try one additional reboot. If it remains 1 after two reboots, suspend BitLocker again, re-apply the 0x100 registry flag, and reboot. If still 1, contact DataON support.


Important Notes After Completion

  • Do not reset your BIOS to defaults. The 2023 certificate is in NVRAM — a BIOS reset removes it.
  • Keep your 2011-signed imaging media for these nodes. Do not upgrade WinPE to 2023-signed versions.
  • This is an interim measure. A hardware refresh to the DataON 8000 Series is the recommended long-term path.

Contact DataON Support

DataON S2D-5000 / AZS / HCI Series · Secure Boot Interim Remediation · Rev 1.3 · March 2026 · Based on Microsoft KB5062713