Overview

Microsoft's original (2011) Secure Boot certificates begin expiring on June 24, 2026. On most current server platforms the replacement certificates arrive automatically through a BIOS update. The DataON S2D-5000 Series (Intel S2600WF board) reached end-of-life before Intel delivered such a BIOS update, so the firmware-side part of the update (the KEK) cannot be installed and the full 2023 certificate chain cannot be completed on this hardware.

This article explains what is changing, what the risk is, and how to apply a validated interim remediation procedure that eliminates the primary boot failure risk before the deadline.


Who Is Affected

This article applies to the following DataON server models only. If you are running a DataON S2D-6000 or S2D-7000 Series, please refer to the separate guidance for those platforms.

To confirm your server model, run the following in an elevated PowerShell window:

(Get-CimInstance Win32_ComputerSystem).Model

This article applies to your server if the result begins with any of the following prefixes:

  • S2D-5 (e.g. S2D-5xxx)
  • AZS-1 (e.g. AZS-1xx)
  • AZS-2 (e.g. AZS-2xx)
  • HCI-1 (e.g. HCI-1xx)
  • HCI-2 (e.g. HCI-2xx)

You are affected if your server model matches one of the prefixes listed above and Secure Boot is enabled.


Check If Secure Boot Is Enabled

Run the following in an elevated PowerShell window:

Confirm-SecureBootUEFI
  • True — Secure Boot is enabled; continue reading.
  • False — Secure Boot is disabled. No action required.
  • Error / cmdlet not recognized — the server boots in legacy BIOS mode rather than UEFI, so Secure Boot does not apply. No action required. (An access-denied error instead means the window is not elevated; rerun it as Administrator.)
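The two checks above combined into one pre-flight function, as an added example (not part of the DataON article). It applies the model-prefix test and the Secure Boot test from this section and returns a single object per node; the optional fleet-wide line at the end assumes WinRM is enabled and the FailoverClusters module is present, neither of which the article states.

```powershell
# Added example, not DataON's code: pre-flight scope check for the interim remediation.
# Run in an elevated PowerShell window on the node being assessed.

function Test-DataOnSecureBootScope {
    [CmdletBinding()]
    param(
        # Model prefixes listed in the article's "Who Is Affected" section.
        [string[]]$AffectedPrefixes = @('S2D-5', 'AZS-1', 'AZS-2', 'HCI-1', 'HCI-2')
    )

    $model      = (Get-CimInstance Win32_ComputerSystem).Model
    $modelMatch = $false
    foreach ($prefix in $AffectedPrefixes) {
        if ($model -like "$prefix*") { $modelMatch = $true; break }
    }

    # Confirm-SecureBootUEFI throws on legacy-BIOS systems and in a non-elevated
    # window; record the reason instead of aborting so a fleet run still completes.
    $secureBoot = $null
    $note       = ''
    try {
        $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop
    } catch {
        $note = "Confirm-SecureBootUEFI failed: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Model        = $model
        ModelMatch   = $modelMatch
        SecureBoot   = $secureBoot
        # In scope only when both conditions from the article hold.
        Affected     = ($modelMatch -and ($secureBoot -eq $true))
        Note         = $note
    }
}

# Single node:
Test-DataOnSecureBootScope | Format-List

# Whole cluster (assumption: WinRM enabled and FailoverClusters module installed):
# Invoke-Command -ComputerName (Get-ClusterNode).Name -ScriptBlock ${function:Test-DataOnSecureBootScope} |
#     Format-Table ComputerName, Model, SecureBoot, Affected, Note
```

Nodes that report Affected = True are the ones the rest of this article applies to; a Note value explains any node where the Secure Boot query could not be answered.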

What Happens Without Action

Timeframe              Impact
Before June 24, 2026   No change. Servers continue to boot and operate normally.
After June 24, 2026    Servers continue to boot, but can no longer receive Secure Boot security updates.
Future (date TBD)      Microsoft has indicated it will eventually block servers still running 2011-signed boot software from booting entirely.

What the Interim Remediation Does

This procedure adds the Windows UEFI CA 2023 certificate to the server's Secure Boot DB (the firmware's allowed-signers list), replaces the Windows boot manager with the version signed by that certificate, and then revokes the 2011 boot-manager signing certificate through the DBX. It does not touch the KEK.

Time Sensitive: This procedure must be completed before June 24, 2026.

Do Not Run the Full Deployment Command: Do not set AvailableUpdates = 0x5944 on these servers. That value also triggers the KEK update, which depends on firmware support that Intel never shipped for the S2600WF, so the update stalls permanently on this platform. Use only the per-step values given in Steps 2, 4 and 5 (0x40, 0x100, 0x80).


Prerequisites

  • Affected DataON server (Intel S2600WF) with Windows Server and Secure Boot enabled
  • Administrator access (local or remote PowerShell)
  • Latest Windows cumulative updates installed
  • A scheduled maintenance window — this procedure requires up to three reboots
  • BitLocker recovery keys accessible if BitLocker is active
  • KVM/BMC (IPMI) access configured and verified

Read Before You Start

Do not reset your BIOS to defaults after completing this procedure. Windows writes the 2023 certificate into the firmware's Secure Boot variables in NVRAM; a BIOS reset restores the factory variables, which on this platform contain only the 2011 certificates, and the procedure has to be repeated.

Keep your 2011-signed imaging and WinPE media for these nodes, and do not upgrade deployment boot images to 2023-signed versions: a node whose firmware has been reset or replaced trusts only the 2011 certificates and will not boot 2023-signed media.

This is an interim measure. A hardware refresh to the DataON 8000 Series is the only complete long-term solution.


Step 0 — Check If Already Applied

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

If True — the DB step is already done; run the Step 6 checks to confirm that the boot manager step also completed. If False — proceed with Steps 1-6.


Step 1 — Suspend BitLocker (If Enabled)

Skip if BitLocker is not active.

manage-bde -status C:

If Protection Status shows Protection On:

manage-bde -Protectors -Disable C: -RebootCount 2

Expected output: Key protectors are disabled for volume C:


Step 2 — Trigger the DB Certificate Update

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x40 /f

Expected output: The operation completed successfully.


Step 3 — Reboot the Server

Restart-Computer -Force

Wait for the server to fully restart before proceeding.


Step 4 — Update the Boot Manager

If BitLocker was active, suspend it again:

manage-bde -Protectors -Disable C: -RebootCount 2

Trigger the boot manager update:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x100 /f

Expected output: The operation completed successfully. Then reboot:

Restart-Computer -Force

Step 5 — Enable Revocation

If BitLocker was active, suspend it again:

manage-bde -Protectors -Disable C: -RebootCount 2

Trigger the revocation update:

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Secureboot /v AvailableUpdates /t REG_DWORD /d 0x80 /f

Expected output: The operation completed successfully. Then reboot:

Restart-Computer -Force

Step 6 — Verify the Update Completed

Check 1 — Confirm 2023 certificate is in DB:

[System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI db).bytes) -match 'Windows UEFI CA 2023'

Expected: True. If False, contact DataON support.

Check 2 — Confirm boot manager is 2023-signed:

(Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\Servicing' -Name WindowsUEFICA2023Capable).WindowsUEFICA2023Capable

Expected: 2 (the 2023-signed boot manager is in use). If 1, the certificate is in DB but the server is still booting the 2011-signed boot manager; reboot and check again. If 0 or missing, contact DataON support.

Procedure Complete — If both checks return the expected results, the interim remediation is complete. Record the date completed for compliance documentation.
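Steps 0 through 6 as one idempotent driver, added here as an example and not part of the DataON article. Run it in an elevated PowerShell window after each reboot: it reads the firmware DB and DBX variables and the servicing registry value, works out which step is next, suspends BitLocker, sets only that step's AvailableUpdates value (it refuses 0x5944), starts the two scheduled tasks named under Troubleshooting so a step that did not fire automatically does not cost an extra reboot, and reports a status object that doubles as the Step 6 verification. Assumptions beyond the page: the DBX check searches for the subject string of the revoked 2011 certificate, Microsoft Windows Production PCA 2011, which the article does not show; everything else uses the values and task names quoted in the steps above.

```powershell
# Added example, not DataON's code: driver for the interim remediation (Steps 0-6).
# Re-run after every reboot until NextStep reports 'Complete'.

$SecureBootKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot'
$ServicingKey   = "$SecureBootKey\Servicing"
$StepValues     = [ordered]@{ DbUpdate = 0x40; BootManager = 0x100; Revocation = 0x80 }
$ForbiddenValue = 0x5944   # full deployment; triggers the KEK step that stalls on the S2600WF

function Get-UefiVarText([string]$Name) {
    # Secure Boot variables are signature lists; ASCII-decoding them is enough to
    # search for certificate subject strings, exactly as the article's checks do.
    try { [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $Name).Bytes) }
    catch { '' }   # variable not present (e.g. dbx never written) -> treat as empty
}

function Get-SecureBootRemediationState {
    $dbHas2023  = (Get-UefiVarText 'db')  -match 'Windows UEFI CA 2023'
    # Assumption: subject string of the certificate that Step 5 places in DBX.
    $dbxHas2011 = (Get-UefiVarText 'dbx') -match 'Microsoft Windows Production PCA 2011'
    $capable    = (Get-ItemProperty -Path $ServicingKey -Name WindowsUEFICA2023Capable -ErrorAction SilentlyContinue).WindowsUEFICA2023Capable
    $pending    = (Get-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -ErrorAction SilentlyContinue).AvailableUpdates

    # Order mirrors the article: DB first, then boot manager, then revocation.
    # A Capable value of 1 after Step 4 simply re-selects BootManager, which is the
    # Troubleshooting advice (re-run 0x100) expressed as state.
    $next = if (-not $dbHas2023)      { 'DbUpdate' }
            elseif ($capable -ne 2)   { 'BootManager' }
            elseif (-not $dbxHas2011) { 'Revocation' }
            else                      { 'Complete' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DbHas2023Ca        = $dbHas2023      # Step 6 Check 1
        BootMgr2023Capable = $capable        # Step 6 Check 2: 2 = 2023 boot manager in use
        DbxHasPca2011      = $dbxHas2011     # Step 5 applied
        PendingUpdates     = ('0x{0:X}' -f [int]$pending)   # non-zero: a step is still queued
        NextStep           = $next
    }
}

function Invoke-SecureBootRemediationStep {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Reboot)

    $state = Get-SecureBootRemediationState
    if ($state.NextStep -eq 'Complete') { return $state }

    $value = [int]$StepValues[$state.NextStep]
    if ($value -eq $ForbiddenValue) { throw 'Refusing to set AvailableUpdates = 0x5944 on this platform.' }

    $action = 'apply {0} (AvailableUpdates = 0x{1:X})' -f $state.NextStep, $value
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, $action)) {
        # Steps 1, 4 and 5: suspend BitLocker for the next two reboots if it is on.
        $bde = (manage-bde -status C:) -join "`n"
        if ($bde -match 'Protection On') {
            manage-bde -Protectors -Disable C: -RebootCount 2 | Out-Null
        }
        # Steps 2, 4 and 5: queue exactly one step's value.
        Set-ItemProperty -Path $SecureBootKey -Name AvailableUpdates -Value $value -Type DWord
        # Troubleshooting: kick the tasks that apply the change, in case they do not
        # run on their own at the next reboot.
        foreach ($task in 'SecureBootEncodeUEFI', 'Secure-Boot-Update') {
            Start-ScheduledTask -TaskName "\Microsoft\Windows\PI\$task" -ErrorAction SilentlyContinue
        }
        if ($Reboot) { Restart-Computer -Force }
    }
    $state
}

Get-SecureBootRemediationState             # Step 0 before, Step 6 after
Invoke-SecureBootRemediationStep -WhatIf   # show which step would be queued
# Invoke-SecureBootRemediationStep -Reboot # queue it and restart (Steps 3, 4, 5)
```

Run with -WhatIf first; it prints the step and value that would be queued without changing anything. When NextStep is Complete, DbHas2023Ca is True, BootMgr2023Capable is 2 and DbxHasPca2011 is True, which is the state the article's Step 6 and the DBX troubleshooting entry describe as done.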


Troubleshooting

DB check returns False after rebooting

On some systems the Windows scheduled tasks that apply certificate changes to firmware do not run automatically on reboot and must be triggered manually. Run the following two commands in an elevated PowerShell window, then reboot and check again:

Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\SecureBootEncodeUEFI'
Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\Secure-Boot-Update'

If it still returns False after a second attempt, contact DataON support.

Server prompted for BitLocker recovery key during reboot

Enter your recovery key to resume booting. The prompt means the protectors were not suspended for that reboot; BitLocker re-enables itself automatically, so suspend it again with the Step 1 command before the next reboot and continue with the remaining steps.

WindowsUEFICA2023Capable shows 1 instead of 2 after multiple reboots

On some systems the boot manager update task must be triggered manually. Run the following in an elevated PowerShell window, then reboot and check again:

Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\SecureBootEncodeUEFI'

If the value remains 1 after two attempts, re-run the Step 4 registry command (0x100), suspend BitLocker, trigger the task above, and reboot once more. If it still does not reach 2, contact DataON support.

DBX revocation step (Step 5) not showing as applied after rebooting

After running the Step 5 registry command (0x80), the revocation update is applied by a separate Windows scheduled task. On some systems it must be triggered manually. Run the following, then reboot:

Start-ScheduledTask -TaskName '\Microsoft\Windows\PI\SecureBootUEFI'

After rebooting, re-run Check-SecureBootCerts.ps1. DBX Revocation Status should show PASS and OVERALL should show COMPLETE. If it does not, contact DataON support.


Important Notes After Completion

  • Do not reset your BIOS to defaults. The 2023 certificate is in NVRAM — a BIOS reset removes it.
  • Keep your 2011-signed imaging media for these nodes. Do not upgrade WinPE to 2023-signed versions.
  • This is an interim measure. A hardware refresh to the DataON 8000 Series is the recommended long-term path.

Contact DataON Support

DataON S2D-5000 / AZS / HCI Series · Secure Boot Interim Remediation · Rev 1.4 · Updated April 2026 · Based on Microsoft KB5062713