TL;DR: Microsoft is retiring the 2011-era Secure Boot keys. Your DataON 7000-series nodes (Intel M50FCP / AZS-7xxx) need a BIOS update to install Microsoft's new 2023 Secure Boot keys — including the new KEK, which only a firmware update can deliver. Contact DataON Support to schedule this update. Before you do, confirm your BIOS is reasonably current, that you have working BMC/KVM access, and that your BitLocker recovery keys are escrowed off-box.

What is changing, and why it matters

As part of the BlackLotus mitigation (CVE-2023-24932 / Microsoft KB5025885), Microsoft is replacing the 2011-era Secure Boot certificates with a new 2023 set. Windows Server 2025 and Azure Local 24H2 use the 2023 keys. Microsoft has not announced a date for retiring the old 2011 keys, so there is no fixed deadline and no immediate risk to a node that is running normally today. This is best handled proactively during a planned maintenance window — the goal is simply to have the 2023 keys in place ahead of the eventual transition, rather than scrambling once a retirement date is set.

The update installs the following on each node:

  • KEK: Microsoft Corporation KEK 2K Certificate Authority 2023
  • DB: Windows UEFI CA 2023
  • DB: Microsoft UEFI CA 2023
  • DB: Microsoft Option ROM UEFI CA 2023
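As an added example (not part of the DataON article), the following PowerShell reports which of the four entries above are present in a node's Secure Boot KEK and db. It assumes an elevated session on the node itself and matches on the certificates' subject CNs as Microsoft names them, where the 2023 KEK appears as 'Microsoft Corporation KEK 2K CA 2023'.

```powershell
# Added example, not from the DataON article: inventory the Secure Boot
# KEK and db on this node and report which Microsoft CAs are present.
# Run in an elevated PowerShell session on the node (Get-SecureBootUEFI
# is built into Windows Server and Azure Local).

function Get-SecureBoot2023Status {
    if (-not (Confirm-SecureBootUEFI)) {
        throw 'Secure Boot is not enabled on this node; nothing to inventory.'
    }
    # Subject CN substrings to look for in each signature database. The
    # 2011 KEK is listed too so the before/after state is visible.
    $expected = [ordered]@{
        KEK = @('Microsoft Corporation KEK CA 2011',
                'Microsoft Corporation KEK 2K CA 2023')
        db  = @('Windows UEFI CA 2023',
                'Microsoft UEFI CA 2023',
                'Microsoft Option ROM UEFI CA 2023')
    }
    foreach ($var in $expected.Keys) {
        # Each variable holds DER-encoded X.509 certificates wrapped in
        # EFI_SIGNATURE_LISTs. Subject names are stored as plain ASCII,
        # so a substring search over the decoded bytes finds each CA.
        $text = [System.Text.Encoding]::ASCII.GetString(
            (Get-SecureBootUEFI -Name $var).Bytes)
        foreach ($cn in $expected[$var]) {
            [pscustomobject]@{
                Database    = $var
                Certificate = $cn
                Present     = $text.Contains($cn)
            }
        }
    }
}

Get-SecureBoot2023Status | Format-Table -AutoSize
```

A node that shows the 2011 KEK but not the 2023 KEK is exactly the case the firmware update exists for: Windows Update can add the three 2023 db entries only once a 2023 KEK is trusted.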

What Microsoft says about the impact

Per Microsoft's FAQ on the Secure Boot update process:

"After the Secure Boot certificates expire, devices that haven't received the newer 2023 certificates will continue to start and operate normally, and standard Windows updates will continue to install. However, these devices will no longer be able to receive new security protections for the early boot process, including updates to Windows Boot Manager, Secure Boot databases, revocation lists, or mitigations for newly discovered boot level vulnerabilities."

In short, missing the 2023 keys is not a boot-stopping emergency — your nodes keep running and keep getting normal Windows updates. What you lose is the ability to receive future early-boot security protections. That is why DataON recommends applying this proactively rather than treating it as urgent.

Why this needs a BIOS update (and not just Windows Update)

The new KEK can only be installed by firmware. A KEK change must be signed by the platform's Platform Key (PK), which is held only by the hardware vendor (Intel) — so Windows Update cannot deliver it. Windows Update can deliver the three 2023 DB entries, but only after a trusted 2023 KEK is already present. That is why the firmware update is the required first step, and why it has to come from DataON's qualified BIOS package for your 7000-series hardware.

Does this apply to me?

Running today                                         Action
----------------------------------------------------  ---------------------------------------------------------------------------------------------
Windows Server 2025 / Azure Local 24H2                Recommended. Schedule the BIOS update at your convenience.
Azure Stack HCI 22H2 / 23H2, planning a 24H2 upgrade  Apply before the upgrade. (22H2 / 23H2 are at or near end of support — plan the move to 24H2.)
Windows Server 2019 / 2022, no near-term upgrade      Optional. Talk to DataON Support — the 2023 keys are not strictly required here yet.

What to do: contact DataON Support

Open a ticket with DataON Support to schedule the BIOS / Secure Boot update for your 7000-series cluster. DataON will provide the qualified firmware package and the full step-by-step procedure, and can walk through it with you for the first node. Please do not attempt to update Secure Boot keys through the BMC web interface — that path cannot activate the new 2023 keys.

Before you contact us — readiness checklist

Having these in place before the maintenance window makes the update smooth and avoids the most common recovery calls. Confirm each item:

  1. BMC / KVM-over-IP access is working. The 7000-series uses OpenBMC. You will need BMC access to press F2 at POST, to watch a blank-screen firmware window during the update, and to check current firmware versions. Confirm you can log in to each node's OpenBMC web UI (https://<bmc-ip>/) and open a remote console now.

  2. Firmware is already reasonably current. Before a node can move to the target BIOS R01.02.0005, the update path expects BIOS R01.02.0004 or later, BMC 2.71 or later, and CPLD v3P2 or later. If a node is below any of these, let us know. Check the BIOS version from Windows:

    Get-ComputerInfo | Select-Object BiosVersion, BiosFirmwareType
    # Example: SE5C7411.86B.R01.02.0004

    Windows does not report BMC, CPLD, or FRU versions — check those in the OpenBMC web UI under Hardware → Firmware inventory, or in BIOS Setup (F2).

  3. BitLocker recovery keys are escrowed off-box. The update changes the TPM measurements, so BitLocker-protected volumes can prompt for a recovery key. Make sure keys are stored in Active Directory / Entra ID or your documented key location and retrievable on demand. From a node that is not being updated:

    Get-AsRecoveryKeyInfo | Format-Table ComputerName, PasswordID, RecoveryKey

  4. The cluster is healthy. No failed drives, no active storage repair jobs, and all nodes up. The update is done one node at a time with the node drained, so a healthy starting point matters.

    Get-PhysicalDisk | Format-Table FriendlyName, OperationalStatus, HealthStatus
    Get-StorageJob   # no output = no repair jobs running

  5. You have a maintenance window planned. Budget per node for the firmware update plus reboots, and update one node at a time. Workloads continue on the remaining nodes and storage stays online during a drain.
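As an added pre-flight script (not from the DataON article or its procedure), the following checks the items in this list that are visible from Windows. It assumes an elevated session on the node and that the BitLocker module is installed; it cannot see BMC or CPLD versions, which still have to be read in OpenBMC.

```powershell
# Added example, not from the DataON article: pre-flight check for the
# readiness items above, run in an elevated session on the node itself.
# The BIOS floor (R01.02.0004) is the one the article states.

function Test-BiosAtLeast {
    param([string]$BiosId, [string]$Minimum = 'R01.02.0004')
    # Intel BIOS IDs look like SE5C7411.86B.R01.02.0004. Pull out the
    # Rxx.yy.zzzz release part and compare it as a [version], not as text.
    function ConvertTo-ReleaseVersion([string]$s) {
        if ($s -match 'R(\d+)\.(\d+)\.(\d+)') {
            return [version]('{0}.{1}.{2}' -f [int]$Matches[1], [int]$Matches[2], [int]$Matches[3])
        }
        throw "No Rxx.yy.zzzz release found in BIOS ID '$s'"
    }
    return (ConvertTo-ReleaseVersion $BiosId) -ge (ConvertTo-ReleaseVersion $Minimum)
}

function Get-NodeReadiness {
    $info = Get-ComputerInfo
    # BiosVersion is a string array; join it so the regex sees every part.
    $biosId = ($info.BiosVersion -join ' ')
    # Assumption: the BitLocker module is available (it is on Azure Local).
    # A RecoveryPassword protector must exist before it can have been
    # escrowed; confirm the escrow itself with Get-AsRecoveryKeyInfo or AD.
    $osVol = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $hasRecovery = [bool]($osVol.KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword')

    $checks = [ordered]@{
        'Firmware type is UEFI'             = ($info.BiosFirmwareType -eq 'Uefi')
        'Secure Boot is enabled'            = (Confirm-SecureBootUEFI)
        'BIOS is at or above R01.02.0004'   = (Test-BiosAtLeast -BiosId $biosId)
        'OS volume has a recovery password' = $hasRecovery
        'All physical disks healthy'        = -not (Get-PhysicalDisk |
            Where-Object HealthStatus -ne 'Healthy')
        'No storage jobs in progress'       = -not (Get-StorageJob |
            Where-Object JobState -ne 'Completed')
    }
    $checks.GetEnumerator() |
        ForEach-Object { [pscustomobject]@{ Check = $_.Key; Pass = $_.Value } }
}

Get-NodeReadiness | Format-Table -AutoSize
```

Any row with Pass = False is something to raise in the support ticket before the maintenance window is scheduled.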

What to expect during the update

  • A blank-screen firmware window (~13+ minutes per reboot) — the screen is blank and the blue ID LED is solid. The node may also reboot a second time on its own to update the BIOS recovery region. This is normal. Do not pull power, reset, or power-cycle during these windows.
  • One mandatory BIOS Setup checkpoint. The update resets BIOS settings to factory defaults, so after the firmware reset you must press F2 and set the OS storage controller back to RAID Mode before Windows boots — otherwise the OS volume is invisible and the node will not boot. The full procedure walks through this step.
  • No data loss. Only BIOS settings revert to defaults; your data and storage pool are untouched.
  • Some OS-side servicing follows. On Azure Local 24H2 (release 2603+) the remaining Secure Boot servicing is handled automatically; on other versions it arrives via Windows Update. DataON will explain what applies to your environment.

Full procedure

A complete step-by-step procedure (firmware update, the separate Secure Boot key step, the mandatory BIOS Setup checkpoint, and verification) exists for the 7000-series. DataON Support will provide it when your update is scheduled — just reference this article in your ticket.