The older Secure Boot certificates (issued in 2011) begin expiring in June 2026. The HPE Azure Stack Hub update bundle 4.5 includes the new certificates (2023) for the HPE Azure Stack Hub Gen10 solutions.

Once Secure Boot certificates expire, servers will no longer receive security updates for the early boot process (Windows boot manager, Secure Boot databases, etc).

To enable new Secure Boot certificates, install the supported BIOS version on each server. Resetting "All Keys to Platform Defaults" is required to activate the new certificate after the BIOS is updated.

For additional information, refer to the following URLs:
- Microsoft - Windows Secure Boot certificate expiration and CA updates
- (Revision) Microsoft Windows - Information About Windows UEFI CA 2023 Certificate

All HPE Azure Stack Hub Gen10 solutions are affected.

To mitigate and anticipate any issue, perform the following steps:

- Download and update the latest BIOS version.
- Download and update to the following Microsoft Azure Stack Hub Solution Update Bundle:
  HPE ProLiant for Microsoft Azure Stack Hub 4.5.0.10 Solution Update Bundle Version 4.5.0.10.
- Suspend BitLocker. If not, back up the BitLocker recovery password:
  - HLH (Management node): Get the password by executing the following command:

        Manage-bde -protectors -get c:

  - MAS (Compute nodes): Get the password from HLH OAW VM by executing the following PowerShell commands:

        $cred = Get-Credential
        Enter-PSSession -ComputerName <IP Address of ERCS> -ConfigurationName PrivilegedEndpoint -Credential $cred
        Get-AzsRecoveryKeys

- Drain the node if the system is in the cluster. For additional information, refer to the following URL:
  Microsoft Build 2026 - Powering off scale unit nodes
- Reboot the server and press F9 to enter System Utilities.
- Navigate to the following path:
  System Configuration -> BIOS/Platform Configuration (RBSU) -> Server Security -> Secure Boot Settings
- Enter the Advanced Secure Boot Options menu.
- Select "Reset All Keys to Platform Defaults".
  Notes:
  - This is required to activate CA2023 after installing the latest BIOS.
  - This action will delete all customer keys that were enrolled by customers.
  - The "Reset All Keys to Platform Defaults" feature will change the Secure Boot setting from "Enabled" to "Disabled"; therefore, the user will need to enable Secure Boot again.
- Confirm the selection by clicking "Yes".
- Reboot/Power Cycle the server and press F9 to enter System Utilities.
- If Secure Boot is disabled, enable Secure Boot.
- Reboot the system.
- Resume the BitLocker. If BitLocker was not suspended in step 2, the BitLocker recovery screen appears at startup. Enter the recovery key.
- Resume the node if this system is in the cluster. For additional information, refer to the following URL:
  Microsoft Build 2026 - Powering on a scale unit node

Disclaimer: One or more of the links above will take you outside the HPE website. HPE is not responsible for content outside of its domain.

Operating Systems Affected: Microsoft Windows Server 2019, Microsoft Windows Server 2022
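
A post-procedure check for the steps above, as an added example that is not HPE's or Microsoft's own script: it reports whether Secure Boot was re-enabled after the key reset, whether the 2023 CA is present in the Secure Boot db, and whether BitLocker protection was resumed. It assumes an elevated PowerShell session on the HLH after the final reboot; the function name Test-SecureBootCa2023 is hypothetical, and matching the subject text "Windows UEFI CA 2023" in the db is an assumption about how the certificate is named there.

```powershell
# Added example (not from the advisory). Run elevated on a UEFI-booted host.
function Test-SecureBootCa2023 {
    [CmdletBinding()]
    param(
        # Assumption: the 2023 CA is recognizable by this subject text in the db.
        [string]$CertificateName = 'Windows UEFI CA 2023',
        [string]$MountPoint = 'C:'
    )

    # Confirm-SecureBootUEFI returns $true only when Secure Boot is enabled.
    # "Reset All Keys to Platform Defaults" leaves it disabled until re-enabled.
    $secureBootOn = $false
    try { $secureBootOn = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { Write-Warning "Secure Boot state unavailable: $($_.Exception.Message)" }

    # The db variable is the allowed-signature database as raw bytes;
    # certificate subject names are readable as ASCII inside it.
    $ca2023Present = $false
    try {
        $db = Get-SecureBootUEFI -Name db -ErrorAction Stop
        $text = [System.Text.Encoding]::ASCII.GetString($db.Bytes)
        $ca2023Present = $text -match [regex]::Escape($CertificateName)
    }
    catch { Write-Warning "Could not read Secure Boot db: $($_.Exception.Message)" }

    # ProtectionStatus is Off while BitLocker is suspended, On once resumed.
    $volume = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        SecureBootEnabled = $secureBootOn
        Ca2023InDb        = $ca2023Present
        BitLockerStatus   = if ($volume) { $volume.ProtectionStatus } else { 'Unknown' }
    }
}

$result = Test-SecureBootCa2023
$result | Format-List

# Flag the node if any part of the procedure did not take effect.
if (-not $result.SecureBootEnabled) { Write-Warning 'Secure Boot is still disabled.' }
if (-not $result.Ca2023InDb)        { Write-Warning '2023 CA not found in db; repeat the key reset.' }
if ("$($result.BitLockerStatus)" -ne 'On') { Write-Warning 'BitLocker protection is not resumed.' }
```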