
Secure Boot CA 2023 Guide for Azure Local and Windows Server

Planning / Implementation

Published: 21 May 2026
Form Number: LP2441
PDF size: 26 pages, 968 KB

Abstract

This document provides guidance for Lenovo customers to transition Windows Server and Azure Local environments from Microsoft Secure Boot Certificate Authority (CA) 2011 to CA 2023 to maintain system security and boot integrity as CA 2011 certificates approach expiration in June 2026.

Procedures are outlined for validating the presence and activation of CA 2023 certificates within system firmware and operating system components, including minimum Lenovo UEFI firmware levels and required servicing updates.

Deployment-specific guidance spans existing environments, new installations, and Azure Local solutions, with additional coverage of recovery procedures for common failure conditions such as Secure Boot violations, recovery media incompatibility, and loss of custom Secure Boot keys.

Table of Contents

Introduction
Check Which Certificates Are Installed
   Via PowerShell
   Via UEFI Settings
   Certificate expiration vs revocation
Update Windows Server to Secure Boot CA 2023
   Before You Start
   Scenario: Windows Server environment is already deployed
   Scenario: Windows Server environment is not yet deployed
   Scenario: Azure Local solution running Azure Stack HCI
Recovery Scenarios
   Scenario: Firmware was updated but CA 2023 keys are not present in db
   Scenario: System fails to boot after June 2026 with a Secure Boot violation
   Scenario: BitLocker recovery key prompt appears after Secure Boot key update
   Scenario: Recovery or deployment media fails to boot
   Scenario: Custom Secure Boot keys lost after Restore Factory Keys
   Scenario: Azure Local cluster node fails to rejoin cluster after CA 2023 update
References
Document history
Authors

Related product families

Product families related to this document are the following: