Win11 UEFI Update: Why It Could Brick Your PC
The article explains the role of the legacy UEFI CA 2011 certificate, its upcoming expiration on June 24 2026, how Microsoft’s new CA 2023 certificates coexist, the risks of blacklisting, and what users should know before manually updating or relying on automatic updates to avoid a bricked system.
UEFI certificate landscape
Secure Boot firmware keeps an allowed-signature database (the DB) that holds the Microsoft certificates the article groups together as "CA 2011": the 2011-era CAs under which the Windows boot manager, Linux shim, GPU GOP option ROMs and other device firmware are signed. At boot the firmware verifies each image's Authenticode signature against the certificates in the DB; as long as the signing certificate is present there and not in the DBX blacklist, the signed component loads.
CA 2011 expires on June 24 2026. Microsoft has introduced replacement CA 2023 certificates and, through Windows Update, writes them into the firmware: Windows UEFI CA 2023, Microsoft UEFI CA 2023 and Microsoft Option ROM UEFI CA 2023 go into the DB, while Microsoft Corporation KEK 2K CA 2023 goes into the KEK, the key-exchange-key database whose keys authorise future DB and DBX updates. Updated firmware therefore holds both the old and the new certificates. CA 2011 is not currently listed in the DBX, so components signed with it continue to work.
Effect of expiration
After the expiration date the certificate still works, because UEFI Secure Boot checks only that the signing certificate is present in the DB; it does not evaluate the certificate's validity period. The article's analogy: Windows 7 keeps running years after its official end of life. What expiry does change is the signing side: Microsoft stops issuing new signatures under the expired CA, so boot components and DB/DBX updates released after that date are signed only with the 2023 certificates, and firmware that still lacks them will refuse those newer components.
Microsoft may eventually add CA 2011 to the DBX blacklist. Because a DBX match overrides any DB match, any boot manager, shim, option ROM or other component signed only with CA 2011 would then fail Secure Boot verification, and a system whose boot chain still depends on such a component would not boot.
Planned revocation timeline
In 2023 Microsoft announced a plan to revoke CA 2011 to mitigate the BlackLotus bootkit, to be rolled out in phases. Three years later the revocation has still not been applied, because many devices rely on the certificate and revoking it could break older hardware whose firmware cannot accept the new certificates. No concrete timeline has been published.
Updating the DB manually
To add the CA 2023 certificates manually, the three signing CAs are written into the UEFI DB (the allow-list, not the DBX) and the KEK certificate into the KEK. The four certificate download URLs are:
Windows UEFI CA 2023: https://go.microsoft.com/fwlink/?linkid=2239776
Microsoft Corporation KEK 2K CA 2023: https://go.microsoft.com/fwlink/p/?linkid=2239775
Microsoft UEFI CA 2023: https://go.microsoft.com/fwlink/?linkid=2239872
Microsoft Option ROM UEFI CA 2023: https://go.microsoft.com/fwlink/?linkid=2284009
Manual import requires familiarity with UEFI/BIOS internals and a tested recovery method. Two caveats: the DB and KEK are authenticated variables, so a write from the running OS is accepted only if it is signed by a key already in the KEK (or the PK), which is how Microsoft's own update objects are authorised; writing the downloaded certificate files directly therefore has to go through the firmware's own key-management setup menu, where one exists. And some motherboards have limited NVRAM (e.g., 64 KB or 128 KB) or firmware bugs that reject the new certificates, which can leave the system unbootable if a partially applied update cannot be rolled back.
Verification tool
A Chinese‑localized detection tool (download link: https://pan.baidu.com/s/1bnXldEbXVW-ExE73gwdBSg?pwd=heu8, extraction code: heu8) checks whether the CA 2023 certificates are present in the UEFI DB.
Reference
Microsoft Secure Boot key creation and management guidance: https://learn.microsoft.com/zh-cn/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11#signature-databases-db-and-dbx
Original article (translated from Chinese)
Source | Reprinted with permission from 知彼而知己 (ID: heu168)
Author | 知彼而知己
I have already written several articles explaining the UEFI CA 2023 certificate update, but judging from the comments, many readers still have it wrong. Whether this certificate needs updating really does matter: make sure you understand how it works before you act, and otherwise don't act at all. This time I have drawn a diagram; I refuse to believe anyone can still misunderstand it~
Your motherboard's UEFI firmware currently holds a certificate, "CA 2011", and Windows, Linux, graphics-card GOP drivers and all sorts of device firmware drivers are signed with it. When the PC boots, the firmware checks whether those signatures match a certificate it holds. As the diagram shows, as long as this certificate is in the motherboard, your OS, WinPE, hardware and so on all pass verification. The certificate is the pass! Only once it is blacklisted (written into the UEFI DBX) will everything signed with it be refused.
But CA 2011 is old and expires on June 24, 2026. Microsoft is now moving to the next generation: the latest Windows builds, for example, are signed with CA 2023, and through Windows Update Microsoft writes CA 2023 into the motherboard's UEFI. So the UEFI now holds both the old and the new certificate sets, and matching either one passes verification. The old certificate will expire, but Microsoft has not blacklisted it.
Some readers ask: what happens after June 24, 2026, once CA 2011 has expired?
Answer: for now there is no impact at all; it keeps running normally after expiry, because the firmware never looks at a certificate's validity dates, only at whether it is in the DB. By analogy: Windows 7 "expired" years ago, and plenty of people still use it normally.
Still, sooner or later Microsoft will put CA 2011 on the blacklist (DBX). From then on, Windows and the device firmware drivers (graphics cards, network cards, disks, etc.) signed with CA 2011 will no longer run.
So when exactly will Microsoft revoke the CA 2011 certificate?
Answer: in 2023, to address the BlackLotus bootkit vulnerability, Microsoft's proposed fix was to revoke the CA 2011 certificate, phased in for safety. Three years on, the certificate still has not been revoked, because the impact would be large: a great deal of device firmware is also signed with CA 2011 and might stop working, so Microsoft does not yet dare to roll it out fully. No firm date has been announced. I covered this in earlier articles; it bears repeating here.
So does UEFI CA 2023 need to be updated?
By this point you should be able to judge for yourself.
Microsoft actually provides four new certificates, and many people in the comments asked how to tell whether the update has succeeded. The detection tool from the previous article (download link at the end of this article) answers that. Two things must both be true: Microsoft must have staged the certificates, and they must have been written into the UEFI allow-list (DB); only then does the update count as successful. A few of the comment questions are typical; they follow as screenshots.
Comment 1, Comment 2, Comment 3: [screenshots not reproduced]
Comment 4: [screenshot not reproduced]. The first half of this reader's comment is entirely correct. The second half I don't think is entirely right: Microsoft can legitimately sign DB/DBX update packages with the authorised KEK certificate, and the firmware only checks that the signature is valid; it does not actively refuse an update. But many older motherboards, because of insufficient NVRAM (for example only 64 KB or 128 KB) or bugs in the vendor's firmware, refuse to write the update, and there is genuinely nothing Microsoft can do about that. That is also why this certificate update is so complicated.
Microsoft documents these four certificates in detail and provides download links. Although you can import them into the UEFI DB by hand, doing so is generally not recommended unless you know UEFI/BIOS well and know how to recover if it fails.
Windows UEFI CA 2023: https://go.microsoft.com/fwlink/?linkid=2239776
Microsoft Corporation KEK 2K CA 2023: https://go.microsoft.com/fwlink/p/?linkid=2239775
Microsoft UEFI CA 2023: https://go.microsoft.com/fwlink/?linkid=2239872
Microsoft Option ROM UEFI CA 2023: https://go.microsoft.com/fwlink/?linkid=2284009
Microsoft's detailed documentation: https://learn.microsoft.com/zh-cn/windows-hardware/manufacture/desktop/windows-secure-boot-key-creation-and-management-guidance?view=windows-11#14-signature-databases-db-and-dbx
Everything above can in fact simply be left to Microsoft's automatic updates. A failed manual operation can leave the PC unable to boot and so on; these problems are all fixable and do not physically damage the machine, but if you don't understand the underlying mechanism you may not be able to find the fix, and to you the PC is then effectively a brick~
If you still find this complicated, my advice is: until you have understood it, it is best to do nothing at all~
Finally, one more detection tool. The English version was provided earlier; this is a Chinese-localised build.
Detection tool download: https://pan.baidu.com/s/1bnXldEbXVW-ExE73gwdBSg?pwd=heu8
Extraction code: heu8
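The detection tool linked above and the one in the "Verification tool" section earlier on this page are closed binaries. What follows is an added example written for this page, not the tool's or Microsoft's code, showing what such a check does with the raw db/dbx variable contents: it parses the UEFI EFI_SIGNATURE_LIST format, pulls the subject CN and notAfter out of each X.509 entry with a minimal DER walk, and then models the firmware's decision, where a dbx match is rejected first, a db match is accepted, and the validity period is never consulted (the verdict function takes no clock at all, which is exactly why an expired CA 2011 still boots). Assumptions not taken from the article: the subject names used (Microsoft Corporation UEFI CA 2011 for the third-party CA, Microsoft UEFI CA 2023 for its replacement) are the names those real certificates carry, but the sample certificates and the SHA-256 hash entry are constructed stand-ins with empty keys and signatures, the 2023 expiry date is a placeholder, and the verdict matches a signer by subject CN where real firmware verifies the Authenticode chain against the certificate itself. To run it against a real machine, dump the variable first: on Windows, [IO.File]::WriteAllBytes('db.bin', (Get-SecureBootUEFI db).bytes) in an elevated PowerShell and pass open('db.bin', 'rb').read() to describe(); on Linux, read /sys/firmware/efi/efivars/db-d719b2cb-3d3a-4596-a3bc-dad00e67656f and drop its 4-byte attribute prefix.

```python
import struct
import uuid
from datetime import datetime

EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")    # UEFI spec value
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")  # UEFI spec value
OID_CN = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3

def der_children(buf):
    """Split a DER byte string into its top-level (tag, value) elements; long-form lengths handled."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                      # long form: low 7 bits give the length-of-length
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def cert_subject_cn_and_expiry(cert):
    """Walk Certificate -> tbsCertificate positionally; return (subject CN, notAfter as datetime)."""
    (_, cert_body), = der_children(cert)        # Certificate ::= SEQUENCE { tbsCertificate, alg, sig }
    fields = der_children(der_children(cert_body)[0][1])
    if fields[0][0] == 0xA0:                    # explicit [0] version, present in every v3 certificate
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    tag, not_after = der_children(fields[3][1])[1]
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"   # UTCTime vs GeneralizedTime
    cn = None
    for _, rdn in der_children(fields[4][1]):   # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if oid == OID_CN:
                cn = val.decode("utf-8")
    return cn, datetime.strptime(not_after.decode(), fmt)

def parse_signature_lists(data):
    """Yield (SignatureType, SignatureOwner, SignatureData) for every EFI_SIGNATURE_DATA in a db/dbx blob."""
    pos = 0
    while pos + 28 <= len(data):
        sig_type = uuid.UUID(bytes_le=data[pos:pos + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", data, pos + 16)
        if list_size < 28 or sig_size <= 16:
            raise ValueError("corrupt EFI_SIGNATURE_LIST header at offset %d" % pos)
        entry = pos + 28 + hdr_size
        while entry + sig_size <= pos + list_size:
            yield sig_type, uuid.UUID(bytes_le=data[entry:entry + 16]), data[entry + 16:entry + sig_size]
            entry += sig_size
        pos += list_size

def describe(data):
    """Return ({subject CN: notAfter} for X.509 entries, {hex digest} for SHA-256 entries)."""
    certs, hashes = {}, set()
    for sig_type, _, payload in parse_signature_lists(data):
        if sig_type == EFI_CERT_X509_GUID:
            cn, expiry = cert_subject_cn_and_expiry(payload)
            certs[cn] = expiry
        elif sig_type == EFI_CERT_SHA256_GUID:
            hashes.add(payload.hex())
    return certs, hashes

def verdict(db, dbx, signer_cn, image_sha256):
    """Simplified firmware policy: a dbx match rejects first, then db must match; notAfter is never read."""
    db_certs, db_hashes = describe(db)
    dbx_certs, dbx_hashes = describe(dbx)
    if image_sha256 in dbx_hashes or signer_cn in dbx_certs:
        return "denied: revoked by dbx"
    if image_sha256 in db_hashes or signer_cn in db_certs:
        return "allowed"
    return "denied: no matching db entry"

# ---- constructed sample data: unsigned stand-in certificates, not Microsoft's real ones ----
def _der(tag, body):
    n, k = len(body), (len(body).bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body

def fake_ca_cert(cn, not_after):
    """Certificate with a correct TBSCertificate layout but empty key and signature fields."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, b"110101000000Z") + _der(0x17, not_after.encode()))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name + validity + name + _der(0x30, b""))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))

def signature_list(sig_type, payloads):
    """Pack equal-sized payloads into one EFI_SIGNATURE_LIST with a zero SignatureOwner."""
    body = b"".join(uuid.UUID(int=0).bytes_le + p for p in payloads)
    return sig_type.bytes_le + struct.pack("<III", 28 + len(body), 0, 16 + len(payloads[0])) + body

CA_2011 = fake_ca_cert("Microsoft Corporation UEFI CA 2011", "260624000000Z")  # expiry date from the article
CA_2023 = fake_ca_cert("Microsoft UEFI CA 2023", "380101000000Z")              # placeholder expiry
DB_BEFORE = signature_list(EFI_CERT_X509_GUID, [CA_2011]) + signature_list(EFI_CERT_SHA256_GUID, [b"\x11" * 32])
DB_AFTER = DB_BEFORE + signature_list(EFI_CERT_X509_GUID, [CA_2023])   # what a successful update leaves behind
DBX_EMPTY, DBX_REVOKED = b"", signature_list(EFI_CERT_X509_GUID, [CA_2011])  # today vs. after a revocation
```

describe(db)[0] lists every CA subject in the db together with its expiry date, so "Microsoft UEFI CA 2023" in describe(db)[0] is the same presence test the detection tool performs, and the same dictionary shows CA 2011 still trusted past June 2026. verdict(DB_AFTER, DBX_EMPTY, "Microsoft Corporation UEFI CA 2011", ...) is "allowed" while verdict(DB_AFTER, DBX_REVOKED, ...) is "denied: revoked by dbx", which is the whole difference between expiry and revocation. Running describe() on a real dbx also shows how many hash entries it already carries, which is why NVRAM size matters for the update.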
