Surface 安全启动证书
安全启动是基于统一可扩展固件接口 (UEFI) 的固件中的一项安全功能,有助于确保在设备的启动 (启动) 序列期间仅运行受信任的软件。它的工作原理是根据设备固件中存储的一组受信任的数字证书(也称为证书颁发机构或 CA)验证预启动软件的数字签名。作为行业标准,UEFI 安全启动定义了平台固件如何管理证书、对固件进行身份验证,以及作系统 (OS) 如何与此过程交互。
Windows 安全启动证书将于 2026 年到期
为了帮助确保 Windows 设备的安全,Microsoft 正在更新安全启动使用的证书,这是一项安全功能,有助于在启动期间保护设备免受恶意软件的侵害。这些证书最初于 2011 年颁发,将于 2026 年 6 月开始到期。为了保持保护,您的设备需要在此之前收到一组新的证书。对于大多数用户来说,这已经通过通过 Windows 更新提供的 Surface 更新发生,或者将来将通过常规的 Windows 安全更新发生。
这对 Surface 设备有何影响?
从 2023 年开始,Microsoft 开始更新 Surface 设备上的 UEFI 安全启动签名数据库 (DB),以包含“Windows UEFI CA 2023”证书,这些更新通过 Windows 更新安装的 UEFI 固件传递到 Surface 设备。此外,2024 年及以后生产的所有 Surface 设备均带有“Windows UEFI CA 2023”证书。对于本文中未列出的设备,适用针对 Windows 用户的一般指南。
除了更新存储在 UEFI 中的证书外,我们还更新了所有当前受支持(截至 2025 年 9 月)Surface 设备的 Surface 恢复映像。下表显示了哪些设备在 UEFI 中已存在更新的证书 (以及截至哪个版本,如果适用) 和更新的恢复映像状态。
Product Name | Minimum UEFI version with 2023 CA | Recovery image (BMR) updated with 2023 CA | Note |
|---|---|---|---|
Surface Laptop 13-inch | Any (product launched with 2023 CA) | ❌ | 2023 CA-signed BMR will be released in Nov 2025 |
Surface Pro 12-inch | Any (product launched with 2023 CA) | ✅ |
|
Surface Laptop 5G for Business | Any (product launched with 2023 CA) | ✅ |
|
Surface Laptop 7th Edition, Intel processor | Any (product launched with 2023 CA) | ✅ |
|
Surface Pro 11th Edition, Intel processor | Any (product launched with 2023 CA) | ✅ |
|
Surface Pro 11th Edition 5G | Any (product launched with 2023 CA) | ✅ |
|
Surface Pro 11th Edition, Snapdragon processor | Any (product launched with 2023 CA) | ✅ |
|
Surface Laptop 7th Edition, Snapdragon processor | Any (product launched with 2023 CA) | ✅ |
|
Surface Laptop 6 for Business | Any (product launched with 2023 CA) | ✅ |
|
Surface Pro 10 with 5G | Any (product launched with 2023 CA) | ✅ |
|
Surface Pro 10 for Business | Any (product launched with 2023 CA) | ❌ | 2023 CA-signed BMR will be released in Oct 2025 |
Surface Hub 3 | Any (product launched with 2023 CA) | ❌ | 2023 CA-signed BMR will be released in Nov 20251 |
Surface Go 4 | 8.200.143.0 | ✅ |
|
Surface Laptop Go 3 | 10.200.143.0 | ✅ |
|
Surface Laptop Studio 2 | 16.200.143.0 | ❌ | 2023 CA-signed BMR will be released in Oct 2025 |
Surface Laptop 5 | 9.200.143.0 | ✅ |
|
Surface Pro 9 | 12.200.143.0 | ✅ |
|
Surface Pro 9 with 5G | 18.7.235.0 | ❌ | 2023 CA-signed BMR will be released in Nov 2025 |
Windows Dev Kit 2023 | 12.6.235.0 | ❌ | 2023 CA-signed BMR will be released in Nov 2025 |
Surface Studio 2+ | 20.101.143.0 | ❌ | 2023 CA-signed BMR will be released in Oct 2025 |
Surface Laptop Go 2 | 26.102.143.0 | ❌ | 2023 CA-signed BMR will be released in Nov 2025 |
Surface Laptop SE | 7.9.139.0 | ✅ |
|
Surface Pro X WiFi | 10.703.140.0 | ❌ | 2023 CA-signed BMR will be released in Nov 2025 |
Surface Go 3 | 11.200.143.0 | ✅ |
|
Surface Pro 8 | 23.200.143.0 | ✅ |
|
Surface Laptop Studio | 23.200.143.0 | ✅ |
|
Surface Laptop 4 (Intel) | 23.200.143.0 | ✅ |
|
Surface Laptop 4 (AMD) | 4.200.140.0 | ❌ | 2023 CA-signed BMR will be released in Nov 2025 |
Surface Pro 7+ | 23.200.143.0 | ✅ |
|
Surface Pro 7 | 17.200.140.0 | ✅ |
|
Surface Book 3 | 17.200.140.0 | ❌ | 2023 CA-signed BMR will be released in Nov 2025 |
1Surface Hub 3 recovery images can be used with Hub 2S devices that have been migrated to Windows 11.