First published on MSDN on Jul 26, 2016
Last year, we announced (https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/04/01/driver-signing-changes-in-windows-10/) that beginning with the release of Windows 10, all new Windows 10 kernel mode drivers must be submitted to the Windows Hardware Developer Center Dashboard portal (https://developer.microsoft.com/en-us/windows/hardware/dashboard-sign-in) to be digitally signed by Microsoft. However, due to technical and ecosystem readiness issues, this was not enforced by Windows Code Integrity and remained only a policy statement.
Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal. OS signing enforcement is only for new OS installations; systems upgraded from an earlier OS to Windows 10, version 1607 will not be affected by this change.
We’re making these changes to help make Windows more secure. These changes limit the risk of an end-user system being compromised by malicious driver software.
If you are a driver developer, here is what you need to do:
- Ensure that you submit new drivers to Microsoft via the Windows Hardware Developer Center Dashboard portal (https://developer.microsoft.com/en-us/windows/hardware/dashboard-sign-in).
- Begin the process described at https://docs.microsoft.com/en-us/windows-hardware/drivers/dashboard/driver-signing. All drivers submitted to the portal must be signed by an EV certificate.
FAQs
What are the exact exceptions? Are cross-signed drivers still valid?
Enforcement only happens on fresh installations, with Secure Boot on, and only applies to new kernel mode drivers:
- PCs upgrading from a release of Windows prior to Windows 10 Version 1607 will still permit installation of cross-signed drivers.
- PCs with Secure Boot OFF will still permit installation of cross-signed drivers.
- Drivers signed with an end-entity certificate issued prior to July 29th, 2015 that chains to a supported cross-signed CA will continue to be allowed.
- To prevent systems from failing to boot properly, boot drivers will not be blocked, but they will be removed by the Program Compatibility Assistant. Future versions of Windows will block boot drivers.
To summarize, on non-upgraded fresh installations of Windows 10, version 1607 with Secure Boot ON, drivers must be signed by Microsoft or with an end-entity certificate issued prior to July 29th, 2015 that chains to a supported cross-signed CA.
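As an added example (not part of the original post), the following PowerShell check reads the signer certificate from a driver package's files and reports which of the enforcement criteria above each one meets. Catalog-signed drivers carry their signature in the .cat file, so pass the .cat alongside the .sys. File paths are placeholders; the WHQL signer name match and the use of the certificate's NotBefore date as its issuance date are assumptions, and the script does not verify that a legacy certificate chains to a supported cross-signed CA, nor whether the OS was freshly installed rather than upgraded, so its verdict is advisory.

```powershell
# Added example, not code from the original post.
# Audits driver files against the Windows 10, version 1607 signing enforcement rules:
#   pass if signed by Microsoft (WHQL), or by an end-entity certificate issued
#   before 2015-07-29 (chain to a cross-signed CA is NOT checked here).

$EnforcementCutoff  = Get-Date '2015-07-29'
# Assumption: subject string used on Microsoft-signed (WHQL) driver catalogs.
$WhqlSignerPattern  = 'Microsoft Windows Hardware Compatibility Publisher'

function Test-DriverSigningEnforcement {
    param(
        [Parameter(Mandatory)][string[]]$Path   # .cat and/or .sys files to inspect
    )
    foreach ($file in $Path) {
        # Get-AuthenticodeSignature checks an embedded signature only; a .sys whose
        # signature lives in the package .cat will report NotSigned here.
        $sig  = Get-AuthenticodeSignature -FilePath $file
        $cert = $sig.SignerCertificate

        $result = [ordered]@{
            File                            = $file
            Status                          = $sig.Status
            Signer                          = if ($cert) { $cert.Subject }   else { $null }
            Issuer                          = if ($cert) { $cert.Issuer }    else { $null }
            IssuedOn                        = if ($cert) { $cert.NotBefore } else { $null }
            MicrosoftSigned                 = $false
            LegacyCertBeforeCutoff          = $false
            PassesOnFreshInstallSecureBoot  = $false
        }

        if ($sig.Status -eq 'Valid' -and $cert) {
            $result.MicrosoftSigned        = $cert.Subject -like "*$WhqlSignerPattern*"
            # Assumption: NotBefore approximates the date the end-entity cert was issued.
            $result.LegacyCertBeforeCutoff = $cert.NotBefore -lt $EnforcementCutoff
            $result.PassesOnFreshInstallSecureBoot =
                $result.MicrosoftSigned -or $result.LegacyCertBeforeCutoff
        }
        [pscustomobject]$result
    }
}

function Get-EnforcementContext {
    # Enforcement applies only with Secure Boot ON (and only on fresh installs).
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; treat that as OFF.
    try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
    [pscustomobject]@{
        OSVersion          = [Environment]::OSVersion.Version
        SecureBootOn       = $secureBoot
        # Fresh-install vs. upgrade cannot be determined reliably here; treat as unknown.
        EnforcementApplies = $secureBoot
    }
}

# Usage with placeholder paths:
# Get-EnforcementContext
# Test-DriverSigningEnforcement -Path 'C:\drivers\contoso\contoso.cat',
#                                     'C:\drivers\contoso\contoso.sys' | Format-List
```

A file that reports MicrosoftSigned = False and LegacyCertBeforeCutoff = False with Status = Valid is the case the post is about: a cross-signed driver that loads on upgraded or Secure-Boot-OFF systems but will be refused on a fresh version 1607 installation with Secure Boot ON.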
What about existing drivers? Do I need to re-sign these drivers to get them to work with Windows 10, version 1607?
No. Existing drivers do not need to be re-signed. To ensure backwards compatibility, drivers which are properly signed by a cross-signed certificate (https://msdn.microsoft.com/en-us/library/windows/hardware/ff548231(v=vs.85).aspx) issued prior to July 29th, 2015 will continue to pass signing checks on Windows 10, version 1607.
What about older versions of Windows?
The changes described in this post apply only to Windows 10, version 1607. Please note that the https://developer.microsoft.com/en-us/windows/hardware/dashboard-sign-in will require all new submissions be signed with an EV Code Signing Certificate no matter what OS you plan to support with your driver package.
How do I sign drivers during development and testing?
Please see the Signing Drivers during Development and Test topic on MSDN (https://msdn.microsoft.com/en-us/windows/hardware/drivers/install/signing-drivers-during-development-and-test) for information on how to test sign. In addition, if Secure Boot is set to OFF, then drivers signed with existing cross-signed certificates will continue to be valid.
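The following is an added PowerShell walk-through of a test-signing setup of the kind the MSDN topic above describes; it is not from the original post, and it uses built-in cmdlets in place of the WDK's makecert/signtool. The certificate subject, file paths and timestamp server URL are placeholders. Note that test-signing mode cannot be enabled while Secure Boot is ON, which matches the post's point that Secure Boot OFF is the development-machine configuration; bcdedit needs an elevated prompt and the change takes effect after a reboot.

```powershell
# Added example, not code from the original post. Run from an elevated prompt.

# 1. Put the test machine into test-signing mode (requires Secure Boot OFF; reboot after).
bcdedit /set testsigning on

# 2. Create a self-signed code-signing certificate for development use only.
#    Subject is a placeholder.
$testCert = New-SelfSignedCertificate -Type CodeSigningCert `
    -Subject 'CN=Contoso Test Signing (placeholder)' `
    -CertStoreLocation 'Cert:\CurrentUser\My'

# 3. Trust the test certificate on the test machine so INF/PnP installation accepts it.
$cerPath = Join-Path $env:TEMP 'ContosoTest.cer'
Export-Certificate -Cert $testCert -FilePath $cerPath | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root'          | Out-Null
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 4. Embed a SHA-256 signature in the driver binary, with a timestamp so the signature
#    outlives the certificate's validity period. Paths and timestamp URL are placeholders.
$driver = 'C:\drivers\contoso\contoso.sys'
Set-AuthenticodeSignature -FilePath $driver -Certificate $testCert `
    -HashAlgorithm SHA256 -TimestampServer 'http://timestamp.digicert.com'

# 5. Confirm the signature is present and chains to the trusted test certificate.
$sig = Get-AuthenticodeSignature -FilePath $driver
"{0}: {1} (signer {2})" -f $driver, $sig.Status, $sig.SignerCertificate.Subject

# When finished with development, leave test-signing mode:
# bcdedit /set testsigning off
```

A driver signed this way loads only on machines in test-signing mode that trust the test certificate; it is not a substitute for the portal signature the post requires on fresh version 1607 installations with Secure Boot ON.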
How do I sign a driver so that it is compatible with Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10?
All you need to do is run the HLK tests for Windows 10 and run the HCK tests for Windows 8.1 and earlier versions as you have in the past. Then, using the Windows 10 HLK, merge the two test logs and submit your driver along with the merged HLK/HCK test results to the Windows Hardware Developer Center Dashboard portal. The portal will sign the driver correctly such that it will work on all platforms that you indicate.
What about Extended Validation Certificate Dev Portal package signing?
The portal currently requires all driver submitters to have a valid EV Code Signing Certificate registered to their account. Windows itself does not have any special requirements for drivers to be signed by EV certificates.
Updated Mar 12, 2019