Back to Home

All kernel-mode drivers for Windows 10 (1607) must now be signed by Microsoft

microsot · kernel · drivers · signing

All kernel-mode drivers for Windows 10 (1607) must now be signed by Microsoft



    Microsoft-signed drivers can be installed without the permission of the owner of the laptop, Microsoft certificate is enough (Source: xkcd.com)

    Last year, Microsoft announced that with the release of Windows 10 all new kernel-mode drivers will need to be confirmed in the Windows Hardware Developer Center , to obtain a digital signature from Microsoft. Due to a number of problems, this innovation did not enter into force, remaining only a notification.

    Now the company decided to implementthis is a change. Starting with version 1607 of the Windows 10 operating system, the OS will not load new kernel-mode drivers that are not signed in the Windows Hardware Developer Center. We are talking only about clean installations of the operating system, and not about upgrades from previous versions of Windows OS to Windows 10. In this case, version 1607 is not affected by changes in policies.

    The corporation claims that changes are required in order to make Windows a more secure operating system. According to Microsoft, with the introduction of the boot mode of only signed kernel drivers, the risk of malware being compromised by the system is significantly reduced.

    If you are a driver developer, then to sign your driver you need to do the following:
    1. Make sure that you send the Microsoft driver throughWindows Hardware Developer Center .
    2. Start the driver certification process using the Extended Validation (EV) Code Signing Certificate . All drivers that are planned to be downloaded for verification must be signed with an EV certificate.

    Microsoft has published a series of answers to additional questions that may arise from the developer or user.

    One question concerns exceptions and cross-certificate drivers:
    • As mentioned above, changes to the driver signing policy apply only to clean installations of Windows 10, and not updates from previous versions of the OS. In the latter case, cross-driver certificates are also valid;
    • PCs with Secure Boot disabled will also skip the installation of such drivers;
    • Drivers who received a cross-certificate before July 29, 2015 remain valid.

    As for other versions of Windows, the changes are relevant only for Windows 10 version 1607. At the same time, the driver can be downloaded to the Windows Hardware Developer Center only with an EV certificate.

    In any case, now, if the developer decided to check the driver on the test machine, he will have to turn off the Secure Boot mode and sign the certificate himself, installing the driver using the appropriate tool.

    Only registered users can participate in the survey. Please come in.

    How do you feel about this initiative?

    • 20.6% Positive, now the OS will definitely become safer 151
    • 52.5% Negative, it only complicates things, the OS will not be safer 385
    • 26.7% I don’t write drivers at all, so I don’t care 196

    Read Next