Windows 11/10 introduces some specific driver signing changes. All new kernel mode drivers must be digitally signed by and submitted to the Windows Hardware Developer Center Dashboard portal.
Driver Signing Changes in Windows 11/10
Starting with new installations of Windows 10 the previously defined driver signing rules will be enforced by the Operating System, and Windows will not load any new kernel mode drivers which are not signed by the Dev Portal. OS signing enforcement is only for new OS installations; systems upgraded from an earlier OS to Windows 10 will not be affected by this change.
The latest versions of Windows 11/10 will load only Kernel mode drivers signed digitally by the Dev Portal. However, the changes will affect only the new installations of the operating system with Secure Boot on. The non-upgraded fresh installations would require drivers signed by Microsoft.
Please note that you will not need to re-sign the existing drivers on your Windows PC, to get them to work on your upgraded version of Windows The drivers which are issued before July 29, 2016, and are signed by some valid signing certificate will continue to work on the Windows 10, version 1607.
The new signing policy, however, includes many exceptions, and the major ones are:
- PCs upgraded to Windows 10 Build 1607 from a previous version of Windows (for instance Windows 10 version 1511) are not affected by the change.
- PCs without Secure Boot functionality, or Secure Boot off, are not affected either.
- All drivers signed with cross-signing certificates that were issued prior to July 29, 2015, will continue to work.
- Boot drivers won’t be blocked to prevent systems from failing to boot. They will be removed by the Program Compatibility Assistant, however.
- The change affects only Windows 10 Version 1607. All previous versions of Windows are not affected.
The signing changes described by Microsoft are applicable only on version 1607 of Windows 10. Please note that the new submissions signed with an EV Code Signing Certificate are required for the Windows Hardware Developer Center Dashboard portal, regardless of which operating system you have.
As mentioned earlier the policy changes are applicable only if the Secure Boot is ON, if not, the drivers signed with existing cross-signed certificates will work.
If you are looking for some way to sign a driver compatible with all versions of Windows, you first need to run the HLK tests for the latest Windows 10 and the HCK tests for Windows 8.1 and all other older versions. All you have to do is to merge the two logs and submit the merged results of HLG and HCK tests along with the driver. You need to submit it to the Windows Hardware Developer Center Dashboard portal.
Visit MSDN to learn more about the Driver Signing changes.
What is driver signing in Windows?
When an OEM creates a driver for its hardware, the driver needs to be certified. This is done by associating it with a digital signature. Windows only installs drivers which can authenticate the driver and its integrity with a digital signature. Windows also identify the vendor of the OEM when installing the driver.
How to disable Driver Signature enforcement in Windows?
There are three options available to you to disable Driver Signature enforcement in Windows:
- Use Advanced Boot Menu
- Enable Test Signing Mode
- Disable Device Driver Signing.
You can use any one of these methods.
