Export (0) Print
Expand All

Driver Signing Policy

Starting with 64-bit versions of Windows Vista and later versions of Windows, driver code signing policy requires that all driver code have a digital signature. In addition, certain configurations of 32-bit versions of Windows Vista and later versions of Windows also require driver code to be digitally-signed in order to access next generation premium content that is controlled by the content protection policy. Windows Vista and later versions of Windows rely on digital signatures of these components to increase the safety and stability of the Microsoft Windows platform and enable new customer experiences with next generation premium content.

Digital signatures allow the administrator or end-user who is installing Windows-based software to know whether a legitimate publisher has provided the software package. When users choose to send Windows Error Reporting data to Microsoft after a fault or other error occurs, Microsoft can analyze the data to know which publishers' software was running on the system at the time of the error. Software publishers can then use the information that is provided by Microsoft to find and fix problems in their software.

The driver code signing policy starting with Windows Vista and later versions of Windows requires that the following types of drivers have digital signatures:

  • For 64-bit versions of Windows, all kernel mode software, including, but not limited to, kernel-mode device drivers.

  • For 64-bit versions of Windows, user mode drivers, such as printer drivers.

  • Drivers that stream protected content. This includes audio drivers that use Protected User Mode Audio (PUMA) and Protected Audio Path (PAP), and video device drivers that handle protected video path-output protection management (PVP-OPM) commands. Information about these requirements is outside the scope of this documentation. For more information about these requirements, see Code-signing for Protected Media Components (Windows Vista and Later).

Starting with Windows 8 UEFI Secure Boot-enabled platforms have additional signing requirements, including requirements for ARM platforms. The driver code signing policy for 32-bit versions of Windows 8 UEFI Secure Boot-enabled platforms also requires drivers have a digital signature.

The following table lists the signature requirements for different types of drivers based on processor architecture and Secure Boot state.

Secure Boot Enabled Secure Boot Disabled
x86x64ARMx86x64ARM

Kernel Mode Drivers

3rd party boot drivers

Signature Algo

SHA1 or above

Signature type

Embedded or catalog signed

Signature requirement

Standard roots trusted by CI

Signature Algo

SHA256

Signature type

Embedded

Signature requirement

Microsoft Root Authority 2010

WHQL Signature Required

Unsigned drivers allowed

Signature Algo

SHA1 or above

Signature type

Embedded or catalog signed

Signature requirement

Standard roots trusted by CI

N/A (Secure Boot cannot be disabled)

ELAM

ELAM drivers must be signed by the process described here.

Drivers

Signature Algo

SHA1 or above

Signature type

Embedded or catalog signed

Signature requirement

Standard roots trusted by CI

Signature Algo

SHA256

Signature type

Embedded

Signature requirement

Microsoft Root Authority 2010

WHQL Signature Required

Unsigned drivers allowed

Signature Algo

SHA1 or above

Signature type

Embedded or catalog signed

Signature requirement

Standard roots trusted by CI

N/A (Secure Boot cannot be disabled)

 

Be aware that this code signing policy is in addition to the Plug and Play (PnP) device installation signing requirements that affect the installation of a device driver. A developer and publisher of a driver must comply with both the driver code signing requirement for loading a kernel-mode driver and the PnP device installation signing requirements for installing a driver. Also be aware that, although an administrator can authorize the preinstallation of an unsigned kernel-mode driver on a 64-bit system, the administrator cannot subsequently load the unsigned driver during the installation of the driver for a device.

Starting with Windows Vista, driver code signing enforcement is implemented by a component known as Code Integrity. Code Integrity is a feature that improves the security of the operating system by verifying the integrity of a file every time that the image of the file is loaded into memory. The function of Code Integrity is to detect if an unsigned driver is being loaded into kernel-mode, or if a system binary file has been modified by malicious code that may have been run by an administrator.

Starting with Windows Vista, Code Integrity helps ensure that the operating system is running known, identifiable code. Code Integrity generates diagnostic events and a system audit log event when the signature of a kernel module fails to verify correctly. You can use the information logged by Code Integrity to troubleshoot driver load problems.

For development and testing purposes only, enforcement of the driver code signing policy can be temporarily disabled. For more information, see Installing an Unsigned Driver Package during Development and Test.

For general information about how to sign a driver for public release on Windows Vista and later versions of Windows, see Signing Drivers for Public Release (Windows Vista and Later).

For general information about how to test-sign a driver during development and test on Windows Vista and later versions of Windows, see Signing Drivers during Development and Test (Windows Vista and Later).

For more information about driver code signing requirements, see the Digital Signatures for Kernel Modules on Systems Running Windows Vista website.

Note  The information that is provided at that website is also applicable to Windows Server 2008and later versions of Windows.

 

 

Send comments about this topic to Microsoft

Show:
© 2014 Microsoft