Digital Signatures and PnP Device Installation (Windows Vista and Later)

On Windows Vista and later versions of Windows, Plug and Play (PnP) device installation uses the digital signature of a driver package's catalog file to do the following:

  • Verify the identity of the publisher of the driver package. Windows uses the identity to allow users to choose whether to trust a driver's publisher.

  • Determine whether the driver package was altered after it was published.

PnP device installation on Windows Vista and later versions of Windows supports the following types of digital signatures for driver packages:

  • Signature types that can be used for drivers that are released to the general public:
    • Signatures generated by a Windows signing authority for:
      1. Inbox drivers
      2. Drivers certified and signed through the Windows Hardware Quality Labs (WHQL)
      3. Windows Sustained Engineering (SE) updates.
    • Signatures that are not generated by a Windows signing authority, but do comply with the following:
      1. The kernel-mode code signing policy for 64-bit versions of Windows Vista and later versions of Windows.
      2. The PnP device installation signing requirements for 32-bit and 64-bit versions of Windows Vista and later versions of Windows.

      This type of signature is generated by using a Software Publisher Certificate (SPC) that is obtained from a third-party certification authority (CA) that is authorized by Microsoft to issue such certificates.

    • Signatures that are not generated by a Windows signing authority and do not comply with the kernel-mode code signing policy, but do comply with the PnP device installation signing requirements. This type of signature can be used to sign kernel-mode drivers for 32-bit versions of Windows Vista and later versions of Windows. This type of signature is generated by using a commercial release certificate that is obtained from a CA that is a member of the Microsoft Root Certificate Program.
  • Signatures for deploying drivers only within a corporate network, which are created with a certificate issued and managed by an enterprise CA. Detailed information about how to configure an enterprise CA is outside the scope of this documentation.

    For information about how to create an Enterprise CA, see the "Code Signing Best Practices" white paper on the Driver Signing Requirements for Windows website.

  • Signature types that can be used in-house during the development and test of drivers:

Windows Vista and later versions of Windows include the following features that provide support for signatures that are generated by third parties:

  • Administrators can control which driver publishers are trusted. Windows Vista and later versions of Windows install drivers from trusted publishers without prompting, and never install drivers from publishers that the administrator has chosen not to trust.

  • The driver-signing policy is always set to Warn. This eliminates the Ignore and Block options that were available in Windows Server 2003, Windows XP, and Windows 2000. An administrator must always authorize the installation of unsigned drivers or a driver from a publisher that is not yet trusted.

  • All device setup classes are treated equally. On Windows Server 2003, Windows XP, and Windows 2000, a driver package signed by WHQL had to have an INF file that specified a device setup class defined in %SystemRoot%\inf\Certclas.inf; otherwise, Windows treated the driver package as unsigned.

  • Starting with Windows Vista, when there are several compatible drivers to choose from, the ranking algorithm that the operating system uses to select the best driver includes drivers that have third-party signatures.

    This algorithm ranks drivers in the following way:

    • If the AllSignersEqual group policy is disabled, the operating system ranks drivers that are signed with a Microsoft signature higher than drivers that are signed with a third-party signature. This ranking occurs even if a driver that is signed with a third-party signature is, in all other ways, a better match for a device.
    • If the AllSignersEqual group policy is enabled, the operating system ranks all digitally signed drivers equally.

    Note  Starting with Windows 7, the AllSignersEqual group policy is enabled by default. In Windows Vista and Windows Server 2008, the AllSignersEqual group policy is disabled by default. IT departments can override the default ranking behavior by enabling or disabling the AllSignersEqual group policy.

Before installing a driver, Windows analyzes the driver package's digital signature. If a signature is present, Windows uses the signature to validate the files in the driver package. Based on the results of this analysis, Windows categorizes the digital signature as follows:

  • Signed by a Windows signing authority. These drivers are either included in the default installation of Windows (inbox drivers), signed for release by WHQL, or signed by Windows SE.

  • Signed by a trusted publisher. These drivers have been signed by a third party, and the user has explicitly chosen to always trust signed drivers from this publisher.

  • Signed by an untrusted publisher. These drivers have been signed by a third party, and the user has explicitly chosen to never trust drivers from this publisher.

  • Signed by a publisher of unknown trust. These drivers have been signed by a third party, and the user has not indicated whether to trust this publisher.

  • Altered. These drivers are signed, but Windows has detected that at least one file in the driver package has been altered after the package was signed.

  • Unsigned. These drivers are either unsigned or have an invalid signature. Valid signatures must be created by using a certificate that was issued by a trusted CA.
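The classification above can be reproduced from a PowerShell prompt. The following script is an added example and is not code from the article or from Microsoft: it locates the catalog named in the INF, checks the catalog's Authenticode signature, checks the package files against the catalog hashes, and then looks the signer up in the Disallowed and TrustedPublisher certificate stores. Three things in it are assumptions rather than documented behaviour: Test-FileCatalog (Windows PowerShell 5.1 and later) stands in for the installer's own file-to-catalog comparison, the Windows-signing-authority test is a subject-name heuristic, and the sample path is a placeholder.

```powershell
# Added example, not code from the original article: classify a driver
# package's catalog signature into the categories the article lists.
# Needs Windows PowerShell 5.1 or later on Windows (for Test-FileCatalog).
# Assumptions not taken from the article: the Windows-signing-authority test
# is a subject-name heuristic, and Test-FileCatalog stands in for the
# installer's own "do the files still match the catalog" check.

function Get-DriverPackageSignatureCategory {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$InfPath)

    $InfPath    = (Resolve-Path $InfPath).Path
    $packageDir = Split-Path $InfPath -Parent

    function New-Result([string]$Category, [string]$Reason, $Signer) {
        $subject = $null; $thumb = $null
        if ($Signer) { $subject = $Signer.Subject; $thumb = $Signer.Thumbprint }
        [pscustomobject]@{ Category = $Category; Reason = $Reason; Signer = $subject; Thumbprint = $thumb }
    }

    # The [Version] section names the catalog, optionally per architecture
    # (CatalogFile=, CatalogFile.NTamd64=, ...). The first one found is used.
    $catName = $null
    foreach ($line in Get-Content $InfPath) {
        if ($line -match '^\s*CatalogFile(\.\w+)?\s*=\s*"?([^"\s;]+)') { $catName = $Matches[2]; break }
    }
    if (-not $catName) { return New-Result 'Unsigned' 'INF names no CatalogFile' $null }

    $catPath = Join-Path $packageDir $catName
    if (-not (Test-Path $catPath)) { return New-Result 'Unsigned' "catalog $catName is not in the package" $null }

    # Step 1: is the catalog's own signature intact and chained to a trusted CA?
    $sig = Get-AuthenticodeSignature -FilePath $catPath
    if ($sig.Status -eq 'HashMismatch') {
        return New-Result 'Altered' 'the catalog content no longer matches its signature' $sig.SignerCertificate
    }
    if ($sig.Status -ne 'Valid') {
        # NotSigned, NotTrusted (no trusted CA in the chain), UnknownError, ...
        return New-Result 'Unsigned' "catalog signature status is $($sig.Status)" $sig.SignerCertificate
    }

    # Step 2: do the files on disk still match the hashes recorded in the catalog?
    # The catalog cannot list itself, so it is skipped. Any mismatch fails closed.
    $check = Test-FileCatalog -CatalogFilePath $catPath -Path $packageDir `
                              -FilesToSkip (Split-Path $catPath -Leaf) -Detailed
    if ($check.Status -ne 'Valid') {
        return New-Result 'Altered' 'a package file differs from, or is not listed in, the catalog' $sig.SignerCertificate
    }

    # Step 3: who signed it, and has this machine already decided about them?
    $signer = $sig.SignerCertificate
    $tp     = $signer.Thumbprint
    # Assumption: WHQL and inbox catalogs carry one of these Microsoft subject names.
    foreach ($s in 'CN=Microsoft Windows Hardware Compatibility Publisher', 'CN=Microsoft Windows') {
        if ($signer.Subject -eq $s -or $signer.Subject -like "$s,*") {
            return New-Result 'Windows signing authority' 'WHQL or inbox signer' $signer
        }
    }
    function Test-InStore([string]$StorePath) {
        [bool](Get-ChildItem $StorePath -ErrorAction SilentlyContinue | Where-Object { $_.Thumbprint -eq $tp })
    }
    # An explicit "never trust" decision wins over an "always trust" one.
    if ((Test-InStore 'Cert:\LocalMachine\Disallowed') -or (Test-InStore 'Cert:\CurrentUser\Disallowed')) {
        return New-Result 'Untrusted publisher' 'signer is in the Disallowed store' $signer
    }
    if ((Test-InStore 'Cert:\LocalMachine\TrustedPublisher') -or (Test-InStore 'Cert:\CurrentUser\TrustedPublisher')) {
        return New-Result 'Trusted publisher' 'signer is in the TrustedPublisher store' $signer
    }
    New-Result 'Publisher of unknown trust' 'valid third-party signature, no trust decision recorded' $signer
}

# Usage (the path is a placeholder for a real package directory):
# Get-DriverPackageSignatureCategory -InfPath 'C:\drivers\vendor\vendor.inf'
```

Two caveats when reading the result. A Valid status from Get-AuthenticodeSignature only says the chain ends at a root this machine trusts; it does not by itself say the signer may sign kernel-mode code, so on 64-bit systems the kernel-mode code signing policy is still checked separately at load time. And Test-FileCatalog reports ValidationFailed both for a modified file and for a file the catalog never listed; inspect the CatalogItems and PathItems of the -Detailed output to tell the two apart before deciding the package was tampered with.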

Starting with Windows Vista, when the operating system installs a driver on a computer for the first time, it preinstalls, or stages, the driver in the driver store. To preinstall a driver, Windows copies the driver package to the driver store and saves a copy of the driver package's INF file in the system INF directory. Windows subsequently will silently install a driver for a matching device by using the copy of the driver package in the driver store. User interaction is not required when Windows installs a preinstalled driver for a device.

Whether Windows will preinstall a driver package depends on the signature category, user credentials, and user interaction, as follows:

  • Signed by a Windows signing authority or a trusted publisher. Windows silently preinstalls the driver package for system administrators and standard users (users without administrator credentials). Windows does not display any user dialog boxes.

  • Signed by an untrusted publisher. Windows does not preinstall the driver package.

  • Signed by a publisher of unknown trust. Windows displays a dialog box to a system administrator that informs the administrator that the publisher of the driver package is not yet trusted. The dialog box provides the administrator the option to install the driver package and the option to always trust the publisher. Windows does not display a dialog box to a standard user and does not preinstall the driver package for the standard user.

  • Altered or unsigned. Windows displays a dialog box that appropriately warns a system administrator that the signature could not be verified. The dialog box provides the administrator the option to install or not to install the driver package. Windows does not display a dialog box to a standard user and does not preinstall the driver package for a standard user.
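The staging rules above, together with the administrator controls described earlier (a publisher can be trusted or explicitly distrusted), translate into two administrative actions: recording the trust decision in the machine certificate stores, and preinstalling the package. The following script is an added example and is not code from the article or from Microsoft. It assumes the pnputil /add-driver syntax (Windows 10 and later; older systems use "pnputil -a <inf>"), uses Get-WindowsDriver for the follow-up check, and the sample paths are placeholders.

```powershell
# Added example, not code from the original article: record a trust decision
# for a package's publisher, then preinstall (stage) the package with pnputil.
# Run from an elevated prompt. Assumptions not taken from the article:
# the pnputil /add-driver syntax (Windows 10 and later; older systems use
# "pnputil -a <inf>"), Get-WindowsDriver for the follow-up check, and the
# sample paths, which are placeholders.

function Set-DriverPublisherTrust {
    param(
        [Parameter(Mandatory)][string]$CatalogPath,
        [Parameter(Mandatory)][ValidateSet('Trusted', 'Untrusted')][string]$Decision
    )
    $sig = Get-AuthenticodeSignature -FilePath $CatalogPath
    if ($sig.Status -ne 'Valid') {
        throw "Refusing to record trust from a catalog whose signature status is '$($sig.Status)'"
    }
    $cert = $sig.SignerCertificate

    # TrustedPublisher -> "signed by a trusted publisher": staged silently, also for standard users
    # Disallowed       -> "signed by an untrusted publisher": never staged
    $storeName = if ($Decision -eq 'Trusted') { 'TrustedPublisher' } else { 'Disallowed' }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }

    [pscustomobject]@{ Store = "LocalMachine\$storeName"; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint }
}

function Add-DriverPackageToStore {
    param([Parameter(Mandatory)][string]$InfPath)
    $InfPath = (Resolve-Path $InfPath).Path

    # Staging copies the package into the driver store and its INF into
    # %SystemRoot%\inf as oemNN.inf. For a publisher of unknown trust this is
    # where the "not yet trusted" prompt appears; for an untrusted publisher or
    # an unverifiable signature pnputil fails instead.
    $output = & pnputil.exe /add-driver $InfPath 2>&1
    if ($LASTEXITCODE -notin 0, 3010) {   # 3010 = success, reboot required
        throw "pnputil failed with exit code $LASTEXITCODE`n$($output -join "`n")"
    }

    # Show the staged copy: OriginalFileName points into the driver store and
    # Driver is the oemNN.inf name the system now uses for the package.
    $leaf = Split-Path $InfPath -Leaf
    Get-WindowsDriver -Online | Where-Object { $_.OriginalFileName -like "*\$leaf" } |
        Select-Object Driver, OriginalFileName, ProviderName, ClassName, Version
}

# Usage (elevated; paths are placeholders):
# Set-DriverPublisherTrust -CatalogPath 'C:\drivers\vendor\vendor.cat' -Decision Trusted
# Add-DriverPackageToStore -InfPath 'C:\drivers\vendor\vendor.inf'
```

Both store changes are broad. A certificate added to LocalMachine\TrustedPublisher makes every future package that publisher signs stage silently for every user on the machine, and a certificate in LocalMachine\Disallowed is distrusted for all purposes, not only driver installation. Keep the TrustedPublisher store small and review it periodically with Get-ChildItem Cert:\LocalMachine\TrustedPublisher; for fleet deployment, distribute the publisher certificate through Group Policy rather than by hand so the trust decision is auditable.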

For more information about driver signatures and installation, see Signature Categories and Driver Installation.

For more information about driver signing and PnP device installation on Windows Vista and later versions of Windows, download the files "Step by Step Guide to Controlling Device Installation and Usage with Group Policy.doc" and "Step by Step Guide to Device Driver Signing and Staging.doc" that are available on the Windows Vista Step-by-Step Guides for IT Professionals website.

© 2014 Microsoft