Secure boot feature signing requirements for kernel-mode drivers
Platforms
Clients – Windows 8
Servers – Windows Server 2012
Description
In Windows 8 and Windows Server 2012, including WinPE, the kernel has been locked down to prevent malware introduced by boot or root kits from circumventing Windows operating system security requirements for signed drivers.
This change affects all kernel-mode drivers for devices that support unified extensible firmware interface (UEFI) Secure Boot; UEFI Secure Boot is required for Windows 8 certification for client machines, and optional for servers. It does not affect user-mode drivers.
Standard development for kernel-mode drivers involves either the use of kernel mode debugging or the boot configuration data (BCD) <testsigning> setting. Both of these are disabled when Secured Boot is on.
Manifestation
Kernel-mode drivers will not run if they are not properly signed by a trusted certification authority (CA). The operating system will not allow untrusted drivers to run and standard mechanisms like kernel debugging and testsigning will not be permitted.
Mitigation
To test drivers, you must disable Secure Boot in BIOS as well as meet the other test-signing requirements (see below).
When distributing drivers more widely they must be properly signed by a trusted CA.
Resources
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for