Skip to main content

ARM Kits policy information

A new ARM Kits policy (Microsoft-Windows-Kits-Secure-Boot-Policy .p7b) comes with the Windows SDK for Windows 8.1. This policy enables developers to use various Microsoft tools and kits on ARM devices, and at the same time, preserves the integrity of ARM devices that ship with a production policy.

The Kits policy is installed on a machine’s firmware. The Kits policy is the same as the production policy except for that it allows Microsoft Kits ARM binaries to run on an ARM device. The similarity between the two gives developers the confidence that their code and the OS and will work on retail machines that use the Kits policy.

Note: Because the Kits policy is installed in firmware, it persists on the device regardless if the device is rebooted or reimaged.


When to install the Kits policy

Install the Kits policy if you need to run ARM binaries signed with the Microsoft Windows Kits Publisher certificate on ARM devices running Windows RT 8.1. This includes ARM binaries from the Windows SDK for Windows 8.1, the Windows Hardware Certification Kit for Windows 8.1, the Windows Assessment and Deployment Kit (WADK) for Windows 8.1 and the Windows Application Certification Kit (WACK) for Windows 8.1.

Please note that the Kits policy is not required for Windows 8 RT devices.

Use these steps to determine if a file is signed with the Microsoft Windows Kits Publisher certificate:

  1. Right-click a binary file and click Properties.
  2. On the Digital Signatures tab, select the signer(s) listed on the Signature List and click Details.
  3. If the Name field in the Digital Signatures Details window says Microsoft Windows Kits Publisher, you need to install the Kits policy for this binary file on a Windows 8.1 RT device.

Note: The Kits policy might not be required for certifying devices. To certify devices, see the Windows Hardware Certification Step-by-Step Guide. Information related to the Kits policy can be found in the "Apply the Kits policy setting to ARM machines" section under the "Step 2: Install Client on the test computer(s)".


How to install the Kits policy

Run these steps one time per machine to apply the Kits policy. The Kits policy setting persists on the machine over its lifetime.

  1. Copy the folder C:\Program Files (x86)\Windows Kits\8.1\bin\arm\SecureBoot to your ARM device.
  2. Open an elevated command prompt and navigate to the newly copied folder. Then double-click InstallKitsPolicy.cmd. If that doesn’t work, right-click and click Run as administrator.
  3. When the machine reboots, follow the instructions on the screen.
  4. If you have a keyboard, use the Down key to select Accept and Install, and press Enter. If you don’t have a keyboard, use the Volume Down button to select Accept and install and press the Windows button.

Note: If you need to cancel the installation, press ESC. If you don’t have a keyboard, reboot the computer using the power button.


How to check if an ARM device already has the Kits policy

The simplest way to check if the kits policy is installed is to check for a watermark on the desktop. When a Kits policy is installed, a watermark appears in the lower-right corner of the desktop that says “SecureBoot isn’t configured correctly.” This message indicates that Secure Boot is using the Kits policy instead of the standard production policy

The best way to confirm if the Kits policy is installed is to use the Get-SecureBootPolicy PowerShell cmdlet:

  1. Open a Windows PowerShell window with administrative privileges.
  2. Run the Get-SecureBootPolicy cmdlet.
  3. If the output of Get-SecureBootPolicy lists the Publisher as being 639F31B2-D82F-4C0B-9FCC-6F51DB62377A, the Kits policy was installed successfully.


Deleting the Kits policy

Deleting the Kits policy restores the device to full retail configuration for new devices. You might want to restore a device to test that an app works on a new device from a retailer.

  • You can remove the Kits policy by running the DeleteKitsPolicy.cmd in a command prompt with administrative privileges. DeleteKitsPolicy.cmd comes with the SDK. You’ll need to reboot to complete the deletion; however, nothing is required of you after the reboot.

Note: ARM Kits content will no longer work if the Kits policy is deleted.