Digital Signatures and PnP Device Installation (Windows Vista and Later)

On Windows Vista and later versions of Windows, Plug and Play (PnP) device installation uses the digital signature of a driver package's catalog file to do the following:

• Verify the identity of the publisher of the driver package. Windows uses the identity to allow users to choose whether to trust a driver's publisher.

• Determine whether the driver package was altered after it was published.

PnP device installation on Windows Vista and later versions of Windows support the following types of digital signatures for driver packages:

• Signature types that can be used for driver packages that are released to the general public:

  • Signatures generated by a Windows signing authority for:
    1. Inbox driver packages
    2. Driver packages certified and signed through the Windows Hardware Quality Labs (WHQL)
    3. Windows Sustained Engineering (SE) updates.
  • Signatures that are not generated by a Windows signing authority but do comply with the PnP device installation signing requirements.

• Signatures for deploying driver packages only within corporate network environments, which are created by a digital certificate that is created and managed by Enterprise CA. Detailed information about how to configure an Enterprise CA is outside the scope of this documentation.

  For information about how to create an Enterprise CA, see Code Signing Best Practices.

• Signature types that can be used in-house during the development and test of drivers:

  • Signatures generated by the WHQL test signature program
  • Signatures generated by a MakeCert test certificate
  • Signatures created by a commercial test certificate that is obtained from a CA that is a member of the Microsoft Root Certificate Program
  • Signatures generated by an Enterprise CA test certificate

Windows Vista and later versions of Windows include the following features that provide support for signatures that are generated by third parties:

• Administrators can control which driver publishers are trusted. Windows Vista and later versions of Windows installs drivers from trusted publishers without prompting. It never installs drivers from publishers that the administrator has chosen not to trust.

• The driver-signing policy is always set to Warn. This eliminates the Ignore and Block options that were available in Windows Server 2003, Windows XP, and Windows 2000. An administrator must always authorize the installation of unsigned drivers or a driver from a publisher that is not yet trusted.

• All device setup classes are treated equally. On Windows Server 2003, Windows XP, and Windows 2000, driver packages that were signed by WHQL must have an INF file that specifies a device setup class that is defined in %SystemRoot%/inf/Certclas.inf. Otherwise, Windows treats the driver package as unsigned.

• Starting with Windows Vista, when there are several compatible driver packages to choose from, the ranking algorithm that the operating system uses to select the best driver package includes driver packages that have third-party signatures.

  This algorithm ranks driver packages in the following way:

  • If the AllSignersEqual group policy is disabled, the operating system ranks driver packages that are signed with a Microsoft signature higher than driver packages that are signed with a third-party signature. This ranking occurs even if a driver package that is signed with a third-party signature is, in all other ways, a better match for a device.
  • If the AllSignersEqual group policy is enabled, the operating system ranks all digitally signed driver packages equally.

  Note Starting with Windows 7, the AllSignersEqual group policy is enabled by default. In Windows Vista and Windows Server 2008, the AllSignersEqual group policy is disabled by default. IT departments can override the default ranking behavior by enabling or disabling the AllSignersEqual group policy.

Before installing a driver package, Windows analyzes the driver package's digital signature. If a signature is present, Windows uses the signature to validate the files in the driver package. Based on the results of this analysis, Windows categorizes the digital signature as follows:

• Signed by a Windows signing authority. These driver packages are either included in the default installation of Windows (inbox drivers), signed for release by WHQL, or signed by Windows SE.

• Signed by a trusted publisher. These driver packages have been signed by a third-party, and user has explicitly chosen to always trust signed driver packages from this publisher.

• Signed by an untrusted publisher. These driver packages have been signed by a third-party, and the user has explicitly chosen to never trust driver packages from this publisher.

• Signed by a publisher of unknown trust. These driver packages have been signed by a third-party, and the user has not indicated whether to trust this publisher.

• Altered. These driver packages are signed, but Windows has detected that at least one file in the driver package has been altered after the package was signed.

• Unsigned. These driver packages are either unsigned or have an invalid signature. Valid signatures must be created by using a certificate that was issued by a trusted CA.

Starting with Windows Vista, when the operating system installs a driver package on a computer for the first time, it preinstalls, or stages, the driver in the driver store. Windows subsequently will silently install a driver package for a matching device by using the copy of the driver package in the driver store. User interaction is not required when Windows installs a preinstalled driver package for a device.

Whether Windows will preinstall a driver package depends on the signature category, user credentials, and user interaction, as follows:

• Signed by a Windows signing authority or a trusted publisher. Windows silently preinstalls the driver package for system administrators and standard users (users without administrator credentials). Windows does not display any user dialog boxes.

• Signed by an untrusted publisher. Windows does not preinstall the driver package.

• Signed by a publisher of unknown trust. Windows displays a dialog box to a system administrator that informs the administrator that the publisher of the driver package is not yet trusted. The dialog box provides the administrator the option to install the driver package and the option to always trust the publisher. Windows does not display a dialog box to a standard user and does not preinstall the driver package for the standard user.

• Altered or unsigned. Windows displays a dialog box that appropriately warns a system administrator that the signature could not be verified. The dialog box provides the administrator the option to install or not to install the driver package. Windows does not display a dialog box to a standard user and does not preinstall the driver package for a standard user.

For more information about driver signatures and installation, see Signature Categories and Driver Installation.