Table of contents
Collapse the table of content
Expand the table of content

Overview of Installing Private Builds of Inbox Drivers

Last Updated: 7/25/2016

Starting with Windows Vista, when a Plug and Play (PnP) device is installed on a computer system, Windows selects a driver based on several factors, such as the hardware ID or compatible ID, date, and version. Windows analyzes these factors to assign a rank that indicates how well the driver matches the device. The lower the rank, the better a match the driver is for the device.

Also, starting with Windows Vista, if a driver has a signature from a Windows signing authority (Microsoft signature), Windows ranks it better than another driver for the same device that was signed with:

  • A third-party release signature. This type of signature is generated by using a Software Publisher Certificate that is obtained from a third-party certification authority (CA) authorized by Microsoft to issue such certificates.

  • A Microsoft signature for a Windows version that is earlier than the LowerLogoVersion value of the driver's device setup class.

The Microsoft signature types include the following:

  • Premium WHQL signatures and standard WHQL signatures

  • Signatures for inbox drivers

  • Windows Sustained Engineering (Windows SE) signatures

  • A WHQL signature for a Windows version that is the same or later than the Windows version that is specified by the LowerLogoVersion value that is set for the device setup class of a driver

Note Even if a driver that has a third-party signature is a better match for the device, Windows selects the driver that has a Microsoft signature. Using a publisher identity certificate [PIC] for the third-party signature does not change this behavior.

Starting with Windows Vista, the AllSignersEqual Group Policy controls how Windows ranks Microsoft-signed drivers and third party-signed drivers. When AllSignersEqual is enabled, Windows treats all Microsoft signatures and third-party signatures as equal with respect to rank when selecting the driver that is the best match for a device.

Note In Windows Vista and Windows Server 2008, the AllSignersEqual Group Policy is disabled by default. Starting with Windows 7, this Group Policy is enabled by default.

To install a private build of an inbox driver, you must do the following:

  • Build a private version of the inbox driver. You must ensure that the private build outranks the Microsoft-signed version when signatures are treated equally. The private build must also be digitally signed by using tools that are provided with the WDK.

    For more information, see Creating a Private Build of an Inbox Driver.

  • Enable the AllSignersEqual Group Policy on the target system so that the operating system views all Microsoft signature types and third-party signatures as equal in rank when it selects the driver that is the best match for a device.

    For more information, see Configuring Windows to Rank Driver Signatures Equally.

For more information about how Windows ranks drivers, see How Windows Selects Drivers.

Send comments about this topic to Microsoft

© 2016 Microsoft