PnP Device Installation Signing Requirements
The driver signing requirements for Plug and Play (PnP) device installation depend on the version of Windows and on whether the driver is being signed for public release or by a development team during the development and test of the driver. All 64-bit versions of Windows enforce kernel-mode code signing requirements that determine whether a kernel-mode driver can be loaded.
PnP Signing Requirements for Public Release of a Driver
A valid WHQL release signature verifies that the driver complies with the requirements of the HCK, verifies the identity of the publisher, and verifies that the driver has not been altered.
To be considered signed by PnP device installation, the catalog file of the driver package must be signed by WHQL or signed by a third-party release certificate (a Software Publisher Certificate (SPC) or a commercial release certificate). A WHQL release signature should be used if one can be obtained. A third-party release signature verifies the identity of the publisher and that the driver has not been altered. However, unlike a WHQL release signature, a third-party release signature does not verify driver functionality.
Also be aware that for 64-bit versions of Windows Vista and later versions of Windows, the kernel-mode code signing policy further requires that a kernel-mode driver be signed by WHQL or by an SPC.
For more information about release-signing, see Signing Drivers for Public Release.
PnP Signing Requirements for Development and Test of a Driver
In 64-bit versions of Windows Vista and later versions of Windows, a driver must have a WHQL test signature or must be signed by a test certificate. For more information about test-signing drivers, see Signing Drivers during Development and Test.