Understanding Device Drivers and Deployment
Applies To: Windows 7, Windows Server 2008 R2
This content applies to Windows 7. For Windows 8 content, see Windows Deployment with the Windows ADK.
When you're planning to add drivers to Windows® 7, it's important to understand digital signature requirements and driver ranking. You should also plan how you'll manage and add the drivers. This topic includes basic information about each of these subjects.
In This Topic
Digital Signature Requirements
Digital Signature Requirements
Signed device drivers are a key security feature in Windows. Drivers that are installed on x64-based computers must have a digital signature. Although it isn't required, we recommend making sure that drivers are signed before you install them on x86-based and Itanium-based computers.
All boot-critical drivers must contain embedded signatures. A digital signature isn't required for Plug and Play (PnP) drivers. But when an unsigned PnP driver is installed on a running operating system, administrator credentials are required, and you can't install such drivers on 64-bit operating systems.
There are two ways that a driver can be signed:
Kernel mode and boot-critical drivers are digitally signed via a method called embedded signing. By using embedded signatures, every binary in the driver package is signed. Embedded signatures improve boot loading performance. For drivers that are not PnP, signatures should be embedded so that they're not lost during an upgrade of the operating system.
Digitally signed PnP drivers contain a catalog (.cat) file that is digitally signed. The catalog file contains a hash of all the files in the driver's .inf file for installation. A signed catalog file is all that's necessary to correctly install most PnP drivers.
Either of these sources can sign drivers:
Windows Hardware Quality Labs (WHQL), which makes sure that your drivers qualify for the Windows Logo Program. WHQL creates a signed driver catalog. For boot-critical drivers, you should add more embedded signatures instead of relying on the catalog. Embedded signatures in boot-critical driver image files optimize boot performance of the operating system by eliminating the need to locate the appropriate catalog file when the operating system loader verifies the driver signature.
A certification authority (CA), by using a Software Publishing Certificate (SPC). For boot-critical and x64-based kernel drivers, Microsoft provides an additional certificate that can be used to cross-sign the drivers. Drivers that aren't boot critical don't have to be cross-signed by Microsoft or embedded. You can use the Windows Kernel Mode Code Signing process if you need the flexibility of signing the drivers yourself. For information about digital signatures for kernel modules on x64-based systems, see 64-Bit Driver Guidelines.
For testing, you can also use test certificates.
If you have received an unsigned driver from a vendor for testing, you can use a test signature to validate the driver and to test the installation. Test signing is the act of digitally signing an application by using a private key and a corresponding code-signing certificate that's trusted only in the confines of a test environment.
These are the primary ways to generate such test-signing certificates:
Developers can generate their own self-signed certificates.
A CA can issue certificates.
For either option, test-signing certificates must be clearly identified as appropriate only for testing. For example, the word "test" can be included in the certificate subject name, and additional legal disclaimers can be included in the certificate. Production certificates that are issued by commercial CAs must be reserved for signing only public beta releases and public final releases of software and internal line-of-business software.
For more information, see Driver Signing Requirements for Windows.
When you're adding test-signed driver packages to Windows, consider these points:
You must install the test certificates on a running operating system. You can't install them offline.
The certificate of the CA that issued the test certificate must be inserted in the Trusted Root Certification Authorities certificate store.
If the test certificate is self-signed—for example, by using the Certificate Creation Tool (MakeCert)—the test certificate must be inserted in the Trusted Root Certification Authorities certificate store.
The test certificate that's used to sign the driver package must be inserted in the Trusted Publishers certificate store.
You must add test certificates online (to a booted instance of the Windows image) before you can use the Deployment Image Servicing and Management (DISM) command-line tool to add test-signed drivers offline.
DISM validates WHQL certifications only for boot-critical drivers. But, a DISM command-line option can override this behavior. For more information, see Driver Servicing Command-Line Options.
To install and verify test-signed drivers on 64-bit operating systems, set the Windows boot configuration to test mode by using the BCDEdit tool on the destination computer. Test mode verifies that the driver image is signed, but certificate path validation doesn't require the issuer to be configured as a trusted root authority. For the PnP driver installation and ranking logic to treat the driver correctly, the test certificate must be stored in the trusted certificate store of the operating system image. For information about test mode during development, see 64-Bit Driver Guidelines.
If an unsigned or invalid boot-critical device driver is installed on an x64-based computer, the computer will not boot. The unsigned or invalid boot-critical device driver will cause a Stop error. You should remove the driver from either the critical device database (CDDB) or its reflected location in the image. If you're performing an upgrade, make sure that unsigned drivers and their associated applications, services, or devices are removed or updated with a signed driver.
If you don't enable test mode by using BCDEdit, and you have a test-signed driver installed, your computer will not boot. If you use DISM to remove the driver, all instances of the reflected driver package might not be removed. So, we recommend that you don't deploy images that have test-signed drivers installed.
If you're adding multiple drivers, you should create separate folders for each driver or driver category. This makes sure that there are no conflicts when you add drivers that have the same file name. After the driver is installed on the operating system, it's renamed to Oem*.inf to ensure unique file names in the operating system. For example, the staged drivers named MyDriver1.inf and MyDriver2.inf are renamed to Oem0.inf and Oem1.inf after they're installed.
When you specify a device-driver path in an answer file, all .inf drivers in the specified directory and subdirectories are added to the driver store of the Windows image. For example, if you want all of the drivers in the C:\MyDrivers\Networking, C:\MyDrivers\Video, and C:\MyDrivers\Audio directories to be available in your Windows image, specify the device-driver path, C:\MyDrivers, in your answer file. If you aren't using an answer file, you can use the /recurse command in DISM. For more information about the /recurse command, see Driver Servicing Command-Line Options. This command makes sure that all drivers in each subdirectory will be added to the driver store in your Windows image.
If all drivers in the specified directory and subdirectories are added to the image, you should manage the answer file or your DISM commands and these directories carefully. Do your best to address concerns about increasing the size of the image through unnecessary driver packages.
You can add device drivers to a Windows image at various phases of deployment. You can add them offline to an operating system image before deployment, during an automated deployment of the Windows image by using an unattended answer file (Unattend.xml) and Windows Setup, or after deployment on a running operating system. For more information, see Understanding Servicing Strategies.
When you add a driver to an offline image, it's either staged or reflected in the image:
Drivers that aren't boot critical are staged. In other words, they're added to the driver store of the offline image. When the computer is started, PnP detects the driver and finishes the installation.
Boot-critical drivers are reflected on the system. In other words, the CDDB and the registry will be changed, and files will be copied to the system according to what's specified in the .inf file.
Offline servicing (before deployment)
Offline servicing occurs when you modify a Windows 7 image entirely offline without booting the operating system. You can add, remove, and enumerate drivers on an offline Windows image by using the DISM command-line tool. DISM is installed with Windows 7 and is also distributed in the Windows OEM Preinstallation Kit (Windows OPK) and the Windows Automated Installation Kit (Windows AIK). For more information about DISM, see the Deployment Image Servicing and Management Technical Reference
Methods for adding device drivers offline include these:
- Using DISM commands to add or remove drivers on a mounted or applied Windows or Windows Preinstallation Environment (Windows PE) image.
You can't use DISM to remove inbox drivers (drivers that are installed on Windows by default). You can use it only to remove third-party or out-of-box drivers.
- Using DISM commands to apply an unattended answer file to a mounted or applied Windows image.
For more information, see Add and Remove Drivers Offline.
If you're using DISM, you can add only .inf drivers to an offline Windows image. Drivers that display the Designed for Windows logo are provided as .cab files. You must expand the .cab file before you install the .inf file if you're using DISM for the installation. You must install a driver that's packaged as a .exe file or another file type on a running Windows operating system. To run a .exe or Windows Installer (.msi) driver package, you can add a custom command to an answer file to install the driver package. For more information, see Add a Custom Command to an Answer File. You can also use the OCSetup tool to install .msi files on a running operating system.
Windows Setup and an answer file
You can use an unattended answer file to add drivers to an image when you use Windows Setup for deployment. In this answer file, you can specify the path of a device driver on a network share (or a local path). You accomplish this by adding the Microsoft-Windows-PnpCustomizationWinPE or Microsoft-Windows-PnpCustomizationNonWinPE components and specifying the configuration passes where you want to install them. When you run Windows Setup and specify the name of the answer file, out-of-box drivers are staged (added to the driver store on the image), and boot-critical drivers are reflected (added to the image so that they'll be used when the computer boots). Setup uses the answer file. By adding device drivers during the windowsPE or offlineServicing configuration passes, you can add out-of-box device drivers to the Windows image before the computer starts. You can also use this method to add boot-critical device drivers to a Windows image. For more information, see Add Device Drivers by Using Windows Setup. For more information about how Windows Setup works, see the Windows Setup Technical Reference.
If you want to add boot-critical drivers to Windows PE, use the windowsPE configuration pass to reflect the drivers before the Windows PE image is booted. The difference between adding boot-critical drivers during the windowsPE configuration pass and adding them during the offlineServicing configuration pass is that during the windowsPE configuration pass, boot-critical drivers are reflected for Windows PE to use. During the offlineServicing configuration pass, the drivers are staged to the driver store on the Windows image.
Methods for adding device drivers by using Windows Setup include these:
Using an answer file to add drivers during the offlineServicing configuration pass of Setup
Using an answer file to add drivers during the windowsPE configuration pass of Setup
For Windows Server® 2008 R2, placing drivers in the $WinPEDriver$ directory to be installed automatically during setup of the operating system in Setup
For more information about these and other configuration passes, see Windows Setup Configuration Passes.
When you're using Windows Deployment Services for deployment in Windows Server 2008 R2, you can add device drivers to your server and configure them to be deployed to clients as part of a network-based installation. You configure this functionality by creating a driver group on the server, adding packages to it, and then adding filters to define which clients will install those drivers. You can configure drivers to be installed based on the client's hardware (for example, manufacturer or BIOS vendor) and the edition of the Windows image that's selected during the installation. You can also configure whether clients install all packages in a driver group or only the drivers that match the installed hardware on the client. For more information about how to implement this functionality, see the Windows Deployment Services documentation.
Running operating system
You can use the PnPUtil tool to add or remove drivers on a running operating system. Alternatively, you can use an answer file to automate the installation of the drivers when the computer is booted in audit mode. These methods can be helpful if you want to maintain a simple Windows image, and then add only the drivers that are required for a specific hardware configuration. For more information about how to use audit mode, see Customize Windows in Audit Mode.
Methods for adding device drivers online to a running operating system include these:
Using PnPUtil to add or remove PnP drivers. For more information, see Use PnPUtil at a command line to install a Plug and Play device.
Using an answer file to automate the installation of PnP drivers when the computer is booted in audit mode. For more information, see Add a Driver Online in Audit Mode.
One of the most common issues in deploying drivers happens when a driver is successfully imported into the driver store but, after the system is online, PnP finds a higher-ranking driver and installs that driver instead.
The Windows PnP manager ranks these driver package properties in order of importance:
PnP ID match
For example, if a device has a better PnP ID match but is unsigned, a signed driver with a compatible ID match takes precedence. An older driver can outrank a newer driver if the older driver has a better PnP ID match or signature.
For more information about driver ranking, see How Windows Ranks Drivers.
These websites provide more information about device-driver requirements:
For more information about PnP driver deployment, see PnP Device Installation Signing Requirements.
For more information about digital signatures and developing drivers, see the relevant page on the Windows Hardware Developer Central website.