File signing LSA plugins and UEFI firmware

The Hardware Dev Center Dashboard lets you digitally sign Local Security Authority (LSA) plugins and UEFI firmware binaries, enabling them to be installed on Windows devices.


  • File signing requires an extended validation (EV) code signing certificate.

  • All LSA and UEFI submissions must be a single, signed CAB library file, and contain all files required for signing.

    • This file should contain no folders and only the binaries or .efi files to be signed.
  • UEFI FIRMWARE ONLY - The CAB file signature must match the Authenticode certificate for your organization.

    • Depending on your certificate provider, you may need to use SignTool or an external process.
    • EFI ByteCode (EBC) files must be compiled using the /ALIGN:32 flag for processing to succeed.
  • LSA PLUGINS ONLY - The CAB file signature must match the EV code signing certificate for your organization.
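
The following PowerShell sketch is an added example, not part of the original page or Microsoft's tooling. It checks a staging folder against the requirements above, packages it as a flat CAB with makecab, then signs and verifies the CAB with SignTool. It assumes makecab.exe and signtool.exe are on PATH; the paths, thumbprint, timestamp URL and allowed-extension list are placeholders or assumptions to replace with your own.

```powershell
# Added example: stage, package and sign a flat CAB for a UEFI or LSA submission.
# All paths and certificate values below are placeholders, not values from the page.
$Staging      = 'C:\submit\staging'        # hypothetical folder with only the files to sign
$OutDir       = 'C:\submit\out'            # hypothetical output folder
$CabName      = 'submission.cab'
$Thumbprint   = '<CERT-SHA1-THUMBPRINT>'   # placeholder: your organization's certificate
$TimestampUrl = '<RFC3161-TIMESTAMP-URL>'  # placeholder: your CA's timestamp server
$ErrorActionPreference = 'Stop'

# The CAB must contain no folders, so refuse a staging tree with subdirectories.
if (Get-ChildItem -LiteralPath $Staging -Directory) {
    throw 'Staging folder contains subfolders; the CAB must be flat.'
}
$files = @(Get-ChildItem -LiteralPath $Staging -File)
if ($files.Count -eq 0) { throw "Nothing to package in $Staging." }

# Only the binaries or .efi files to be signed belong in the CAB.
# The extension list is an assumption; adjust it to your submission type.
$allowed = '.efi', '.dll'
$extra = @($files | Where-Object { $allowed -notcontains $_.Extension.ToLower() })
if ($extra.Count -gt 0) { throw "Unexpected files: $($extra.Name -join ', ')" }

# Build a makecab directive file that places every file at the CAB root.
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
$ddf = Join-Path $OutDir 'submission.ddf'
$lines = @(
    '.OPTION EXPLICIT'
    '.Set MaxDiskSize=0'
    '.Set CompressionType=MSZIP'
    '.Set Cabinet=on'
    '.Set Compress=on'
    ".Set CabinetNameTemplate=$CabName"
    ".Set DiskDirectory1=`"$OutDir`""
)
$lines += $files | ForEach-Object { "`"$($_.FullName)`"" }
Set-Content -LiteralPath $ddf -Value $lines -Encoding ASCII

makecab.exe /F $ddf
if ($LASTEXITCODE -ne 0) { throw 'makecab failed.' }

# Sign the CAB itself, then confirm the signature chains and verifies.
$cab = Join-Path $OutDir $CabName
signtool.exe sign /fd SHA256 /sha1 $Thumbprint /tr $TimestampUrl /td SHA256 $cab
if ($LASTEXITCODE -ne 0) { throw 'signtool sign failed.' }
signtool.exe verify /pa /v $cab
if ($LASTEXITCODE -ne 0) { throw 'CAB signature did not verify.' }
```

If your certificate provider requires an external signing process instead of SignTool, keep the validation and makecab steps and replace only the `signtool.exe sign` call.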

Creating a new UEFI or LSA submission

  1. Sign in to the dashboard with your Microsoft account and click Hardware certification.

  2. On the File Signing Services page, click Submit New UEFI or Submit New LSA.


    You may be prompted to sign a legal agreement before creating a new file signing submission. Review and complete the agreement to continue. Each organization needs to sign the agreement only once.

  3. On the submission page, upload the CAB file you want to submit, and click Submit.

  4. Once your submission has been processed, you’ll receive a notification with your submission ID.

Managing your file signing submission

After signing in to the Hardware Dev Center Dashboard, you can manage your firmware submission like any other dashboard submission.

Microsoft UEFI CA Signing Policy Updates

Pre-Submission Testing for UEFI Submissions