Driver Signing Policy
Starting with new installations of Windows 10, version 1607, Windows will not load any new kernel-mode drivers that are not signed by the Dev Portal. To get your driver signed, follow these steps:
- Get an EV Code Signing Certificate. All drivers submitted to the portal must be signed by an EV certificate.
- Submit your new driver to the Windows Hardware Developer Center Dashboard portal.
Cross-signed drivers are still permitted if any of the following are true:
- The PC was upgraded from an earlier release of Windows to Windows 10, version 1607.
- Secure Boot is off.
- The driver was signed with a cross-signing certificate issued prior to July 29th, 2015.
For more info, see Driver Signing Changes in Windows 10, version 1607.
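The following PowerShell audit is an added example, not part of the original page or Microsoft's tooling. It reports the Secure Boot state and, for each driver file, the signature status and whether the signer certificate predates the July 29th, 2015 cut-off. Assumptions: the driver directory default, reading the date rule against the signer certificate's NotBefore value, and the "Microsoft*" signer-name heuristic for portal-signed or inbox drivers.

```powershell
# Added example: review driver signatures against the version 1607 policy.
# Assumption: $DriverDir is the folder holding the drivers to review.
param([string]$DriverDir = "$env:SystemRoot\System32\drivers")

# Cut-off date taken from the policy text above.
$Cutoff = [datetime]'2015-07-29'

# Confirm-SecureBootUEFI returns $true/$false on UEFI systems; it throws on
# legacy BIOS machines or when the session is not elevated.
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = $null }

$report = Get-ChildItem -Path $DriverDir -Filter *.sys -File | ForEach-Object {
    # Checks embedded and catalog signatures with the user-mode trust store.
    # This approximates, but is not identical to, the kernel Code Integrity check.
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        Driver          = $_.Name
        Status          = $sig.Status
        SignatureType   = $sig.SignatureType   # Authenticode (embedded), Catalog or None
        Signer          = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { $null }
        CertIssued      = if ($cert) { $cert.NotBefore } else { $null }
        IssuedPreCutoff = if ($cert) { $cert.NotBefore -lt $Cutoff } else { $null }
    }
}

if ($null -eq $secureBoot) {
    'Secure Boot: unknown (legacy BIOS or session not elevated)'
} else {
    "Secure Boot: $secureBoot"
}

# Drivers worth a manual look: no valid signature, or a non-Microsoft signer
# whose certificate was issued on or after the cut-off. The 'Microsoft*' match
# is a heuristic (assumption), not an authoritative test for portal signing.
$report |
    Where-Object {
        $_.Status -ne 'Valid' -or
        ($_.Signer -notlike 'Microsoft*' -and -not $_.IssuedPreCutoff)
    } |
    Sort-Object Driver |
    Format-Table -AutoSize
```

Run it from an elevated session so the Secure Boot query succeeds. Whether a flagged driver actually loads also depends on whether the PC was upgraded from an earlier release, which this script does not detect.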
Signing a driver for earlier versions of Windows
To sign a driver for Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10, follow these steps:
- Run the HLK tests for Windows 10.
- Run the HCK tests for Windows 8.1 and earlier versions.
- Using the Windows 10 HLK, merge the two test logs.
- Submit your driver and the merged HLK/HCK test results to the Windows Hardware Developer Center Dashboard portal.
Before Windows 10, the following types of drivers require an Authenticode certificate used together with Microsoft’s cross-certificate for cross-signing:
- Kernel-mode device drivers
- User-mode device drivers
- Drivers that stream protected content. This includes audio drivers that use Protected User Mode Audio (PUMA) and Protected Audio Path (PAP), and video device drivers that handle protected video path-output protection management (PVP-OPM) commands. For more information, see Code-signing for Protected Media Components.
Starting in Windows 8, Secure Boot is on by default. When Secure Boot is on, Windows loads only drivers that are digitally signed. The following table lists the signature requirements for different types of drivers based on processor architecture and Secure Boot state. The table applies to both third-party boot drivers and device drivers.
|Secure Boot Enabled|Secure Boot Disabled|
|SHA1 or above; Microsoft Root Authority 2010; WHQL signature required|Unsigned drivers allowed; SHA1 or above; Embedded or catalog signed; Standard roots trusted by Code Integrity|
For info about signing an ELAM driver, see Early launch antimalware.
In addition to driver code signing, you also need to meet the PnP device installation signing requirements for installing a driver. For more info, see Plug and Play (PnP) device installation signing requirements.