Driver Signing Policy

Starting with new installations of Windows 10, version 1607, Windows will not load any new kernel mode drivers which are not signed by the Dev Portal. To get your driver signed, follow these steps:

  1. Get an EV Code Signing Certificate. An EV Code Signing Certificate is required to establish a Dashboard account.
  2. Submit your new driver to the Windows Hardware Developer Center Dashboard portal.

There are two different ways to submit drivers to the portal. For production drivers, you should submit HLK/HCK test logs, as described below. For testing, you can submit your drivers for attestation signing, which does not require HLK testing, but produces a package signed only for Windows 10.

Exceptions

Cross-signed drivers are still permitted if any of the following are true:

  • The PC was upgraded from an earlier release of Windows to Windows 10, version 1607.
  • Secure Boot is off in the BIOS.
  • Drivers was signed with an end-entity certificate issued prior to July 29th 2015 that chains to a supported cross-signed CA.

For more info, see Driver Signing Changes in Windows 10, version 1607.

Signing a driver for all client versions of Windows

To sign a driver for Windows Vista, Windows 7, Windows 8, Windows 8.1, and Windows 10, follow these steps:

  1. Run the HLK tests (Windows 10), or the HCK tests (Windows 8.1 and earlier versions).
  2. Using the Windows 10 HLK, merge the two test logs.
  3. Submit your driver and the merged HLK/HCK test results to the Windows Hardware Developer Center Dashboard portal.

Signing a driver for earlier versions of Windows

Before Windows 10, version 1607, the following types of drivers require an Authenticode certificate used together with Microsoft's cross-certificate for cross-signing:

  • Kernel-mode device drivers
  • User-mode device drivers
  • Drivers that stream protected content. This includes audio drivers that use Protected User Mode Audio (PUMA) and Protected Audio Path (PAP), and video device drivers that handle protected video path-output protection management (PVP-OPM) commands. For more information, see Code-signing for Protected Media Components.

Signing requirements by version

The following table shows signing policies for client operating system versions.

To load on Windows Server 2016, drivers must pass HLK tests and be signed by the Hardware dashboard portal. Windows Server does not load attestation signed drivers.

Note that Secure Boot does not apply to Windows Vista and Windows 7.

Applies to: Windows Vista, Windows 7; Windows 8+ with Secure Boot off Windows 8, Windows 8.1, Windows 10, versions 1507 and 1511 with Secure Boot on Windows 10, version 1607+ with Secure Boot on
Architectures: 64-bit only, no signature required for 32-bit 64-bit, 32-bit 64-bit, 32-bit
Signature required: Embedded or catalog file Embedded or catalog file Embedded or catalog file
Signature algorithm: SHA1 SHA1 SHA2 or SHA1
Certificate: Standard roots trusted by Code Integrity Standard roots trusted by Code Integrity Microsoft Root Authority 2010, Microsoft Root Certificate Authority, Microsoft Root Authority

In addition to driver code signing, you also need to meet the PnP device installation signing requirements for installing a driver. For more info, see Plug and Play (PnP) device installation signing requirements.

For info about signing an ELAM driver, see Early launch antimalware.

See Also