Kernel-Mode Code Signing Requirements

Starting with Windows Vista, the kernel-mode code signing policy controls whether a kernel-mode driver will be loaded. The signing requirements depend on the version of the Windows operating system and on whether the driver is being signed for public release or by a development team during the development and test of a driver. There are also signing requirements that pertain to the installation of a PnP device and driver.

Virtual drivers have the same requirements as actual hardware drivers. In other words, they must comply with the requirements for the OS version for which they are targeted.

For info about signing and dashboard submission, see Get started with dashboard submissions.

Kernel-Mode Code Signing Requirements for Public Release of a Driver

Note

Starting with Windows 10, version 1607, Windows will not load any new kernel-mode drivers that are not signed by Microsoft through the Hardware Dev Center. Valid signatures can be obtained through either Hardware Certification or Attestation.

64-bit versions of Windows starting with Windows Vista
The kernel-mode code signing policy requires that a kernel-mode driver be signed as follows:

  • A kernel-mode boot-start driver must have an embedded Software Publisher Certificate (SPC) signature. This applies to any type of PnP or non-PnP kernel-mode boot-start driver.

  • A non-PnP kernel-mode driver that is not a boot-start driver must have either a catalog file with an SPC signature or an embedded SPC signature in the driver file.

  • A PnP kernel-mode driver that is not a boot-start driver must have either an embedded SPC signature, a catalog file with a WHQL release signature, or a catalog file with an SPC signature. Although the kernel-mode code signing policy does not require that the catalog file of a PnP driver be signed, PnP device installation treats a driver as signed only if the catalog file of the driver is also signed.
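
One way to check the boot-start rule above on a running system, as an added example that is not part of the original documentation: it lists boot-start drivers and reports whether Get-AuthenticodeSignature finds an embedded or a catalog signature. The function names are hypothetical, and the cmdlet evaluates trust in user mode, so the result is an indicator for review rather than the kernel's own load decision.

```powershell
# Added example (not from the original page). Assumes Windows PowerShell 5.1+,
# where Signature objects expose the SignatureType property.

function Resolve-DriverPath {            # hypothetical helper name
    param([string]$PathName)
    # Driver image paths may carry NT-style prefixes; normalise to a Win32 path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^System32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-BootStartDriverSignature {  # hypothetical helper name
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.StartMode -eq 'Boot' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            $row  = [ordered]@{
                Driver = $_.Name; Path = $path; Status = 'FileNotFound'
                SignatureType = $null; Signer = $null; Finding = $null
            }
            if (Test-Path -LiteralPath $path) {
                $sig = Get-AuthenticodeSignature -LiteralPath $path
                $row.Status        = [string]$sig.Status
                # 'Authenticode' = signature embedded in the file, 'Catalog' = found via a catalog file
                $row.SignatureType = [string]$sig.SignatureType
                if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }
            }
            # Boot-start drivers are expected to carry an embedded signature.
            $row.Finding = if ($row.Status -eq 'FileNotFound') {
                'Review: image path not resolved'
            } elseif ($row.Status -ne 'Valid') {
                'Review: signature not valid'
            } elseif ($row.SignatureType -ne 'Authenticode') {
                'Review: no embedded signature reported'
            } else {
                'OK'
            }
            [pscustomobject]$row
        }
}

Get-BootStartDriverSignature | Sort-Object Finding, Driver |
    Format-Table Driver, Status, SignatureType, Finding, Signer -AutoSize
```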

32-bit versions of Windows
Windows Vista and later versions of Windows enforce the kernel-mode driver signing policy only for the following drivers:

Kernel-Mode Code Signing Requirements during Development and Test

64-bit versions of Windows starting with Windows Vista
The kernel-mode code signing policy requires that a kernel-mode driver be test-signed and that test-signing is enabled. A test signature can be a WHQL test signature or generated in-house by a test certificate. Drivers must be test-signed as follows:

  • A kernel-mode boot-start driver must have an embedded test signature. This applies to any type of PnP or non-PnP kernel-mode driver.

  • A kernel-mode driver that is not a boot-start driver must have either a test-signed catalog file or an embedded test signature in the driver file. This applies to any type of PnP or non-PnP kernel-mode driver.

32-bit versions of Windows
Windows Vista and later versions of Windows enforce the kernel-mode driver signing policy only for the following drivers: