Overview of Installing Private Builds of Inbox Drivers

Starting with Windows Vista, when a Plug and Play (PnP) device is installed on a computer system, Windows selects a driver based on several factors, such as the hardware ID or compatible ID, date, and version. Windows analyzes these factors to assign a rank that indicates how well the driver matches the device. The lower the rank, the better a match the driver is for the device.

Also, starting with Windows Vista, if a driver has a signature from a Windows signing authority (Microsoft signature), Windows ranks it better than another driver for the same device that was signed with:

  • A third-party release signature. This type of signature is generated by using a Software Publisher Certificate that is obtained from a third-party certification authority (CA) authorized by Microsoft to issue such certificates.

  • A Microsoft signature for a Windows version that is earlier than the LowerLogoVersion value of the driver's device setup class.

The Microsoft signature types include the following:

  • Premium WHQL signatures and standard WHQL signatures

  • Signatures for inbox drivers

  • Windows Sustained Engineering (Windows SE) signatures

  • A WHQL signature for a Windows version that is the same as or later than the Windows version that is specified by the LowerLogoVersion value that is set for the device setup class of a driver

Note: Even if a driver that has a third-party signature is a better match for the device, Windows selects the driver that has a Microsoft signature. Using a publisher identity certificate (PIC) for the third-party signature does not change this behavior.

Starting with Windows Vista, the AllSignersEqual Group Policy controls how Windows ranks Microsoft-signed drivers and third-party-signed drivers. When AllSignersEqual is enabled, Windows treats all Microsoft signatures and third-party signatures as equal with respect to rank when selecting the driver that is the best match for a device.

Note: In Windows Vista and Windows Server 2008, the AllSignersEqual Group Policy is disabled by default. Starting with Windows 7, this Group Policy is enabled by default.

To install a private build of an inbox driver, you must do the following:

  • Build a private version of the inbox driver. You must ensure that the private build outranks the Microsoft-signed version when signatures are treated equally. The private build must also be digitally signed by using tools that are provided with the WDK.

    For more information, see Creating a Private Build of an Inbox Driver.

  • Enable the AllSignersEqual Group Policy on the target system so that the operating system views all Microsoft signature types and third-party signatures as equal in rank when it selects the driver that is the best match for a device.

    For more information, see Configuring Windows to Rank Driver Signatures Equally.

For more information about how Windows ranks drivers, see How Windows Selects Drivers.
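
The following Python sketch is an added illustration, not Microsoft code and not the actual Windows ranking algorithm. It models only the behavior described above: a signature tier that AllSignersEqual collapses, followed by ID match, date, and version. The tier values, the `id_match` scale, and the sample drivers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date

MICROSOFT, THIRD_PARTY = 0, 1   # model-only signature tiers; lower is better

@dataclass(frozen=True)
class Candidate:
    name: str
    signer: int          # MICROSOFT or THIRD_PARTY
    id_match: int        # constructed scale: 0 = hardware ID, 1 = compatible ID
    driver_date: date
    version: tuple       # e.g. (6, 0, 6000, 1)

def rank_key(c, all_signers_equal):
    """Sort key for this model; the smallest key is the best match."""
    # With the policy enabled, every signed driver shares one signature tier.
    sig_tier = 0 if all_signers_equal else c.signer
    # Newer dates and higher versions must sort first, so they are negated.
    return (sig_tier, c.id_match,
            -c.driver_date.toordinal(),
            tuple(-part for part in c.version))

def select_driver(candidates, all_signers_equal):
    """Return the candidate this model would pick for the device."""
    return min(candidates, key=lambda c: rank_key(c, all_signers_equal))

# Constructed sample drivers (not real packages).
INBOX = Candidate("inbox", MICROSOFT, 1, date(2006, 6, 21), (6, 0, 6000, 0))
PRIVATE = Candidate("private-build", THIRD_PARTY, 0,
                    date(2009, 1, 15), (6, 0, 6000, 1))
# Same ID match as the inbox driver; can win only on date or version.
PRIVATE_SAME_ID = Candidate("private-same-id", THIRD_PARTY, 1,
                            date(2009, 1, 15), (6, 0, 6000, 1))
# Older than the inbox driver; never outranks it in this model.
PRIVATE_STALE = Candidate("private-stale", THIRD_PARTY, 1,
                          date(2005, 1, 1), (6, 0, 5000, 0))

if __name__ == "__main__":
    for policy in (False, True):
        for other in (PRIVATE, PRIVATE_SAME_ID, PRIVATE_STALE):
            chosen = select_driver([INBOX, other], policy)
            print(f"AllSignersEqual={policy}: inbox vs {other.name} -> {chosen.name}")
```

With the policy enabled, any third-party-signed package that ranks better on the remaining factors displaces the inbox driver in this model, so the policy state belongs in the configuration baseline of systems where driver provenance matters.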