Device Driver Packages

You can add driver packages to a Windows image before, during, or after you deploy the image. When planning how to add driver packages to your Windows deployment, it's important to understand how driver packages are added to the image, how driver ranking affects deployment, and the digital signature requirements for driver packages.

Adding Driver Packages

You can add driver packages to a Windows image:

For more information, see Understanding Servicing Strategies.

Add driver packages before deployment on an offline Windows image by using DISM

Offline servicing occurs when you modify a Windows image entirely offline without booting the operating system. You can add, remove, and enumerate driver packages on an offline Windows image by using the DISM command-line tool. DISM is installed with Windows and is also distributed in the Windows Assessment and Deployment Kit (Windows ADK). For more information about DISM, see the DISM - Deployment Image Servicing and Management Technical Reference for Windows.

When you add a driver package to an offline image, it's either staged or reflected in the image:

  • Boot-critical driver packages are reflected. In other words, they are added to the Driver Store and then the files are copied into the image according to what's specified in the .inf file as the destination of the files. The system completes installation tasks during the initial boot, including updating the registry.

  • Driver packages that aren't boot critical are staged. In other words, they're added to the Driver Store. After Windows starts, PnP detects the device and installs the matching driver package from the Driver Store.

You can use DISM commands to add or remove driver packages on a mounted or applied Windows or Windows Preinstallation Environment (Windows PE) image.

Note

You can't use DISM to remove inbox driver packages (driver packages that are installed on Windows by default), except for some network drivers. You can use it only to remove third-party or out-of-box driver packages.

You can also use DISM commands to apply an unattended answer file to a mounted or applied Windows image.

For more information, see Add and Remove Drivers to an Offline Windows Image.

If you're using DISM, you can add only .inf driver packages to an offline Windows image. Driver packages that display the Designed for Windows logo are provided as .cab files. You must expand the .cab file before you install the .inf file if you're using DISM for the installation. You must install a driver package that's packaged as a .exe file or another file type on a running Windows operating system. To run a .exe or Windows Installer (.msi) driver package, you can add a custom command to an answer file to install the driver package. For more information, see Add a Custom Command to an Answer File.

Add driver packages during an automated deployment by using Windows Setup and an answer file

You can use an unattended answer file to add driver packages to an image when you use Windows Setup for deployment. In this answer file, you can specify the path of a driver package on a network share (or a local path). You accomplish this by adding the Microsoft-Windows-PnpCustomizationWinPE or Microsoft-Windows-PnpCustomizationNonWinPE components and specifying the configuration passes where you want to install them. When you run Windows Setup and specify the name of the answer file, out-of-box driver packages are staged (added to the Driver Store on the image), and boot-critical driver packages are reflected (added to the image so that they'll be used when the computer boots). Setup uses the answer file. By adding driver packages during the windowsPE or offlineServicing configuration passes, you can add out-of-box driver packages to the Windows image before the computer starts. You can also use this method to add boot-critical driver packages to a Windows image. For more information, see Add Device Drivers to Windows During Windows Setup. For more information about how Windows Setup works, see the Windows Setup Technical Reference.

If you want to add boot-critical driver packages to Windows PE, use the windowsPE configuration pass to reflect the driver packages before the Windows PE image is booted. The difference between adding boot-critical driver packages during the windowsPE configuration pass and adding them during the offlineServicing configuration pass is that during the windowsPE configuration pass, boot-critical driver packages are reflected for Windows PE to use. During the offlineServicing configuration pass, the driver packages are staged to the Driver Store on the Windows image.

Methods for adding driver packages by using Windows Setup include these:

  • Using an answer file to add driver packages during the offlineServicing configuration pass of Setup.
  • Using an answer file to add driver packages during the windowsPE configuration pass of Setup.
  • For Windows Server, placing driver packages in the $WinPEDriver$ directory to be installed automatically during the windowsPE configuration pass of Setup. All drive letters with a value of C or greater are scanned for a $WinPEDriver$ directory. The drive must be accessible to the hard disk during Setup. Make sure that the drive does not require a storage driver to be loaded before it can be accessed.

For more information about these and other configuration passes, see Windows Setup Configuration Passes.

When you're using Windows Deployment Services for deployment in Windows Server, you can add driver packages to your server and configure them to be deployed to clients as part of a network-based installation. You configure this functionality by creating a driver group on the server, adding packages to it, and then adding filters to define which clients will install those driver packages. You can configure driver packages to be installed based on the client's hardware (for example, manufacturer or BIOS vendor) and the edition of the Windows image that's selected during the installation. You can also configure whether clients install all packages in a driver group or only the driver packages that match the installed hardware on the client. For more information about how to implement this functionality, see the Windows Deployment Services documentation.

Add driver packages after deployment on a running operating system by using PnPUtil or an answer file

You can use the PnPUtil tool to add or remove driver packages on a running operating system. Alternatively, you can use an answer file to automate the installation of the driver packages when the computer is booted in audit mode. These methods can be helpful if you want to maintain a simple Windows image, and then add only the driver packages that are required for a specific hardware configuration. For more information about how to use audit mode, see Boot Windows to Audit Mode or OOBE.

Methods for adding driver packages online to a running operating system include these:

Driver packages for S mode

Driver packages in Windows S mode must meet certain requirements. See Windows 10 S driver requirements to learn about the types of driver packages you can add to Windows in S mode.

Managing Driver Folders

If you're adding multiple driver packages, you should create separate folders in your source location for each driver package or driver package category. This makes sure that there are no conflicts when you add driver packages that have the same file name. After the driver package is installed on the operating system, it's renamed to Oem*.inf to ensure unique file names in the operating system. For example, the staged drivers named MyDriver1.inf and MyDriver2.inf may be renamed to Oem0.inf and Oem1.inf after they're installed.

When you specify a device-driver path in an answer file, all .inf driver packages in the specified directory and subdirectories are added to the Driver Store of the Windows image. For example, if you want all of the driver packages in the C:\MyDrivers\Networking, C:\MyDrivers\Video, and C:\MyDrivers\Audio directories to be available in your Windows image, specify the device-driver path, C:\MyDrivers, in your answer file. If you're not using an answer file, you can use the /recurse command in DISM. For more information about the /recurse command, see DISM Driver Servicing Command-Line Options. This command makes sure that all driver packages in each subdirectory will be added to the Driver Store in your Windows image.

If all driver packages in the specified directory and subdirectories are added to the image, you should manage the answer file or your DISM commands and these directories carefully. Do your best to address concerns about increasing the size of the image through unnecessary driver packages.

Understanding Driver Ranking

One of the most common issues in deploying driver packages happens when a driver package is successfully imported into the driver store but, after the system is online, PnP finds a better-ranking driver and installs that driver instead.

The Windows PnP manager ranks these driver package properties in order of importance:

  1. Signing
  2. PnP ID match
  3. Driver date
  4. Driver version

For example, if a driver package has a better PnP ID match but is unsigned, a signed driver package that has a compatible ID match takes precedence. An older driver package can outrank a newer driver package if the older driver package has a better PnP ID match or signature.

For more information about driver package ranking, see How Windows Ranks Drivers.

Understanding Digital Signature Requirements

Signed driver packages are a key security feature in Windows. Driver packages that are installed on x64-based computers must have a digital signature. Although it isn't required, we recommend making sure that driver packages are signed before you install them on x86-based computers.

All boot-critical driver binary files must contain embedded signatures. For example, kernel mode .sys files that are critical for accessing the boot disk.

There are two ways that a driver binary file can be signed:

  • Boot-critical kernel mode driver binary files are digitally signed via a method called embedded signing. Embedded signatures improve boot loading performance. For driver binary files that are not part of a PnP driver package, signatures should be embedded so that they're not lost during an upgrade of the operating system.

  • Digitally signed PnP driver packages contain a catalog (.cat) file that's digitally signed. The catalog file contains a hash of all the files in the driver package's .inf file for installation. A signed catalog file is all that's required to correctly install most PnP driver packages.

Either of these sources can sign driver packages:

  • Windows Hardware Quality Labs (WHQL), which makes sure that your driver packages qualify for the Windows Hardware Certification Program. WHQL creates a signed driver package catalog. For boot-critical driver binary files, you should add embedded signatures instead of relying on the catalog. Embedded signatures in boot-critical driver binary files optimize boot performance of the operating system by eliminating the requirement to locate the appropriate catalog file when the operating system loader verifies the driver signature.

  • A certification authority (CA), by using a Software Publishing Certificate (SPC). For boot-critical and x64-based kernel driver binary files, Microsoft provides an additional certificate that can be used to cross-sign the driver binary files. Driver binary files that aren't boot critical don't have to be cross-signed by Microsoft or embedded. You can use the Windows Kernel Mode Code Signing process if you need the flexibility of signing the driver binary files yourself. For information about digital signatures for kernel modules on x64-based systems, see 64-Bit Driver Guidelines.

For testing, you can also use test certificates.

If you have received an unsigned driver package from a vendor for testing, you can use a test signature to validate the driver package and to test the installation. Test signing is the act of digitally signing an application by using a private key and a corresponding code-signing certificate that's trusted only in the confines of a test environment.

These are the primary ways to generate such test-signing certificates:

  • Developers can generate their own self-signed certificates.
  • A CA can issue certificates.

For either option, test-signing certificates must be clearly identified as appropriate only for testing. For example, the word "test" can be included in the certificate subject name, and additional legal disclaimers can be included in the certificate. Production certificates that are issued by commercial CAs must be reserved for signing only public beta releases and public final releases of software and internal line-of-business software.

For more information, see Requirements for Device Driver Signing and Staging.

When you're adding test-signed driver packages to Windows, consider these points:

  • You must install the test certificates on a running operating system. You can't install them offline.

  • The certificate of the CA that issued the test certificate must be inserted in the Trusted Root Certification Authorities certificate store.

    [note]  If the test certificate is self-signed—for example, by using the Certificate Creation Tool (MakeCert)—the test certificate must be inserted in the Trusted Root Certification Authorities certificate store.

  • The test certificate that's used to sign the driver package must be inserted in the Trusted Publishers certificate store.

  • You must add test certificates online (to a booted instance of the Windows image) before you can use the Deployment Image Servicing and Management (DISM) command-line tool to add test-signed driver packages offline.

  • DISM validates WHQL certifications only for boot-critical driver packages. But, a DISM command-line option can override this behavior. For more information, see DISM Driver Servicing Command-Line Options.

  • To install and verify test-signed driver packages on 64-bit operating systems, set the Windows boot configuration to test mode by using the BCDedit tool on the destination computer. Test mode verifies that the driver image is signed, but certificate path validation doesn't require the issuer to be configured as a trusted root authority. For the PnP driver installation and ranking logic to treat the driver package correctly, the test certificate must be stored in the trusted certificate store of the operating system image. For information about test mode during development, see 64-Bit Driver Guidelines.

Caution

If an unsigned or invalid boot-critical driver package is installed on an x64-based computer, the computer will not boot. The unsigned or invalid boot-critical driver package will cause a Stop error. You should remove the driver package from the image. If you're performing an upgrade, make sure that unsigned driver packages and their associated applications, services, or devices are removed or updated with a signed driver package.

If you don't enable test mode by using BCDedit, and you have a test-signed driver package installed, your computer will not boot. If you use DISM to remove the driver package, all instances of the reflected driver package might not be removed. So, we recommend that you don't deploy images that have test-signed driver packages installed.

Additional Resources

These websites provide more information about driver package requirements:

Add a Device Driver Path to an Answer File

Add a Driver Online in Audit Mode

DISM Driver Servicing Command-Line Options

Add and Remove Drivers to an Offline Windows Image

Add Device Drivers to Windows During Windows Setup

Maintain Driver Configurations when Capturing a Windows Image

BCDboot Command-Line Options

Deployment Troubleshooting and Log Files