Secure Boot Microsoft

In April of last year, Microsoft announced that future kernel mode drivers would need to be digitally signed by the Windows Hardware Developer Center Dashboard portal. In addition, subsequent submissions have needed a valid EV signing certificate.

Since then, Microsoft has been very lax on the issue. The rules were policy only and were not enforced by Windows Code Integrity. Starting with new Windows 10 version 1607 installs, this will no longer be the case.

The conditions will now enforce on an OS level, and the platform will refuse to load any kernel mode drivers that don’t meet requirements. This does not apply to users who are upgrading from an earlier Windows version to 1607.

“We’re making these changes to help make Windows more secure,” says content developer Joshua Baxter,“these changes limit the risk of an end-user system being compromised by malicious driver software.”

Exceptions

As mentioned earlier, the restrictions only apply to fresh installs. The user also needs to enable Secure Boot, or the checks will not run.

Microsoft lists all other exceptions in the FAQ:

  • “PCs upgrading from a release of Windows prior to Windows 10 Version 1607 will still permit installation of cross-signed drivers.
  • PCs with Secure Boot OFF will still permit installation of cross-signed drivers.
  • Drivers signed with cross-signing certificate issued prior to July 29th 2015, when the initial policy went into place, will continue to be allowed.
  • To prevent systems from failing to boot properly, boot drivers will not be blocked, but they will be removed by the Program Compatibility Assistant.”

The company encourages developers to submit new drivers to the Windows Hardware Developer Portal. They also need to begin the EV certificate process by following this documentation.