Microsoft has changed the rules for signing kernel drivers in Windows 10, version 1607 (Anniversary Update). Here are some further details.
Last year Microsoft announced that after the release of Windows 10 that kernel mode drivers for this OS must be submitted to the Windows Hardware Developer Center Dashboard portal (Dev Portal) to be digitally signed by Microsoft. The goal was to assure code integrity. Due to readiness issues, this wasn’t enforced in Windows 10 RTM and version 1511.
But with Windows 10, version 1607, the new driver signing rules will be enforced by the Operating System. Windows 10 will not load kernel drivers not signed by Microsoft. So driver developers are forced to submit their drivers to Microsoft to be digitally signed.
But wait, there are a couple of exceptions from this rule in Windows 10, version 1607 – so you still can use cross-signed drivers for a while.
- The new driver signing rules only happens on fresh installations, with Secure Boot on, and only applies to new kernel mode drivers.
- Kernel mode drivers with cross-signing certificate issued before 29. July 2015 will continue to be allowed.
- Systems upgrading from a release of Windows prior to Windows 10 Version 1607 will still permit installation of cross-signed drivers.
- Systems (PCs) with Secure Boot OFF will still permit installation of cross-signed drivers.
- To prevent systems from failing to boot properly, boot drivers will not be blocked, but they will be removed by the Program Compatibility Assistant. Future versions of Windows will block boot drivers.
On non-upgraded fresh installations of Windows 10, version 1607 with Secure Boot ON, drivers must be signed by Microsoft or with cross-signed certificates issued prior to July 29th, 2015. Further details may be found in this technet article.