Windows 10: Attention, driver signing changes in 2021, cross-signed drivers no longer usable

Microsoft will end support for root certificates with kernel-mode signing capabilities in the Microsoft Trusted Root program in the first half of 2021. This means that cross-signed drivers from vendors that have not updated them will no longer be able to be loaded or installed under Windows 10.

I came across the topic again at the end of the year through a discussion on Twitter. The discussion was held in German, but it covers the changes in driver signing for Windows 10 in the first half of 2021.

Drivers must be properly digitally signed

Back in 2015, there was a Techcommunity post Driver Signing changes in Windows 10 that pointed out the driver signing changes for Windows 10 and was last updated in March 2019. Windows 10 will not load new kernel-mode drivers that are not signed by the portal. For a transition period, however, drivers could still be digitally signed with other certificates (cross-signing).

Root certificates with kernel-mode signing functions become invalid

But the whole thing is now coming to an end, because in 2021 Microsoft will end support for root certificates with kernel-mode signing in the Microsoft Trusted Root program. Drivers with cross-signed certificates will then lose their trust status. The colleagues from the German site deskmodder.de pointed out this circumstance in this article at the end of November 2020. Between February 22, 2021 and April 15, 2021, depending on the certificate, drivers with cross-signed certificates lose their trust status and can neither be installed nor loaded.

Problem: Old drivers with third-party signature

Since drivers are now updated via Windows Update, most vendors that are potentially affected should deliver an updated version signed by the Microsoft portal. The problem is old hardware that depends on cross-signed drivers for which the vendors no longer provide a driver update. This hardware will then no longer work for lack of a loadable driver.

How to check the driver? How to mitigate?

Martin Brinkmann pointed out on ghacks.com in this article that you can use the tool SignTool.exe, which is included in Visual Studio, to check in a command prompt window whether a driver will still load after the dates given above. To do this, enter the following command:


signtool verify /v /kp <driver-name.sys>

Here <driver-name.sys> stands for the driver in question. If drivers are found that will stop working, it is (still) possible to disable the strict driver signature check globally under Windows 10 with the command:

bcdedit.exe /set nointegritychecks on

However, this reduces the security of the system, since the integrity of the installed drivers is no longer checked. With the command:

bcdedit.exe /set nointegritychecks off

the strict driver signature check can be reactivated when Windows 10 loads. By the way, the whole thing has no impact on Windows 8.1 and Windows Server 2012 R2, since the changes refer to Windows 10 and its server counterparts.
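The signtool check above is done one driver at a time. The following PowerShell script is an added example (not part of the original post or of the ghacks article) that runs the same `signtool verify /v /kp` check over every kernel driver registered on the machine, reports which ones do not carry a Microsoft portal signature, and then reads the current `nointegritychecks` setting without changing it. It assumes that `signtool.exe` is on the PATH (or that `$SignTool` is pointed at the SDK copy), that the script runs from an elevated prompt, and that a leaf signer whose subject starts with "Microsoft Windows" indicates a driver signed through the Microsoft portal; that last point is a heuristic, not a documented rule.

```powershell
# Added example, not from the original post. Scans registered kernel drivers with
# signtool.exe (as the post describes) and reports the ones to worry about.
# Assumptions: signtool.exe is on PATH or $SignTool holds its full path;
# run from an elevated PowerShell prompt.

$SignTool = "signtool.exe"   # e.g. "C:\Program Files (x86)\Windows Kits\10\bin\<version>\x64\signtool.exe"

# Win32_SystemDriver.PathName can be a plain path, "\??\C:\..." or "\SystemRoot\...";
# normalise it to a path that Test-Path and signtool understand.
function Resolve-DriverPath([string]$p) {
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    return $p
}

$drivers = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (Test-Path $path) { [pscustomobject]@{ Name = $_.Name; Path = $path } }
    }

$results = foreach ($d in $drivers) {
    # /kp verifies against the kernel-mode driver policy, /v prints the chain.
    $null = & $SignTool verify /v /kp $d.Path 2>&1 | Out-String
    $signToolOk = ($LASTEXITCODE -eq 0)

    # Leaf signer of the primary signature; drivers can be dual-signed, in which
    # case only the primary signature is inspected here.
    $sig    = Get-AuthenticodeSignature -FilePath $d.Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { "(unsigned)" }

    # Heuristic (assumption): portal-signed drivers have a leaf issued to
    # "Microsoft Windows ..."; cross-signed vendor chains do not.
    $portalSigned = $signer -match 'CN=Microsoft Windows'

    [pscustomobject]@{
        Name         = $d.Name
        Path         = $d.Path
        SignToolOK   = $signToolOk
        PortalSigned = $portalSigned
        Signer       = $signer
    }
}

# Drivers that still verify today but do not chain to a Microsoft portal
# signature are the candidates for the cross-signing cutoff.
$results | Where-Object { -not $_.PortalSigned } |
    Sort-Object Name |
    Format-Table Name, SignToolOK, Signer -AutoSize

# Read-only look at the setting the post mentions; nothing is changed here.
$bcd = bcdedit /enum "{current}" | Out-String
if ($bcd -match 'nointegritychecks\s+Yes') {
    Write-Warning "nointegritychecks is ON: driver signature enforcement is disabled for this boot entry."
} else {
    Write-Host "nointegritychecks is not set: driver signature enforcement is active."
}
```

Run it before the cutoff dates and keep the list of non-portal-signed drivers: those are the ones to ask the vendor about, and the ones that would justify a hardware replacement rather than leaving `nointegritychecks` switched on.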
