Configure devices and device drivers

  • 2/7/2017

Skill: Driver signing

One of the reasons Windows 10 is more secure than earlier versions of Windows is that kernel mode drivers must now be submitted to and digitally signed by the Windows Hardware Developer Center Dashboard portal. Windows 10 will not load kernel mode drivers that the portal has not signed.

To ensure backward compatibility, drivers that are properly signed by a valid cross-signing certificate will continue to pass signing checks on Windows 10.

Windows 10 also introduces a new Universal Windows driver, which is designed to work on all OneCoreUAP-based editions of Windows, such as Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), Windows 10 Mobile, and Windows 10 Internet of Things Core (IoT Core).

A Universal Windows driver has access to the trusted kernel but can use only a very limited range of the interfaces that are available to a Windows driver. OEMs can supplement the driver functionality by including additional software, but this will be external to the driver. Windows 10 security is made more robust by locking down the kernel to signed drivers and encouraging developers to use the Universal Windows driver model.

For information about how to build, install, deploy, and debug a Universal Windows driver for Windows 10, see Getting Started With Universal Windows Drivers.

If you have a specific need to install an unsigned driver—for example, if you are a developer and work with drivers, and you want to test the driver functionality without having to sign the driver digitally each time—you can invoke a special boot-time configuration setting that bypasses the security the Windows 10 driver enforcement model provides. To load an unsigned driver (not recommended), you can follow these steps.

  1. Log out of Windows 10.

  2. On the logon screen, click the Power button, hold down the Shift key, and click Restart.

  3. On the Choose An Option screen, choose Troubleshoot.

  4. Choose Advanced Options.

  5. On the Advanced Options screen, select Startup Settings and click Restart.

    Advanced Boot Options appears.

  6. Choose Disable Driver Signature Enforcement, as shown in Figure 3-14.

    FIGURE 3-14 Disable Driver Signature Enforcement

  7. Install the unsigned driver and then restart the computer.
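To find drivers on a computer that do not carry a valid signature, for example on a test machine where the procedure above has been used, you can audit the installed driver files from an elevated PowerShell prompt. The following script is an added example, not part of the original text; the function names Resolve-DriverPath and Get-UnverifiedDriver are hypothetical, and the check reflects user-mode Authenticode trust rather than the kernel's own load policy.

```powershell
# Added example: report kernel and file system drivers whose image file does
# not verify as validly signed. Function names are hypothetical.
# Limitation: Get-AuthenticodeSignature evaluates user-mode trust; it does not
# reproduce the kernel's driver load policy.

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in several forms; normalize them.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                            # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\') # \SystemRoot\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-UnverifiedDriver {
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) {
                # A registered driver with no file on disk is worth a look too.
                [pscustomobject]@{
                    Name = $_.Name; State = $_.State; Path = $path
                    Status = 'FileNotFound'; Signer = $null
                }
                return
            }
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            if ($sig.Status -ne 'Valid') {
                [pscustomobject]@{
                    Name   = $_.Name
                    State  = $_.State          # Running or Stopped
                    Path   = $path
                    Status = $sig.Status       # NotSigned, HashMismatch, NotTrusted, ...
                    Signer = $sig.SignerCertificate.Subject
                }
            }
        }
}

# Running drivers first, then by name.
Get-UnverifiedDriver | Sort-Object State, Name | Format-Table -AutoSize
```

An empty result means every registered driver file verified as Valid; any row with State Running and Status NotSigned should be traced back to who installed it and why.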