Microsoft has just published a new Channel 9 Video that explains many of our long-standing questions about driver signing. The video was made during last month’s PlugFest that took place at MSFT.
The basic policy is “New drivers must be signed by Microsoft” — This will be enforced starting in Windows Anniversary Edition (RS1) and Server 2016. Everything else is an exception to this rule.
So, what are the exceptions? They are:
- Old drivers signed with a certificate issued prior to 29 July 2015 will work if cross-signed.
- Systems that are upgraded will work with drivers that are cross-signed.
- If Secure Boot is OFF, drivers with cross-signing will work.
- There will be a registry key (designed for use during testing) to allow cross-signed drivers to load even on systems with Secure Boot enabled. No, the registry key has not been announced yet.
For Windows Client systems, you can use Attestation Signing to be able to load your drivers on Win10 Anniversary Update. And yes… this will work even on systems that have Secure Boot enabled.
For Windows Server systems, Attestation Signing is not an option. As we’ve been hearing for quite a long time, if you want to run on Windows Server 2016 systems (and you don’t fit one of the exceptions listed previously) you will need to pass the HLK tests.
Watch the video. It’s got a lot more detail than the above, especially lots of good stuff about Server 2016 requirements, Azure, and storage testing requirements. Very good stuff, and sort of boring, but well worth the hour it’ll take you to watch the entire video.
Again, here’s the link: