Starting in Windows 10 version 1607, new kernel mode drivers will not be loaded unless they have been signed by Microsoft, the company announced.
The change, the Redmond-based tech giant says, will affect all new operating system installations, but will not affect users who are upgrading from older Windows versions. In fact, Microsoft says, drivers signed with a valid cross-signing certificate issued before July 29, 2015 do not need to be re-signed.
Microsoft announced in April last year that Windows 10 would require kernel mode drivers to be submitted to the Windows Hardware Developer Center Dashboard portal to be digitally signed. However, the company didn’t enforce the policy until now, “due to technical and ecosystem readiness issues,” Microsoft’s Joshua Baxter reveals.
Starting in version 1607, Windows 10 Code Integrity will enforce the new policy on kernel drivers and will block them from loading unless they have been properly signed, but only on new installations with Secure Boot on. Version 1607 is the platform’s Anniversary Update, scheduled to start rolling out on August 2.
The change, Baxter explains, should improve security in Windows 10 by limiting the risk of an end-user system being compromised by malicious drivers. However, he notes that the enforcement will happen only on fresh installations with Secure Boot on, and that it applies to new kernel mode drivers only.
Basically, computers upgrading from previous Windows releases will still benefit from the installation of cross-signed drivers, the same as those with Secure Boot OFF. Drivers signed with cross-signing certificate issued prior to July 29, 2015, when the initial policy went into place, will still be allowed. Previous versions of Windows will not be affected.
“To prevent systems from failing to boot properly, boot drivers will not be blocked, but they will be removed by the Program Compatibility Assistant. Future versions of Windows will block boot drivers,” Baxter notes.
Developers are encouraged to head to the Windows Hardware Developer Center Dashboard portal to sign their drivers to ensure compatibility. According to Microsoft, all new submissions need to be signed with an EV Code Signing Certificate, even if the developer is targeting older versions of Windows with their driver package.
To sign drivers to ensure they are compatible with Windows 10 and previous Windows releases (Vista through Windows 8.1), developers need to run the HLK tests for Windows 10 and the HCK tests for Windows 8.1 and earlier versions, then using the Windows 10 HLK, merge the two test logs and submit the results, along with the driver, to the portal.
“The portal will sign the driver correctly such that it will work on all platforms that you indicate,” Baxter explains.
Related: Windows Information Protection to Address Data Leaks in Windows 10
Related: Researchers Use Disk Cleanup to Bypass UAC on Windows 10