Examining Windows 10 Anniversary Update's Driver Signing Enforcement Policy
by Brett Howse on October 14, 2016 1:00 PM EST
Windows 10 Anniversary Update came out at the beginning of August, with plenty of new user-facing features. There were plenty of changes under the hood as well, including a change in policy regarding how Windows 10 handles device drivers.
When the 64-bit versions of Windows launched over a decade ago, as a security measure Microsoft decided to require that all kernel mode drivers must be signed in order to be loaded. Under the aptly named cross-signing requirement, hardware vendors would need to get a certificate from one of the major certificate authorities and use that to sign their drivers. The idea was that enforcing signing restrictions would make it much harder for malware to masquerade as a legitimate driver.
This however didn't go quite as well as planned. In particular, malware authors began stealing driver signing certificates from hardware vendors, allowing them to distribute malware that was, for all practical purposes, authentic as far as the operating system was concerned. As a result, when Windows 10 initially launched, Microsoft decided to take things one step further and require that kernel mode drivers not only be signed, but be WHQL signed by Microsoft.
With that said however, Microsoft's plans hit a snag. There were technical complications to this decision, as well as a problem with the ecosystem being ready for this change. So for Windows 10, WHQL signing was a policy statement and not something that was enforced.
Now with the rollout of the Windows 10 Anniversary Update (version 1607) this policy is no longer just policy, but an enforced requirement: on a fully secure x64 system, all kernel mode drivers must be signed by Microsoft. But, as with all rules, there are exceptions. The new requirement does not affect anyone who has upgraded from a previous build of Windows 10, and therefore it only affects new clean installs of Windows 10 1607. Furthermore, the policy is only enforced if Secure Boot is enabled, so for those who require the ability to run traditionally (non-Microsoft) signed kernel mode drivers, one possible workaround is to disable Secure Boot. As a backwards compatibility measure, Microsoft is also allowing the installation of drivers signed with end-entity certificates issued before July 29, 2015 by a supported CA. Finally, to prevent boot issues, boot drivers will not be blocked at this time, but they will be blocked in future versions of Windows.
An example of a warning notice for a driver now blocked under Windows 10 Anniversary Update
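The conditions above (Secure Boot state, who signed the driver, whether the end-entity certificate predates the July 29, 2015 cut-off, and whether the driver is boot-start) can be audited on a running machine. The following PowerShell is an added example, not from the article or from Microsoft; it assumes an elevated prompt on a UEFI system running Windows 10's PowerShell 5.1, where Get-AuthenticodeSignature also resolves catalog-signed (inbox) drivers, and it only takes the string "Microsoft" in the signer subject as a rough indicator of a Microsoft signature.

```powershell
# Added example: audit running kernel drivers against the 1607 signing policy.
$cutoff = [datetime]'2015-07-29'   # end-entity certs issued before this date are grandfathered

# Is the policy in force here? Confirm-SecureBootUEFI throws on legacy-BIOS machines.
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
$release = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ReleaseId
Write-Host "Secure Boot enabled: $secureBoot   Windows 10 release: $release"
Write-Host "(ReleaseId does not reveal whether this was a clean install or an upgrade.)"

# Service database paths come in several forms; normalise them to a real file path.
function Resolve-DriverPath([string]$p) {
    $p = $p -replace '^\\\?\?\\', ''                     # \??\C:\...  -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot    # \SystemRoot\... -> C:\Windows\...
    if ($p -notmatch '^[A-Za-z]:') { $p = Join-Path $env:SystemRoot $p }  # system32\drivers\x.sys
    return $p
}

$drivers = Get-CimInstance Win32_SystemDriver | Where-Object { $_.State -eq 'Running' }

$report = foreach ($d in $drivers) {
    $path = Resolve-DriverPath $d.PathName
    if (-not (Test-Path $path)) { continue }
    $sig  = Get-AuthenticodeSignature -FilePath $path
    $cert = $sig.SignerCertificate
    [pscustomobject]@{
        Driver              = $d.Name
        Status              = $sig.Status                       # Valid, NotSigned, HashMismatch, ...
        Signer              = if ($cert) { $cert.Subject } else { '' }
        MicrosoftSigned     = [bool]($cert -and $cert.Subject -like '*Microsoft*')   # rough indicator
        CertBeforeCutoff    = [bool]($cert -and $cert.NotBefore -lt $cutoff)
        BootStart           = ($d.StartMode -eq 'Boot')          # boot drivers are not blocked yet
    }
}

# Drivers that would rely on an exception (not Microsoft-signed) float to the top.
$report | Sort-Object MicrosoftSigned, Driver | Format-Table -AutoSize
```

A driver that shows MicrosoftSigned false, CertBeforeCutoff false and BootStart false is one that only loads on this machine because it was upgraded in place or because Secure Boot is off.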
Getting to the heart of the matter then, the additional signing requirements for Windows 10 piqued our curiosity on driver compatibility, and as a result we've gone and taken a quick look at how this change impacts the average user. In practice, it shouldn't impact very many people at all, as many hardware vendors only ship WHQL (Microsoft signed) drivers to begin with. But there is one particular segment of hardware manufacturers that still semi-regularly releases non-WHQL drivers, and that's the GPU vendors. Both AMD and, to a lesser extent, NVIDIA periodically release beta, hotfix, and other types of drivers that aren't WHQL signed. The obvious question then is raised: will users still be able to run these non-WHQL driver releases under Windows 10 Anniversary Update?
To answer that question, we reached out to both companies for comment, and while only NVIDIA got back to us, they are not too concerned:
"All of our Game-Ready driver releases are fully WHQL certified, so this shouldn’t significantly impact GeForce users at all." - NVIDIA Spokesperson
As NVIDIA only releases the occasional non-WHQL hotfix driver, they are less likely to be impacted to begin with. And indeed, they haven't had a hotfix release since before the release of Windows 10 Anniversary Update. AMD on the other hand has had a couple such releases, so we decided to simply see what would happen if you installed a non-WHQL driver release on a Secure Boot enabled system.
As it turns out, even AMD driver releases marked as non-WHQL are still sent to Microsoft for signing. As a result they install on Windows 10 Anniversary Update just fine. Now to be technically accurate, AMD could always ship an unsigned driver if they deem it necessary. But as we can see, some thought has been put into this, and the company isn't releasing any drivers that won't install under Windows 10 Anniversary Update. Nor do I expect that NVIDIA would ship unsigned hotfix drivers either.
The net impact to the average user then is essentially zero. Having drivers that are signed by Microsoft but not fully WHQL does blur the line between what is and isn't really WHQL. But because all drivers are being signed regardless of WHQL status, it means that non-WHQL drivers are just as usable under Windows 10 Anniversary Update as they were before with the original release of Windows 10. This, ultimately, was the conclusion we expected to find. But it's nice to be able to confirm what we've already suspected.
Source: Microsoft Hardware Certification Blog
seamonkey79 - Saturday, October 15, 2016
Which prevents the need for such a patch.
sheh - Saturday, October 15, 2016
It can be a memory-patch.
Samus - Sunday, October 16, 2016
If you just turn off Secure Boot I don't think driver validation is required. This driver verification is for secure environments since it operates at the software level (it isn't like an execute disable bit that happens in hardware, but hardware support is obviously required at the BIOS level for this all to work.)
It's important to point out Mac OSX has had this style of driver verification since Snow Leopard, and they now have SOFTWARE verification in Sierra (which for the moment can be bypassed in control center).
BrokenCrayons - Friday, October 14, 2016
You could argue that it's not Microsoft's problem to ensure your business' printers have WHQL drivers. That responsibility falls on the printer manufacturer. It's also part and parcel of running legacy equipment that things will eventually break and wind up unsupported.
It stinks when stuff like that happens and I totally sympathize with you. When something like this happens and established systems start breaking unexpectedly, it makes being an info tech employee a pretty miserable prospect. Explaining to budget-minded managers that they need to purchase new printers because of something Microsoft did to make their operating system "more secure" doesn't make for a fun day at the office. Add grumpy end users wondering why they have to walk to a printer in another department because theirs happened to be one of the legacy ones, and that puts you between two groups of unhappy people. And you end up stuck there throwing your hands up in the air going, "I can't do anything about it!" Yup, that's a hide-under-the-desk-to-cry sort of position.
knightspawn1138 - Friday, October 14, 2016
The problem came from drivers that were actually signed, and WHQL signed, but internally didn't mark themselves as "packaged" drivers for printers. When Microsoft pushed an update that activated this signed driver enforcement, our drivers stopped installing over the network. It took me almost a full day to figure out how to modify the print server so the drivers would install again.
Microsoft doesn't document the repercussions of their (somewhat) arbitrary decisions to lock some "features" into the on or off position. As much as I love Windows 10, this is becoming more problematic while they refine the Win10 experience. Same goes for the Win10 controls and options that still can't be controlled through Group Policy, only registry hacks (that we have to begrudgingly push through GPOs).
Nexing - Saturday, October 15, 2016
This is certainly tragic. Not only printers but almost the entire audio/musical hardware released. These are complete industries going to have problems with Windows 10. Mostly composed of professionals, because big firms will have IT guys, like several of you here, to fix it up ...on a day's lapse, whereas some unique keyboards, mixing boards, etc. have cost years, decades to be acquired and now won't install in W10. If our recently forced (non-uninstallable) W7's programmed tasks are an indication of what is to come, such would be a war field with this issue plus wasted time on something that should instead be an easy working OS tool, not an intruding wall progressively asphyxiating us.
NXTwoThou - Friday, October 14, 2016
At least with the Insider build from last Friday (haven't had to install anything new yet since the most recent), you can still do Settings -> Update & Security -> Recovery -> Advanced Startup -> Restart Now. Then select Troubleshoot, Advanced options, Startup Settings, then the Restart button. Finally use option 7 "Disable driver signature enforcement". Sure, it's a lot of steps, but it's what I had to do to get the drivers working for our CNC machine. You only have to do it when installing; once installed, they continue to work.
Donkey2008 - Sunday, October 16, 2016
Thank you for these instructions.
extide - Friday, October 14, 2016
Are you sure? Because I kind of find it hard to believe that printer drivers would be kernel level drivers and not user level. I guess other stranger things are true, though.
Klimax - Saturday, October 15, 2016
They'd have to be very old. IIRC at best for XP, but likely a bit older. It used to be a popular way to write them. And it had a predictable effect on system stability.