Examining Windows 10 Anniversary Update's Driver Signing Enforcement Policy
by Brett Howse on October 14, 2016 1:00 PM EST- Posted in
- Software
- AMD
- Operating Systems
- Windows
- Microsoft
- NVIDIA
- Windows 10
Windows 10 Anniversary Update came out at the beginning of August, with plenty of new user-facing features. There were also plenty of changes under the hood as well, including a change in policy regarding how Windows 10 handles device drivers.
When the 64-bit versions of Windows launched over a decade ago, as a security measure Microsoft decided to require that all kernel mode drivers must be signed to be loaded. Under the aptly named cross-signing requirement, hardware vendors would need to get a certificate from one of the major certificate authorities, and use that to sign their drivers. The idea being that by enforcing signing restrictions, it would be much harder for malware to masquerade as legitimate drivers.
This however didn't go quite as well as planned. In particular, malware authors begun stealing driver signing certificates from hardware vendors, allowing them to distribute malware that was for all practical purposes authentic as far as the operating system was concerned. As a result, when Windows 10 initially launched, Microsoft decided to take things one step further and require that not only would kernel mode drivers need to be signed, but that they would need to be WHQL signed by Microsoft.
With that said however, Microsoft's plans hit a snag. There were technical complications to this decision, as well as a problem with the ecosystem being ready for this change. So for Windows 10, WHQL signing was a policy statement and not something that was enforced.
Now with the rollout of the Windows 10 Anniversary Update (version 1607) this policy is no longer just policy, but an enforced requirement: in a fully secure x64 system, all kernel mode drivers must be signed by Microsoft. But, as with all rules, there are exceptions. The new requirement does not affect anyone who has upgraded from a previous build of Windows 10, and therefore it only affects new clean installs of Windows 10 1607. Furthermore the policy is only enforced if Secure Boot is enabled, so for those that require the ability to run traditionally (non-Microsoft) signed kernel mode drivers, one possible work around is to disable Secure Boot. As a backwards compatibility measure, Microsoft is also allowing the installation of drivers signed with end-entity certificates issued before July 29, 2015 which are signed by a supported CA. Finally, to prevent boot issues, boot drivers will not be blocked at this time, but the will be blocked in future versions of Windows.
An example of a warning notice for a driver now blocked under Windows 10 Anniversary Update
Getting to heart of matters then, the additional signing requirements for Windows 10 piqued our curiosity on driver compatibility, and as a result we've gone and taken a quick look at how this change impacts the average user. In practice, it shouldn’t impact very many people at all, as many hardware vendors only ship WHQL (Microsoft signed) drivers to begin with. But there is one particular segment of hardware manufacturers that still semi-regularly release non-WHQL drivers, and that's the GPU vendors. Both AMD and to a lesser extent NVIDIA periodically release beta, hotfix, and other types of drivers that aren't WHQL signed. The obvious question then is raised: will users still be able to run these non-WHQL driver releases under Windows 10 Anniversary Update?
To answer that question, we reached out to both companies for comment, and while only NVIDIA got back to us, they are not too concerned:
"All of our Game-Ready driver releases are fully WHQL certified, so this shouldn’t significantly impact GeForce users at all." - NVIDIA Spokesperson
As NVIDIA only releases the occasional non-WHQL hotfix driver, they are less likely to be impacted to begin with. And indeed, they haven't had a hotfix release since before the release of Windows 10 Anniversary Update. AMD on the other hand has had a couple such releases, so we decided to simply see what would happen if you installed a non-WHQL driver release on a Secure Boot enabled system.
As it turns out, even AMD driver releases marked as non-WHQL are still sent to Microsoft for signing. And as a result they install on Windows 10 Anniversary Update just fine. Now to be technically accurate, AMD could always ship an unsigned driver if they deem it necessary. But as we can see, some thought has been put into this, and the company isn't releasing any drivers that won't install under Windows 10 Anniversary Update. Nor, do I expect that NVIDIA would ship unsigned hotfix drivers either.
The net impact to the average user then is essentially zero. Having drivers that are signed by Microsoft but not fully WHQL does blur the line between what is and isn't really WHQL. But because all drivers are being signed regardless of WHQL status, it means that non-WHQL drivers are just as usable under Windows 10 Anniversary Update as they were before with the original release of Windows 10. This, ultimately, was the conclusion we expected to find. But it's nice to be able to confirm what we've already suspected.
Source: Microsoft Hardware Certification Blog
Facebook
Twitter
RSS
85 Comments
View All Comments
JasonMZW20 - Saturday, October 15, 2016 - link
This is definitely for DRM and Universal Windows Platform apps with security on the side.If I run an unsigned video or audio driver, UWP apps refuse to load DRM material and say that the driver installed is unsupported or my system is currently unsupported.
Never mind that UWP apps sound terrible, as they bypass all of my sound card's processing and features. Bass and treble control? What's that? It's all generic. My SB X-Fi Titanium (PCIe) has a UAA component to use generic MS drivers, and I'm sure I'll be forced to use them at some point.
Alexvrb - Saturday, October 15, 2016 - link
That could very well be Creative's fault or the game developer. Their drivers are godawful. Even the latest drivers for my newer and better-supported-on-Win10 Sound Blaster Z-series card have some minor issues. I don't know if you noticed but Creative has virtually killed off their sound "card" business. Look at their support website as an example. You have to click on "Sound Blaster" which pictures an external unit. Then you have to click on the tiny lettering at the bottom "If your product is not listed above, please click here". It's like hey you with the unsupported crap, down here.It's a shame too because the sound cards themselves are very good and far superior in terms of sound quality, compared to most onboard solutions.
nevcairiel - Saturday, October 15, 2016 - link
Was anyone really surprised big names like AMD or NVIDIA are not affected by this? If they can't figure it out, how would anyone?What I would really have liked is a look at how small independent companies are supposed to handle this gracefully, especially if they provide software-only drivers (say loopback audio devices ala Virtual Audio Cable and similar things), because those are those that are really stuck trying to figure it out, not huge companies like AMD or NVIDIA.
Achaios - Sunday, October 16, 2016 - link
This update is BS as is all the additional "security" BS. If you are a small fish, you don't need any of these fancy "security" features, and if you are a big fish, you have your IT dept. working on custom solutions to protect you.Happily sailing on Windows 7 and will be for years to come.
marty1980 - Sunday, October 16, 2016 - link
The only device I've had problems with on Win10 is a generic Xbox controller USB adapter. The driver isn't signed and so I have to turn off driver signing in order to use my 360 controllers with my PC.Eventually this will work itself out as I move onto PS4 and XBO controllers on PC, but for now I have to completely disable driver signing to play.
The best approaches for driver certifications require online connectivity (think: SSL certs). But that's a huge problem when a common driver to be installed is for networking adapters.
Microsoft having to sign every driver is a burden. Who is going to pay for that if not the device manufacturers?
Do we need driver signing?
Yes: protect users down to the lowest common denominator
No: let users choices have their consequences
Maybe: if it can be done in a low cost, efficient manner that is widely accepted by the industry
Alexvrb - Monday, October 17, 2016 - link
Wait, you're using a generic adapter for wireless 360 controllers? Interesting... the nice thing about the XB1 controllers is that they're dual wired/wireless. If you don't have/want the wireless adapter, you can just use a regular USB to micro USB cable.marty1980 - Monday, October 17, 2016 - link
The PC in question isn't well positioned for tethered accessories. Wireless is kind of a necessity. But yes, I bought a cheap-o adapter years ago off Amazon. It works great once the driver is loaded, so I've never bought a replacement.I did mention that eventually I will move onto XB1 and/or PS4 controllers. Though I still won't be using them wired. So I will need new adapters and I'm likely to just buy the official Sony and Microsoft adapters this time to avoid driver issues.
Alexvrb - Tuesday, October 18, 2016 - link
Right, I was just saying for those who prefer wired for their PCs, it's nice to be able to use the same controller. I previously had one wired 360 controller for my PC and the other was wireless and used on the 360. I like the simplicity, no resyncing of the wireless controller needed. With the XB1 controller all I have to do is plug in an mUSB so I don't mind using the same controller.But yeah there are cases even for PCs where wireless is the only way to go. The newer XB1 receiver is pretty decent. Can do something like up to 8 controllers at a time so if it's being used for HTPC there's lots of possibilities. Personally I'd fire up Yabause (Saturn emulator) for Saturn Bomberman 8 player matches! Bring your own controller. :P Yes I know there was even a 10 player map but only the one, whereas there were 7 or 8 fields total that could do 8 players IIRC. So 8 is perfect.
jeffwilsontech - Sunday, October 16, 2016 - link
I support this policy change by Microsoft even though it broke some functionality on my system recently.Following the release of 1607, I did a fresh install on my Precision workstation at work. I'm an IT pro/dev and decided to go full best-practices with my workstation build, so I built my workstation to not only utilize Secure Boot, TPM 2 and the latest Ring -1 Hyper-v technique to protect against pass the hash attacks. This essentially makes my workstation OS a VM with an ultra-light and highly-segmented OS that boots and stores hashes of my credentials.
Anyway, all went well: Firepro drivers installed without a hitch (Microsoft handled it) and soon enough I was able to install my tools.
One program I use daily is http debugger pro. Like Fiddler, HTTP debugger Pro offers me the ability to decrypt TLS connections and inspect HTTP traffic hitting my machine. To do this, HTTP Debugger PRo installs a driver in windows/system32. As you can imagine, .sys files located in system32 are important and version 1607 didn't like the SHA-1, standard DV signature on HTTP Debugger Pro's .sys file. So it barfed, refused to let me use the driver, and I couldn't decrypt HTTPS traffic.
I reported the problem to the dev and working with him over the next month we got it working. I felt bad for the guy because he had to fork out some serious cash to purchase an EV certificate to sign his driver. I offered to give him a couple extra bucks on top of the cost of the software but he refused.
Ultimately he produced a build of the software that satisfied the strict new requirements from Microsoft and I couldn't be happier. I hate software -security software in particular- that requires me to weaken the security posture of my machine and thereby my organization.
I expect this policy change will hit small devs as well, not just big guys like Nvidia and AMD.
erple2 - Sunday, October 16, 2016 - link
Wait, what? They're requiring an EV cert? That seems excessive.