OSR Online Lists > ntdev
  Message 1 of 12  
10 Mar 17 14:16
Andrii Chabykin
xxxxxx@gmail.com
Join Date: 13 Jan 2014
Posts To This List: 29
Secure Boot vs non-PnP driver

Hi, Gentlemen. When I try to start my device driver (control device + WFP callouts), I get an error from Windows: A digitally signed driver is required. I'm aware of the Windows 10 Anniversary Update with Secure Boot enabled. Fine, I need an HCK signature or to remove the timestamp during the signing process. Why does my PNP driver install and work as expected? Shouldn't it suffer from the same restrictions (it's signed by the same certificate, not HCK approved)? Thank you.
  Message 2 of 12  
10 Mar 17 15:52
Doron Holan
xxxxxx@microsoft.com
Join Date: 08 Sep 2005
Posts To This List: 10065
Secure Boot vs non-PnP driver

Is your non pnp driver embed signed? Bent from my phone
  Message 3 of 12  
10 Mar 17 16:20
Andrii Chabykin
xxxxxx@gmail.com
Join Date: 13 Jan 2014
Posts To This List: 29
Secure Boot vs non-PnP driver

Hi Doron, sys and cat files are both signed. So, yes, it is embed signed.
  Message 4 of 12  
11 Mar 17 07:18
Jason Stephenson
xxxxxx@live.co.uk
Join Date: 13 Jul 2015
Posts To This List: 47
Secure Boot vs non-PnP driver

I was under the impression that Win10 AU (and WinServer16) drivers only needed to be attestation signed unless the WHQL device guard code policy is enforced? (https://technet.microsoft.com/en-us/itpro/windows/keep-secure/deploy-code-integrity-policies-policy-rules-and-file-rules)
  Message 5 of 12  
11 Mar 17 14:15
prabhakar vinayagam
xxxxxx@gmail.com
Join Date: 29 Jan 2016
Posts To This List: 83
Secure Boot vs non-PnP driver

It's common that when you go to a higher version of developing drivers for Windows flavours, it's required to get a signature for the cat and sys files using sign tool and a certification from a vendor where you can generate the signature for a driver, and after your driver works fine and passes the HLK test cases it needs to be certified by MSDN, or else it looks like a false driver. If you need to load the driver, please select disable driver signature enforcement in advanced system settings.

Regards, Prabhakar
  Message 6 of 12  
16 Mar 17 15:38
Andrii Chabykin
xxxxxx@gmail.com
Join Date: 13 Jan 2014
Posts To This List: 29
Secure Boot vs non-PnP driver

Guys, I can load the driver on MY machine :). I want to load it on ANY machine. I thought that if there is a Secure Boot policy - all drivers should not load (if they fail to qualify). And I got surprised by my PNP driver actually loaded and working just fine whereas my non-PNP driver is not allowed to load/start.
  Message 7 of 12  
17 Mar 17 10:53
Eric Berge
xxxxxx@gmail.com
Join Date: 17 Oct 2011
Posts To This List: 15
Secure Boot vs non-PnP driver

There are several aspects of this:

To test your driver on Windows 10 AU with secure boot, be sure that you installed from a Windows 10 AU installer. Installing Windows 10 RTM and then upgrading to AU will not enforce the requirement to be either Attestation or HLK signed by Microsoft.

Note that Windows 10 does not require HLK signing for Windows 10, just Windows Server 2016. You mention HCK above but that only refers to pre-Windows 10 systems, so I believe you meant HLK in this case. The requirement is for Attestation or HLK signing.

(An interesting fact about Server 2016 is that Attestation signed drivers work under Secure Boot on Server 2016 but Microsoft, in my experience, has refused to admit this. This leads me to the conclusion that to protect yourself you want to get to HLK signing before Microsoft releases a new version of Server 2016 that drops the support for Attestation signed drivers.)

The above said, I do find it confusing that your non-PNP driver fails to load whereas the PNP driver loads successfully. My experience is limited to working with non-PNP drivers and based on following others' experience here my expectation is that PNP drivers have to pass more stringent conditions to load (perhaps in validation of the platforms supported in the cat file during load?) but, again, since I don't work with PNP drivers others can give better specifics on this than I can.
  Message 8 of 12  
17 Mar 17 17:09
Andrii Chabykin
xxxxxx@gmail.com
Join Date: 13 Jan 2014
Posts To This List: 29
Secure Boot vs non-PnP driver

Guys, I can load the driver on MY machine :). I want to load it on ANY machine. I thought that if there is a Secure Boot policy - all drivers should not load (if they fail to qualify). And I got surprised by my PNP driver actually loaded and working just fine whereas my non-PNP driver is not allowed to load/start.
  Message 9 of 12  
20 Mar 17 10:30
Gabe Jones
xxxxxx@ni.com
Join Date: 19 Mar 2012
Posts To This List: 41
Secure Boot vs non-PnP driver

A few things to check:

* Is your PNP driver signed with a certificate that predates Win10 RTM, whereas the non-PNP driver is signed with a newer cert?
* Is your PNP driver a boot start driver, while your non-PNP driver is not?
* Have you checked the Code Integrity event logs for anything interesting? (From Event Viewer: Applications and Services Logs->Microsoft->Windows->CodeIntegrity)
  Message 10 of 12  
20 Mar 17 16:23
Andrii Chabykin
xxxxxx@gmail.com
Join Date: 13 Jan 2014
Posts To This List: 29
Secure Boot vs non-PnP driver

They are both signed with the same certificate. My PNP driver is SERVICE_DEMAND_START.

CodeIntegrity error record says:

Windows is unable to verify the image integrity of the file \Device\HarddiskVolume4\Program Files (x86)\ProductName\bin\DriverName.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Wild guess is that it requires inf/cat files to be installed into the store.
  Message 11 of 12  
20 Mar 17 16:53
Andrii Chabykin
xxxxxx@gmail.com
Join Date: 13 Jan 2014
Posts To This List: 29
Secure Boot vs non-PnP driver

Update: certificates are different, my bad, as always. PNP driver is signed with an old (something like Mar-2015) certificate. That's why it loads...
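
The three checks from message 9 and the finding in message 11, gathered into one script. This is an added example, not code posted by anyone in the thread: the service names and paths are placeholders, and the 29 July 2015 default cutoff (the Windows 10 release date) is an assumption standing in for "predates Win10 RTM".

```powershell
# Added example. Service names and paths are placeholders; pass your own.
param(
    [hashtable]$Drivers = @{
        'MyPnpDriver'     = 'C:\Windows\System32\drivers\MyPnpDriver.sys'
        'MyCalloutDriver' = 'C:\Program Files (x86)\ProductName\bin\DriverName.sys'
    },
    # Assumption: Windows 10 release date, standing in for "predates Win10 RTM".
    [datetime]$CertCutoff = '2015-07-29'
)
function Get-SecureBootState {
    # Throws on legacy BIOS systems or without elevation, so report that instead.
    try { if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'On' } else { 'Off' } }
    catch { "Unknown: $($_.Exception.Message)" }
}

function Get-DriverSigningReport {
    param([string]$ServiceName, [string]$Path, [datetime]$Cutoff)
    if (-not (Test-Path -LiteralPath $Path)) { Write-Warning "Missing: $Path"; return }
    # User-mode trust check only; the kernel's verdict is in the CodeIntegrity log.
    $sig  = Get-AuthenticodeSignature -LiteralPath $Path
    $cert = $sig.SignerCertificate
    $svc  = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'"
    [pscustomobject]@{
        Service          = $ServiceName
        StartMode        = $svc.StartMode            # Boot, System, Auto, Manual, Disabled
        SignatureStatus  = $sig.Status
        Signer           = $cert.Subject
        CertNotBefore    = $cert.NotBefore
        CertBeforeCutoff = if ($cert) { $cert.NotBefore -lt $Cutoff } else { $null }
        Timestamped      = [bool]$sig.TimeStamperCertificate
    }
}

function Get-CodeIntegrityEventsFor {
    param([string]$Path, [int]$Days = 7)
    $leaf = [WildcardPattern]::Escape((Split-Path $Path -Leaf))
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Level     = 2, 3                              # errors and warnings
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like "*$leaf*" } |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}
"Secure Boot: $(Get-SecureBootState)"
foreach ($name in $Drivers.Keys) {
    Get-DriverSigningReport -ServiceName $name -Path $Drivers[$name] -Cutoff $CertCutoff | Format-List | Out-String
    Get-CodeIntegrityEventsFor -Path $Drivers[$name] | Format-List | Out-String
}
```

Two drivers whose CertNotBefore values fall on opposite sides of the cutoff match the situation message 11 describes.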
  Message 12 of 12  
28 Mar 17 10:54
Michael Johansen
xxxxxx@yahoo.dk
Join Date: 03 Jun 2013
Posts To This List: 19
Secure Boot vs non-PnP driver

Have the same problem here. Newer cert and non-PNP driver not loading on a secure boot Windows 10 x64, with or without timestamp in the signature. I am having a hard time finding info on what the correct procedure is to get this driver working without removing secure boot etc.
All times are GMT -5.