MS Hardware Dashboard

I am hoping someone on this list might be able to help me navigate
Microsoft’s new Driver Attestation process. It seems to me that with Windows
10 1703, Microsoft has turned the corner from benign neglect to actively
discouraging developers not working on C# .NET apps for iPhone. I am very
frustrated.

I have a virtual disk driver (pure software, no hardware) that runs on
Windows 10, but only if I enable testing mode using “bcdedit /set
testsigning on”. This is not acceptable for release, I need to be able to
run with Secure Boot enabled.

  1. I paid $800 for my MSDN subscription, I am using VS2017 and the
    latest SDK, WDK, etc.
  2. I paid $300 for my Class3 code signing certificate, I am signing the
    driver. My previous Class3 certificate, which allowed my drivers to load
    using the “grandfather” clause expired, forcing me to start using the Driver
    Attestation route.
  3. I paid $1000 for my EV certificate. Acquiring this was a trial, but
    now I have my USB signing dongle.
  4. I have read many OSR threads about driver signing,
    https://www.osronline.com/showthread.cfm?link=285511 was especially helpful.
  5. I created an account on sysdev.microsoft.com for my company (nlited)
  6. I signed the test executable using my EV certificate and it was
    accepted by the sysdev site.
  7. When I followed the link to submit my driver to be counter-signed,
    there was a curt 1-line message telling me sysdev has been shut down and
    redirecting me to developer.microsoft.com/dashboard/hardware.
  8. I created an “Azure Directory” (AD) for my company using the same
    account I used for the sysdev site.
  9. The “Hardware dashboard” refuses to let me sign in, and gives me no
    explanation or feedback. When I try to create a new account it tells me my
    company is already registered. I cannot use a different name because my EV
    key is locked to my company name.
  10. I created a support ticket with Microsoft. For the last 3 weeks I
    have received an email every other day with exactly the same text, “there is
    still an ongoing investigation with the Hardware support engineers.” I am
    now convinced this is just a bot designed to string me along. There is no
    link for Hardware support anywhere on the Hardware Dashboard site.

I have a working driver that I can’t deliver because Microsoft won’t let me.
Please note, this is a problem with the Hardware Dashboard site - I haven’t
been able to get to the point where I can even upload my driver. I am sure I
will have many more hurdles after this, but Microsoft won’t even let me in
the front door.

Please, any help navigating this would be greatly appreciated. Even just a
link to a real Hardware support person would help.

Sincerely,

A Very Frustrated Windows Developer.

xxxxx@nlited.com wrote:

 

> 1. I paid $800 for my MSDN subscription, I am using VS2017 and the
>    latest SDK, WDK, etc.
> 2. I paid $300 for my Class3 code signing certificate, I am signing
>    the driver. My previous Class3 certificate, which allowed my
>    drivers to load using the “grandfather” clause expired, forcing me
>    to start using the Driver Attestation route.
> 3. I paid $1000 for my EV certificate. Acquiring this was a trial,
>    but now I have my USB signing dongle.

You do not need both a code-signing cert and an EV cert.  The EV cert
can do code-signing.

> 9. The “Hardware dashboard” refuses to let me sign in, and gives me
>    no explanation or feedback. When I try to create a new account it
>    tells me my company is already registered. I cannot use a
>    different name because my EV key is locked to my company name.
> 10. I created a support ticket with Microsoft. For the last 3 weeks I
>    have received an email every other day with exactly the same text,
>    “there is still an ongoing investigation with the Hardware support
>    engineers…” I am now convinced this is just a bot designed to
>    string me along. There is no link for Hardware support anywhere on
>    the Hardware Dashboard site.

What do you see when you log in to the “hardware dashboard”?  What
browser are you using?  The MVP site, for example, does not work in
Chrome, but does work in Edge and Firefox.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

I feel for you. I’m not sure you’re going to get much HELP here, but I can surely commiserate.

We had two folks here at OSR that COULD login to the Developer Hardware Dashboard site, and two who could not. This persisted for about a year. Last month, the two folks who previously could NOT login can now login. We didn’t do anything, and we don’t know why. We’re happy… but would feel better if we knew what changed.

Just to be clear, you ARE trying to sign in here:

https:

Not someplace else, right?



Too funny! I JUST was going to advise EXACTLY the opposite. I always use Chrome. I just finished doing my MVP profile updates using Chrome, and I’ve done all my hardware dashboard attestation signing submissions using Chrome.

I have yet to find anything that works in Edge, for any useful meaning of the word “works”… but that’s my experience.

:slight_smile:

Peter
OSR
@OSRDrivers

At last a live human being!

> You do not need both a code-signing cert and an EV cert. The EV cert can
> do code-signing.

I already had the code-signing cert, and I understand that the EV cert is
required, so now I have both. This brings up an interesting point: From some
previous threads, it sounds as though I need the EV cert to *create* my
Hardware Dashboard account but I can then add my Class3 cert(s) to the
account *sign* my drivers using the (cheaper and more accessible) Class3
cert. Is it safe to say that once my account is actually working, I no
longer need the EV cert? (That is, the EV cert is simply a $1000 single-use
NRE required by Microsoft goons?)

> What do you see when you log in to the “hardware dashboard”? What browser
> are you using? The MVP site, for example, does not work in Chrome, but does
> work in Edge and Firefox.

I am signing in using the URL
https: using IE
11.0.46, I have also tried using InPrivate and Firefox with the same
results.

I am prompted to select a sign in account (and password). I then see a page
titled “Dashboard” with a lot of “Developer programs” including “Hardware”.
If I click the stylized person icon I see my account info with a link to
“Sign out”. All the developer programs have links to “Get started”.

When I click the Hardware “Get started” link I see a page titled “Get
started with the Hardware Developer Program”. I still see my account info in
the upper right corner. The only options are “Next” and “Cancel” so I click
“Next”.

This takes me to a page titled “Registration - Work account (Azure AD)”.
There are two links, “Sign in to Azure AD” and “Create a new directory for
free”. Clicking “Sign in to Azure AD” takes me back to the “Get started with
the Hardware Developer Program”. Clicking “Create a new directory for free”
takes me to a form, but if I enter my company info it tells me “that account
already exists”. I can’t use a different name because the name is dictated
by my EV certificate.

This becomes an infinite loop of despair.




NTDEV is sponsored by OSR

Visit the list online at:
http:

MONTHLY seminars on crash dump analysis, WDF, Windows internals and software
drivers!
Details at http:

To unsubscribe, visit the List Server section of OSR Online at
http:

>This becomes an infinite loop of despair

Sic transit gloria mundi…

Peter
OSR
@OSRDrivers

toH, joH, Qap bot SoH?

-----Original Message-----
From: xxxxx@lists.osr.com
On Behalf Of xxxxx@osr.com
Sent: Monday, March 19, 2018 12:29 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] MS Hardware Dashboard

>This becomes an infinite loop of despair

Sic transit gloria mundi…

Peter
OSR
@OSRDrivers



xxxxx@nlited.com wrote:

> I already had the code-signing cert, and I understand that the EV cert is
> required, so now I have both. This brings up an interesting point: From some
> previous threads, it sounds as though I need the EV cert to *create* my
> Hardware Dashboard account but I can then add my Class3 cert(s) to the
> account *sign* my drivers using the (cheaper and more accessible) Class3
> cert.

True.   You are not actually required to sign the drivers at all.  All
you need to sign is the package you send.  Microsoft will do their own
signing.

> Is it safe to say that once my account is actually working, I no
> longer need the EV cert? (That is, the EV cert is simply a $1000 single-use
> NRE required by Microsoft goons?)

As long as you need the EV cert, why would you renew the non-EV cert?  I
was going to do so just so I could have a non-dongle cert, but my old
vendor, GlobalSign, will no longer issue any code-signing certs without
a dongle.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> Is it safe to say that once my account is actually working, I no
> longer need the EV cert?

That is true NOW.

But please be aware that it took a major effort involving us here at OSR and several OEMs to get this concession from MSFT at the last minute. It seems the powers that be are desirous of requiring the EV Cert even for the submission signature. So… there’s no telling when the accommodation allowing us to use *any* registered CERT for a submission will be reversed.

Like Mr. Roberts said: Just keep the EV and ditch the other non-EV cert.

Peter
OSR
@OSRDrivers

>> Is it safe to say that once my account is actually working, I no
>> longer need the EV cert? (That is, the EV cert is simply a $1000
>> single-use NRE required by Microsoft goons?)

> As long as you need the EV cert, why would you renew the non-EV cert? I was going to do so just so I could have a non-dongle cert, but my old vendor, GlobalSign, will no longer issue any code-signing certs without a dongle.

The USB key is a real nuisance, making sure it is available and connected to whichever machine I am using. I would very much prefer to use a Class3 certificate (which can be installed on multiple machines) to sign the drivers. Also, I can use different Class3 certificates for different projects, but AFAICT MS allows only one EV certificate per company.

However, all this is moot because Microsoft won’t let me sign in to the Hardware Dashboard. Microsoft has effectively put me out of business. :frowning:

>The USB key is a real nuisance, making sure it is available and connected to whichever machine I am using. I would very much prefer to use a Class3 certificate (which can be installed on multiple machines) to sign the drivers. Also, I can use different Class3 certificates for different projects, but AFAICT MS allows only one EV certificate per company.

To clarify, I would *very*much* prefer to leave the USB key containing the EV certificate locked up in my safe and only use Class3 certificates, even if those Class3 certs required the EV cert to create/register. I laud Peter’s efforts on this front and it would be impossible for me to emphasize strongly enough just how stupid the EV requirement for driver signing would be. But MS doesn’t care about individual developers, so I’m sure it will happen.



>As long as you need the EV cert, why would you renew the non-EV cert? I was going to do so just so I could have a non-dongle cert, but my old vendor, GlobalSign, will no longer issue any code-signing certs without a dongle.

Having just been through this, my experience is that Comodo is the current low-cost leader in certificates (both Class3 code-signing and EV). My Class3 is from Symantec only because I am grandfathered in on a low renewal price. My EV is from Comodo, but a stand-alone Class3 code-signing cert was an option.

TL;DR: I am now able to sign in and submit my driver. MS rejects it with an
empty report. I have no clue what needs to be fixed.

I am documenting everything in the hope it will help someone else, and the
good karma will come back to help me.

I received another email from the Microsoft support bot:


I hope you are having a nice day.

After further research we were able to confirm that you will not be
able to use the domain ‘nlited’ as it’s currently in use by another
account.

If you know the person of the company that has used the domain, you
can have that AAD added to the Hardware account or have the user added
to your account.

If you create a new AAD for a Hardware account you will need to use
a different domain. Please let me know if you have any further
questions or if this case may be marked as complete.

I am filled with dismay that Microsoft support will try to solve this
problem by sending an email once every 3 days for the next 10 years.

The last line prompted me to try to create a new Azure AD account using a
different domain name. I expected this to fail, complaining that either the
contact info or the EV certificate was already in use. But this time I paid
closer attention to what was happening. The site let me create a new Azure
AD domain “nlited1.onmicrosoft.com”, which included creating a new user
“xxxxx@nlited1.onmicrosoft.com”. The site then dumped me back to the “Get
Started” page.

This time it dawned on me that I had created a whole new class of accounts
under the nlited1.onmicrosoft.com domain. I signed out of my SysDev
account and this time I selected “Some other account” from the sign in
dialog and entered the “@nlited1.onmicrosoft.com”. This allowed me to enter
the inner sanctum. With this new knowledge, I went back through my notes and
found the original account “@nlited.onmicrosoft.com” and I was finally able
to sign in.

At this point I don’t know whether to feel sad, stupid, ashamed, or angry.
If the Hardware Dashboard site had given even the slightest indication *why*
it was silently rejecting my sign in I would have known to try a different
account and I would have eventually tried the onmicrosoft.com account.
Unfortunately, I became fixated on the sign in failure, and without any
information from the site I assumed it was a site bug. As I was also busy on
other things, this festered for *three weeks* of frustration. If any of the
support technicians (or bots) would have simply told me to look for a new
“onmicrosoft.com” account, I would have quickly solved the problem.

At least now I can move forward again.

I went through the process to register my EV certificate. (Apparently any
information from SysDev was not migrated.) I was then able to find my way to
the page to upload my driver. (The EV certificate is from Comodo, the Class3
certificate is from Symantec.)

I added my Class3 certificate by signing the test file:
cd "C:\Program Files (x86)\Windows Kits\10\App Certification Kit"
signtool sign /s MY /n nlited /i Symantec Signable.bin

CREATING THE CAT

I need to package the driver into a .cat package that includes:

  • CryptDisk.inf: This provides the package information.
  • CryptDriver2.sys: The driver binary to be signed.

NOTE: I am only including the 64bit driver. The unsigned driver runs fine on
Windows 10 1703, I am using it now.

Create a “fake” inf file:

[Version]
Signature = "$Windows NT$"
Class = USB
ClassGUID = {36FC9E60-C465-11CF-8056-444553540000}
Provider = %Mfg%
DriverVer = 03/20/2018,3.1.0.1172
CatalogFile = CryptDisk.cat

[SourceDisksNames]
3426=Our Disk

[SourceDisksFiles]
CryptDriver2.sys=3426,\64

[SourceDisksFiles.NTamd64]
CryptDriver2.sys=3426,\64

[DestinationDirs]
xxxx.copy

[Manufacturer]
%Mfg%=nlited,NTamd64

[nlited]
%DeviceDesc% = xxxx, ROOT\FAKE_0001

[nlited.NTamd64]
%DeviceDesc% = xxxx, ROOT\FAKE_0001

[xxxx.NT]
CopyFiles= xxxx.copy

[xxxx.NTamd64]
CopyFiles= xxxx.copy

[xxxx.copy]
CryptDriver2.sys

[Strings]
Mfg="nlited systems inc."

Add the WDK tools to the PATH:
PATH="C:\Program Files (x86)\Windows Kits\10\x86\bin";%PATH%
PATH="C:\Program Files (x86)\Windows Kits\10\App Certification Kit";%PATH%

Copy the files to a staging directory:
xcopy /y Bin\CryptDisk.inf Out\winx64Release\cat\
xcopy /y Out\winx64Release\CryptDriver2.sys Out\winx64Release\cat\64\

Build the .cat file:
inf2cat /driver:Out\winx64Release\cat /os:10_X64 /uselocaltime

Inf2Cat complained “DriverVer missing or incorrect.” The date must be
specified as MM/DD/YYYY with 2 digits for month and
day. The version should match the “File version” from the Explorer
Properties/Details page, 3.1.0.1172.

Following instructions from OSROnline
(https://www.osronline.com/showthread.cfm?link=275229),
I created an option file “MakeCab.txt”:

.option explicit
.set CabinetFileCountThreshold=0
.set FolderFileCountThreshold=0
.set FolderSizeThreshold=0
.set MaxCabinetSize=0
.set MaxDiskFileCount=0
.set MaxDiskSize=0
.set Cabinet=on
.set Compress=on
.set CabinetNameTemplate=CryptDisk.cab
.set DestinationDir=Package
.set DiskDirectoryTemplate=.
cat\CryptDisk.inf
.set DestinationDir=cat\64
cat\64\CryptDriver2.sys

And built the .cab:
makecab /f …..\Bin\MakeCab.txt
Cabinet Maker - Lossless Data Compression Tool

103,995 bytes in 2 files
Total files: 2
Bytes before: 103,995
Bytes after: 49,960
After/Before: 48.04% compression
Time: 0.17 seconds ( 0 hr 0 min 0.17 sec)
Throughput: 590.45 Kb/second

And signed the .cab:
signtool sign /s my /n nlited /i symantec /t http://timestamp.VeriSign.com/scripts/timstamp.dll CryptDisk.cab

I can verify the signature using File Explorer.

I uploaded the signed .cab to the Hardware Dashboard. HINT: Each submission
should have an easy to recognize, unique name like “CryptDisk
20180321-1420”.

MS complained that “This submission does not include symbols.” This appears
to be optional. I clicked OK to continue.

After about 10 minutes, it passed “Scanning” and failed “Validation”. The
downloaded report was an empty (0 bytes) file. I have no clue what went
wrong or how to fix it.

I tried to submit a trouble ticket, but this routed me back to the generic
Microsoft Support page which won’t accept my nlited.onmicrosoft.com
account.


Sincerely,
A Very Frustrated Windows Developer

xxxxx@nlited.com wrote:

> TL;DR: I am now able to sign in and submit my driver. MS rejects it with an
> empty report. I have no clue what needs to be fixed.
>
> Copy the files to a staging directory:
> xcopy /y Bin\CryptDisk.inf Out\winx64Release\cat\
> xcopy /y Out\winx64Release\CryptDriver2.sys Out\winx64Release\cat\64\
>
> Build the .cat file:
> inf2cat /driver:Out\winx64Release\cat /os:10_X64 /uselocaltime
>
> Inf2Cat complained “DriverVer missing or incorrect.” The date must be
> specified as MM/DD/YYYY with 2 digits for month and
> day. The version should match the “File version” from the Explorer
> Properties/Details page, 3.1.0.1172.

And you fixed that?

Your directory structure will need to look like this:
    cat\CryptDisk.cat
    cat\CryptDisk.inf
    cat\64\CryptDriver2.sys

Is that what you have?  From your makecab file, I’m afraid you have this:

    CryptDisk.cat
    cat\CryptDisk.inf
    cat\64\CryptDriver2.sys

which won’t work.  Also, you haven’t included the CAT file in the
cabinet.  My example (from the link above) didn’t include a CAT file,
but I think they now require one, even though they replace it.  Add the
cat file to the makecab.txt.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

> And you fixed that?
Yes, I just mentioned it as something that could be easily overlooked.

> Your directory structure will need to look like this:
>     cat\CryptDisk.cat
>     cat\CryptDisk.inf
>     cat\64\CryptDriver2.sys
>
> Is that what you have? From your makecab file, I’m afraid you have this:
>
>     CryptDisk.cat
>     cat\CryptDisk.inf
>     cat\64\CryptDriver2.sys
>
> which won’t work. Also, you haven’t included the CAT file in the cabinet. My example (from the link above) didn’t include a CAT file, but I think they now require one, even though they replace it. Add the cat file to the makecab.txt.

The .cat file is in the same “cat” directory as the .inf, but it was not included in the .cab. If that were the problem, I would expect it to be rejected in the “acceptance” step.

I added the .cat to the MakeCab.txt options, which is now:

.option explicit
.set CabinetFileCountThreshold=0
.set FolderFileCountThreshold=0
.set FolderSizeThreshold=0
.set MaxCabinetSize=0
.set MaxDiskFileCount=0
.set MaxDiskSize=0
.set Cabinet=on
.set Compress=on
.set CabinetNameTemplate=CryptDisk.cab
.set DestinationDir=Package
.set DiskDirectoryTemplate=.
cat\CryptDisk.cat
cat\CryptDisk.inf
.set DestinationDir=cat\64
cat\64\CryptDriver2.sys

I submitted it at 16:44, and it passed “acceptance” and “preparation”.
It passed “scanning” at 16:51.
It failed “validation” at 16:52.

The error report is another blank 0-byte file. Adding the .cat file seemed to have no effect.

Is there a way to print the contents and structure of the .cab file?

xxxxx@nlited.com wrote:

> I submitted it at 16:44, and it passed “acceptance” and “preparation”.
> It passed “scanning” at 16:51.
> It failed “validation” at 16:52.
>
> The error report is another blank 0-byte file. Adding the .cat file seemed to have no effect.

Hmm, I think I knew that.

> Is there a way to print the contents and structure of the .cab file?

Do you have “7zip”?  It can list cab files.

Can you send me the “cab” file?  I’d like to try submitting it here.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

xxxxx@nlited.com wrote:

> OK, so 7z reports that the top-level directory is “Package”, which seems strange.

Because that’s what the directive file that you copied from my message
said to do:
   .set DestinationDir=Package
 

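>    Date      Time    Attr         Size   Compressed  Name
> ------------------- ----- ------------ ------------  ------------------------
> 2018-03-21 13:58:36 ....A         1120               Package\CryptDisk.cat
> 2018-03-21 13:58:26 ....A          665               Package\CryptDisk.inf
> 2018-03-20 14:43:54 ....A       103320               cat\64\CryptDriver2.sys
> ------------------- ----- ------------ ------------  ------------------------
> 2018-03-21 13:58:36             105105        56751  3 files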

Ah, that’s wrong.   Change this:
    .set DestinationDir=cat\64
to this:
    .set DestinationDir=Package\64


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
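
The layout comparison done by eye on the 7z listing above can be scripted before each upload. This is an added example, not code from the thread or from Microsoft: the function names are hypothetical, the INF excerpt and listing are constructed from values quoted in this thread, and it assumes the package root is the directory holding the .inf, with each [SourceDisksFiles] subdirectory relative to it.

```python
import ntpath
import re

# One file row of `7z l` output: date, time, 5-character attribute field,
# size, optional compressed size, then the stored path. The totals row has
# no attribute field, so it does not match.
ROW = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+[.DRHSA]{5}\s+\d+\s+(?:\d+\s+)?(\S.*)$")

def cab_paths(listing):
    """Return the stored paths from the text printed by `7z l package.cab`."""
    return [m.group(1).strip() for m in map(ROW.match, listing.splitlines()) if m]

def inf_expectations(inf_text):
    """Return (catalog_name, {file: subdir}) from [Version] and [SourceDisksFiles*]."""
    section, catalog, files = "", None, {}
    for raw in inf_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop INF comments
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "version" and key.lower() == "catalogfile":
                catalog = value
            elif section.startswith("sourcedisksfiles"):
                # value is diskid[,subdir[,size]]; "\64" means <root>\64
                fields = [f.strip() for f in value.split(",")]
                files[key] = fields[1].strip("\\") if len(fields) > 1 else ""
    return catalog, files

def check_layout(listing, inf_name, inf_text):
    """Return a list of problems; an empty list means the cab matches the INF."""
    paths = cab_paths(listing)
    present = {p.lower() for p in paths}
    inf_path = next((p for p in paths
                     if ntpath.basename(p).lower() == inf_name.lower()), None)
    if inf_path is None:
        return [f"{inf_name} is not in the cab"]
    root = ntpath.dirname(inf_path)                  # package root inside the cab
    catalog, files = inf_expectations(inf_text)
    wanted = [ntpath.join(root, catalog)] if catalog else []
    wanted += [ntpath.join(root, sub, name) for name, sub in files.items()]
    problems = []
    for want in wanted:
        if want.lower() not in present:
            base = ntpath.basename(want).lower()
            found = [p for p in paths if ntpath.basename(p).lower() == base]
            problems.append(f"expected {want}, found {found[0] if found else 'nothing'}")
    return problems

# Constructed sample input: an excerpt of the thread's INF and its 7z listing.
INF = r"""
[Version]
CatalogFile = CryptDisk.cat
[SourceDisksFiles.NTamd64]
CryptDriver2.sys=3426,\64
"""
REJECTED = r"""
2018-03-21 13:58:36 ....A         1120               Package\CryptDisk.cat
2018-03-21 13:58:26 ....A          665               Package\CryptDisk.inf
2018-03-20 14:43:54 ....A       103320               cat\64\CryptDriver2.sys
2018-03-21 13:58:36             105105        56751  3 files
"""
FIXED = REJECTED.replace("cat\\64", "Package\\64")   # after the DestinationDir change

if __name__ == "__main__":
    print(check_layout(REJECTED, "CryptDisk.inf", INF))
    print(check_layout(FIXED, "CryptDisk.inf", INF))
```
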

OK, now it passes Validation and catalog creation. Waiting for sign…

-----Original Message-----
From: xxxxx@lists.osr.com On Behalf Of xxxxx@probo.com
Sent: Wednesday, March 21, 2018 5:17 PM
To: Windows System Software Devs Interest List
Subject: Re: [ntdev] MS Hardware Dashboard

xxxxx@nlited.com wrote:
> OK, so 7z reports that the top-level directory is “Package”, which seems strange.

Because that’s what the directive file that you copied from my message said to do:
.set DestinationDir=Package

>    Date      Time    Attr         Size   Compressed  Name
> ------------------- ----- ------------ ------------  ------------------------
> 2018-03-21 13:58:36 ....A         1120               Package\CryptDisk.cat
> 2018-03-21 13:58:26 ....A          665               Package\CryptDisk.inf
> 2018-03-20 14:43:54 ....A       103320               cat\64\CryptDriver2.sys
> ------------------- ----- ------------ ------------  ------------------------
> 2018-03-21 13:58:36             105105        56751  3 files

Ah, that’s wrong. Change this:
.set DestinationDir=cat\64
to this:
.set DestinationDir=Package\64


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.



Woot! Passed sign and finalize. I am downloading and verifying…

Woot! Woot! I appear to have a signed driver!
Now I need to refigure my system for secure boot and try to load it…

It works.

I need to take a moment to bask in my small victory, before I start banging my head against the next thing.

Thank you for your help. I hope my trail of breadcrumbs helps someone avoid my misteakes.

Sincerely,

A Momentarily Happy Windows Developer.