  Message 1 of 17  
04 Mar 16 16:39
Mark Roddy
xxxxxx@gmail.com
Join Date: 25 Feb 2000
Posts To This List: 3985
Win10 Build 14271 and Code Integrity Enforcement

Perhaps I missed the discussion here but it appears that recent insider builds of Win10 client have turned on signing enforcement. Ugh.

Mark Roddy
  Message 2 of 17  
04 Mar 16 17:26
Tom McDermott
xxxxxx@gmail.com
Join Date: 03 Jun 2014
Posts To This List: 57
Win10 Build 14271 and Code Integrity Enforcement

Build 14271 is an early release of Redstone 1. Microsoft has selected Windows 10 Redstone 1 release as the vehicle where they will begin enforcement of the previously announced Attestation policy, with a slight twist. If the Win10 RS1 target is an upgrade, it will accept any driver that already installs and loads correctly. ONLY if the RS1 installation is a new installation will non-Microsoft drivers be blocked if they were signed with a cert issued after July 29th, 2015.
  Message 3 of 17  
04 Mar 16 18:24
ntdev member 165779
xxxxxx@designerware.com
Join Date:
Posts To This List: 32
Win10 Build 14271 and Code Integrity Enforcement

I have Build [Version 10.0.14279] inside Virtualbox (VM) and it still works with my cross signed drivers that I just compiled today (3/4/16) and signed with a certificate that was issued 11/15? Not sure what that means, but it boots and the drivers pass.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-603907-165779@lists.osr.com] On Behalf Of xxxxx@gmail.com
Sent: Friday, March 04, 2016 5:26 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Win10 Build 14271 and Code Integrity Enforcement

> Build 14271 is an early release of Redstone 1. Microsoft has selected Windows 10 Redstone 1 release as the vehicle where they will begin enforcement of the previously announced Attestation policy, with a slight twist.
>
> If the Win10 RS1 target is an upgrade, it will accept any driver that already installs and loads correctly. ONLY if the RS1 installation is a new installation will non-Microsoft drivers be blocked if they were signed with a cert issued after July 29th, 2015.
  Message 4 of 17  
04 Mar 16 19:17
Tom McDermott
xxxxxx@gmail.com
Join Date: 03 Jun 2014
Posts To This List: 57
Win10 Build 14271 and Code Integrity Enforcement

Tim, perhaps it is because earlier versions of the same drivers were already installed pre-Redstone, thus it considers not only the OS to be an upgrade, but also your pre-existing drivers to be just an upgrade, and bypasses the enforcement. Just a guess on my part. In any event, MSFT has managed to make an already confusing issue even more confusing.
  Message 5 of 17  
05 Mar 16 10:02
Mike Berhan
xxxxxx@bustrace.com
Join Date: 14 Feb 2005
Posts To This List: 11
Win10 Build 14271 and Code Integrity Enforcement

<quote>If the Win10 RS1 target is an upgrade, it will accept any driver that already installs and loads correctly. ONLY if the RS1 installation is a new installation will non-Microsoft drivers be blocked if they were signed with a cert issued after July 29th, 2015.</quote>

Is there an ISO available for a new installation? I can upgrade to build 14279, but I would like to try a clean install. The Microsoft URL now redirects to the standard Windows 10 download:

https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewiso
  Message 6 of 17  
05 Mar 16 12:18
Aleh Kazakevich
xxxxxx@mail.ru
Join Date: 27 Jul 2015
Posts To This List: 44
Win10 Build 14271 and Code Integrity Enforcement

> Mark Roddy wrote:
>
> Perhaps I missed the discussion here but it appears that recent insider
> builds of Win10 client have turned on signing enforcement.

Thanks for the information. Indeed, Windows 10 build 14279 cannot load a cross-signed driver, error 577. But with my old certificate issued in 2013 everything works fine. Tested on Hyper-V Generation-2 with Secure Boot enabled.
  Message 7 of 17  
05 Mar 16 12:49
ntdev member 165779
xxxxxx@designerware.com
Join Date:
Posts To This List: 32
Win10 Build 14271 and Code Integrity Enforcement

Is there a clean ISO out there someplace? I have the latest and my cross signed drivers still load. But, I've just been upgrading it since Windows 7 in the VM. I don't have my drivers loaded as I use a clean copy and then test off copies loading the drivers. But, Windows has been upgraded nevertheless and it would be nice to have a clean build that demonstrates this behavior.

-----Original Message-----
From: xxxxx@lists.osr.com [mailto:bounce-603947-165779@lists.osr.com] On Behalf Of xxxxx@mail.ru
Sent: Saturday, March 05, 2016 12:17 PM
To: Windows System Software Devs Interest List
Subject: RE:[ntdev] Win10 Build 14271 and Code Integrity Enforcement

> Mark Roddy wrote:
>
> Perhaps I missed the discussion here but it appears that recent
> insider builds of Win10 client have turned on signing enforcement.

Thanks for the information. Indeed, Windows 10 build 14279 cannot load a cross-signed driver, error 577. But with my old certificate issued in 2013 everything works fine. Tested on Hyper-V Generation-2 with Secure Boot enabled.
  Message 8 of 17  
05 Mar 16 15:48
Peter Viscarola (OSR)
xxxxxx@osr.com
Join Date:
Posts To This List: 5913
List Moderator
Win10 Build 14271 and Code Integrity Enforcement

<quote> Is there a clean ISO out there someplace? </quote>

I don't know if this helps, but I'm not aware of a public ISO that's available for download from Microsoft for ANY Redstone build.

What's MOST frustrating about this is the lack of clear and timely communication on this topic from Redmond. We have to figure this out as we go? C'mon boys... Can the PM who's making the calls on this not just... TWEET something? Put a couple of lines in a blog somewhere? Throw a web page up on SYSDEV? SOMEthing?

Just imagine how much time, effort, and annoyance is being unnecessarily expended by community members world-wide trying to figure this out. Worse, it's not engendering good feelings for MSFT in the community.

Last summer, James Murray was kind enough to offer up his valuable time to answer questions for us. That was outstanding, super helpful, and I was glad to be able to help with communications. But is that really how we all want to be handling communication on this important policy issue?

(I smell a blog post borne of frustration percolating).

Peter
OSR
@OSRDrivers
  Message 9 of 17  
07 Mar 16 10:12
Mark Roddy
xxxxxx@gmail.com
Join Date: 25 Feb 2000
Posts To This List: 3985
Win10 Build 14271 and Code Integrity Enforcement

New information from our testing indicates that signing enforcement is only enabled in secure boot mode. If secure boot is off whql/attestation-only is not being enforced, even on new installs. It would really be helpful if MSFT would clearly state what the policy is and when it is going to be enforced.

Mark Roddy

On Sat, Mar 5, 2016 at 3:47 PM, <xxxxx@osr.com> wrote:

> <quote>
> Is there a clean ISO out there someplace?
> </quote>
>
> I don't know if this helps, but I'm not aware of a public ISO that's
> available for download from Microsoft for ANY Redstone build.
>
> What's MOST frustrating about this is the lack of clear and timely
> communication on this topic from Redmond. We have to figure this out as we
> go? C'mon boys... Can the PM who's making the calls on this not just...
<...excess quoted lines suppressed...>
  Message 10 of 17  
07 Mar 16 10:38
Bo Brantén
xxxxxx@acc.umu.se
Join Date: 16 Jun 2015
Posts To This List: 28
Win10 Build 14271 and Code Integrity Enforcement

On Mon, 7 Mar 2016, Mark Roddy wrote:

> New information from our testing indicates that signing enforcement is only
> enabled in secure boot mode. If secure boot is off whql/attestation-only is
> not being enforced, even on new installs. It would really be helpful if
> MSFT would clearly state what the policy is and when it is going to be
> enforced.

That the new type of signing only is enforced when secure boot is turned on was mentioned by Microsoft Program Manager James Murray in the OSR Q&A with him in July 2015:

https://www.osr.com/blog/2015/07/24/questions-answers-windows-10-driver-signing/

Bo Branten
  Message 11 of 17  
07 Mar 16 11:34
Gabe Jones
xxxxxx@ni.com
Join Date: 19 Mar 2012
Posts To This List: 41
Win10 Build 14271 and Code Integrity Enforcement

To add my experiences: I updated to build 14279 on a Secure Boot-capable PC. I then went into the "Reset this PC" setting and told it to reset, preserving nothing, hoping that this is equivalent to a "new install." I installed one of our drivers that was signed in the traditional manner using our EV cert that was issued after Win 10 RTM. It failed to load with a Code 31. I then updated the driver to one that I had signed using the portal. It loaded successfully.
  Message 12 of 17  
07 Mar 16 11:40
Gabe Jones
xxxxxx@ni.com
Join Date: 19 Mar 2012
Posts To This List: 41
Win10 Build 14271 and Code Integrity Enforcement

Correction: Code 52, not code 31.
  Message 13 of 17  
07 Mar 16 11:46
Tom McDermott
xxxxxx@gmail.com
Join Date: 03 Jun 2014
Posts To This List: 57
Win10 Build 14271 and Code Integrity Enforcement

<quote> I don't know if this helps, but I'm not aware of a public ISO that's available for download from Microsoft for ANY Redstone build. What's MOST frustrating about this is the lack of clear and timely communication on this topic from Redmond. We have to figure this out as we go? C'mon boys... Can the PM who's making the calls on this not just... TWEET something? Put a couple of lines in a blog somewhere? Throw a web page up on SYSDEV? SOMEthing? Just imagine how much time, effort, and annoyance is being unnecessarily expended by community members world-wide trying to figure this out. Worse, it's not engendering good feelings for MSFT in the community. </quote>

Peter, I agree that the documentation of these signing policy issues has been at best horrible, and mostly nonexistent. The only reason I have any inkling of what's coming is that we happen to have an open support ticket with WDK Support. But the information that we do receive is never presented with any certainty, but is always "very fluid and subject to change".

As to a clean installable build of Redstone, even the support group is claiming that they themselves are unable to get their hands on one to test this issue. Hard to believe, isn't it?
  Message 14 of 17  
07 Mar 16 11:53
Mark Roddy
xxxxxx@gmail.com
Join Date: 25 Feb 2000
Posts To This List: 3985
Win10 Build 14271 and Code Integrity Enforcement

Great! perhaps one web page with ALL THE RULEZ instead of a mishmash of byzantium proportions would be a good idea?

Mark Roddy

On Mon, Mar 7, 2016 at 10:37 AM, Bo Branten <xxxxx@acc.umu.se> wrote:

> On Mon, 7 Mar 2016, Mark Roddy wrote:
>
>> New information from our testing indicates that signing enforcement is only
>> enabled in secure boot mode. If secure boot is off whql/attestation-only is
>> not being enforced, even on new installs. It would really be helpful if
>> MSFT would clearly state what the policy is and when it is going to be
>> enforced.
>
<...excess quoted lines suppressed...>
  Message 15 of 17  
10 Mar 16 14:46
Alan Adams
xxxxxx@novell.com
Join Date: 20 Dec 2010
Posts To This List: 21
Win10 Build 14271 and Code Integrity Enforcement

Bo Branten <xxxxx@acc.umu.se> wrote:

> On Mon, 7 Mar 2016, Mark Roddy wrote:
>
> > New information from our testing indicates that signing enforcement is only
> > enabled in secure boot mode. If secure boot is off whql/attestation-only is
> > not being enforced, even on new installs. It would really be helpful if
> > MSFT would clearly state what the policy is and when it is going to be
> > enforced.
>
> That the new type of signing only is enforced when secure boot is turned
> on was mentioned by Microsoft Program Manager James Murray in the OSR Q&A
<...excess quoted lines suppressed...>

So is the correct conclusion here that what's /actually/ changing in Build 14271 and later is that Secure Boot will be enabled by default, if the machine is Secure Boot capable?

Or am I still missing a piece of that picture. Maybe that it applies to all editions rather than just Enterprise, or similar? Or applies to more drivers than just boot-mode drivers?

Because isn't Secure Boot -- if enabled on a machine where the firmware supports it -- /always/ rejecting non-Microsoft-signed boot-mode drivers? Meaning it's "the point" of that feature, and true even if we were discussing Windows 8.1 instead of Windows 10?

Meaning the fact that Secure Boot would do that is not what's new; the fact that Secure Boot applies is what's actually new?

Alan Adams
Client for Open Enterprise Server
Micro Focus
xxxxx@microfocus.com
  Message 16 of 17  
10 Mar 16 15:17
Bo Brantén
xxxxxx@acc.umu.se
Join Date: 16 Jun 2015
Posts To This List: 28
Win10 Build 14271 and Code Integrity Enforcement

On Thu, 10 Mar 2016, Alan Adams wrote:

>> https://www.osr.com/blog/2015/07/24/questions-answers-windows-10-driver-signing/
>
> So is the correct conclusion here that what's /actually/ changing in
> Build 14271 and later is that Secure Boot will be enabled by default,
> if the machine is Secure Boot capable?

To be more clear; if secure boot is enabled from the beginning is up to the manufacturer, what is new in build 14271 is that Microsoft does check if the driver is portal signed and not only cross signed, however this extended check is only done on systems that have secure boot enabled as was told in the OSR Q&A.

Bo Branten
  Message 17 of 17  
10 Mar 16 17:19
Alan Adams
xxxxxx@novell.com
Join Date: 20 Dec 2010
Posts To This List: 21
Win10 Build 14271 and Code Integrity Enforcement

Bo Branten <xxxxx@acc.umu.se> wrote:

> On Thu, 10 Mar 2016, Alan Adams wrote:
>
> >> https://www.osr.com/blog/2015/07/24/questions-answers-windows-10-driver-signing/
>
> > So is the correct conclusion here that what's /actually/ changing in
> > Build 14271 and later is that Secure Boot will be enabled by default,
> > if the machine is Secure Boot capable?
>
> To be more clear; if secure boot is enabled from the beginning is up to
> the manufacturer, what is new in build 14271 is that Microsoft does check
<...excess quoted lines suppressed...>

Thanks for the additional clarifications. That "cross-signed" had previously qualified (not just actual Microsoft-signed drivers) sounds like a significant point I was incorrect on as well.

Alan Adams
Client for Open Enterprise Server
Micro Focus
xxxxx@microfocus.com
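
Added example (not posted by any list member and not Microsoft's code): a PowerShell triage script that applies the rule as pieced together in this thread to one driver file. The -CleanInstall switch and the use of the "Microsoft Windows Hardware Compatibility Publisher" signer name to recognise portal-signed binaries are assumptions of this example; the verdict strings only restate what posters reported from their own tests.

```powershell
# Added example: triage one driver file against the rule as reported in this thread.
param(
    [Parameter(Mandatory)][string]$DriverPath,
    # Assumption: the operator states whether the OS was clean-installed;
    # the thread gives no way to detect this, so it is not probed here.
    [switch]$CleanInstall
)

$cutoff = [datetime]'2015-07-29'   # certificate issue date quoted in the thread

# Secure Boot state: $true/$false, or $null when it cannot be determined
# (Confirm-SecureBootUEFI needs elevation and throws on non-UEFI firmware).
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch [System.PlatformNotSupportedException] { $secureBoot = $false }
catch { $secureBoot = $null }

$sig  = Get-AuthenticodeSignature -FilePath $DriverPath
$cert = $sig.SignerCertificate
if ($sig.Status -ne 'Valid' -or -not $cert) {
    throw "No valid Authenticode signature on $DriverPath (status: $($sig.Status))"
}

# Assumption: a portal-signed (attestation/WHQL) binary carries a Microsoft
# signer with this subject name; a cross-signed one carries the vendor's cert.
$portalSigned = $cert.Subject -like '*Microsoft Windows Hardware Compatibility Publisher*'
$issuedAfter  = $cert.NotBefore -gt $cutoff

# Order matters: each branch is one observation reported in the thread.
$verdict = if ($portalSigned)   { 'portal-signed: expected to load' }
    elseif (-not $issuedAfter)      { 'cross-signed, cert issued on or before cutoff: reported to load' }
    elseif ($secureBoot -eq $false) { 'Secure Boot off: reported as not enforced' }
    elseif (-not $CleanInstall)     { 'upgraded OS: reported to accept the driver' }
    elseif ($null -eq $secureBoot)  { 'Secure Boot state unknown: run elevated and re-check' }
    else                            { 'expected to be blocked (error 577 / Code 52 in the thread)' }

[pscustomobject]@{
    Driver       = $DriverPath
    Signer       = $cert.Subject
    CertIssued   = $cert.NotBefore
    SecureBoot   = $secureBoot
    CleanInstall = [bool]$CleanInstall
    Verdict      = $verdict
}
```

Get-AuthenticodeSignature reports only the primary signature, so a dual-signed binary should also be checked with the signing tool's own verification output.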
Copyright ©2015, OSR Open Systems Resources, Inc.