Windows 10 Version 1607 Changes Driver Signing Policy

Subject: General Tech | August 1, 2016 - 06:33 PM |
Tagged: windows 10, microsoft

Remember, folks, that “the road to Hell is paved with good intentions”. Microsoft has been trying to shed their stigma as a giant source of malware, but all solutions have side-effects, and those side-effects can have damaging consequences. When you believe that you or someone else is doing good, that is when you should be extra cautious, not less. It's a source of complacency.


With tomorrow's Windows 10 Anniversary Update, Microsoft will require kernel-mode drivers to be signed by them on systems with Secure Boot enabled. This change will not affect PCs that have been upgraded from a previous version of Windows, including Windows 10 1507 and Windows 10 1511. That said, this could be a concern for those (like me) who are planning to clean install soon.

To me, this doesn't look like it will be that big of a deal. Hobbyists should be able to manage with either disabling Secure Boot, if their system allows it, or by fitting their driver around the user-mode framework. It might cause an issue with hotfix graphics drivers, though, which are pushed out before getting signed by Microsoft.

Also, if Microsoft changes their driver signing policy in the future, then this could be (Update @ 7:30pm ET: original verbiage was a little too strong) huge leverage against anyone attempting to circumvent it (such as implementing a graphics API that outperforms whatever DirectX version they have at the time -- see how Vulkan is not allowed on MacOSX). Even if you trust Microsoft now, you need to think about what Microsoft in 10+ years can do if they choose to.

Source: Microsoft
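
As an added example (not from the article or from Microsoft), here is a pre-install check for the policy described above: it reports the Secure Boot state and lists running kernel-mode drivers whose file signature is not valid or whose signer is not Microsoft. The function names are made up for this example, and matching `O=Microsoft Corporation` in the signer subject is an assumed heuristic for "signed by Microsoft".

```powershell
# Added example: review list for the 1607 driver signing policy.
# Run from an elevated Windows PowerShell 5.1 prompt.

function Get-SecureBootState {
    # Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws elsewhere.
    try {
        if (Confirm-SecureBootUEFI -ErrorAction Stop) { 'Enabled' } else { 'Disabled' }
    }
    catch [System.PlatformNotSupportedException] { 'Not supported (legacy BIOS boot)' }
    catch { "Unknown: $($_.Exception.Message)" }
}

function Resolve-DriverPath {
    param([string]$PathName)
    # Win32_SystemDriver reports paths in several kernel-style forms; normalise them.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                          # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"    # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-NonMicrosoftSignedDriver {
    # Heuristic (assumption): Microsoft-signed files show O=Microsoft Corporation
    # in the signer subject. Treat the output as a list to review, not a verdict.
    Get-CimInstance Win32_SystemDriver -Filter "State='Running'" |
        Where-Object { $_.ServiceType -in 'Kernel Driver', 'File System Driver' -and $_.PathName } |
        ForEach-Object {
            $path = Resolve-DriverPath $_.PathName
            if (-not (Test-Path -LiteralPath $path)) { return }   # skip unresolved paths
            $sig = Get-AuthenticodeSignature -LiteralPath $path
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            if ($sig.Status -ne 'Valid' -or $subject -notmatch 'O=Microsoft Corporation') {
                [pscustomobject]@{
                    Driver = $_.Name
                    Status = $sig.Status
                    Signer = $subject
                    Path   = $path
                }
            }
        }
}

"Secure Boot: $(Get-SecureBootState)"
Get-NonMicrosoftSignedDriver | Sort-Object Driver | Format-Table -AutoSize -Wrap
```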


August 1, 2016 | 07:12 PM - Posted by DJ (not verified)


So if you have Windows 10, Nvidia releases a game ready driver that has yet to be signed by M$, gamers, plenty of which have no clue what secure boot is, won't be able to use such drivers. Sounds like a great plan!

August 1, 2016 | 07:16 PM - Posted by BlueRay (not verified)

This is what happens when you have a strong monopoly in one particular market. That single player can do whatever he leaves in the stadium since he is alone or his opponents are weak enough to not pose a threat. MS keeps doing controversial things and follows shady paths with unclear vision. See the privacy concerns, the removal of the traditional search and the combination with Cortana. The "nerfs" of the Pro version. The UWP vision, the free upgrade that never ends and now this. What exactly they want to do I don't know. Maybe they do not know either. Maybe they are experimenting. Really weird decisions. I was planning for a clean install tomorrow as I'm not a fan of the update system. Time will tell.

August 1, 2016 | 08:00 PM - Posted by arbiter

Safety and security doesn't always mean easy. Want to protect a computer, you gotta give up some things to keep it that way. Having drivers signed means no randomly made driver can install itself and do whatever it wants like monitor everything you do, keylog and screenshot all your info.

August 2, 2016 | 04:47 AM - Posted by Anonymous (not verified)

"no randomly made driver can install itself and do whatever it wants like monitor everything you do, keylog and screenshot all your info"
Windows 10 is already doing all that

August 1, 2016 | 08:58 PM - Posted by Anonymous (not verified)

This is what happens when you have an illegal monopolistic vertical market integration/monetization scheme of the third party OEM PC/Laptop market by M$. And not enough gamers and PC/Laptop users are asking their elected officials to do their jobs and stop/rein in the monopolies. There are the legal Justice Department agencies tasked with enforcing the antitrust laws already on the books, but until enough folks start complaining and calling for these companies to be brought up on antitrust charges, M$ will continue its monopolistic land grab on the end users’ Third Party OEM produced PC/Laptop hardware.

M$ will be doing its DR DOS fixing scheme all over again, with UWP, windows “Secure” BOOT, and other methods to take over your third party PC/Laptop hardware via windows 10, and any new PC/Laptop third party OEM made PC/Laptop hardware that comes with windows 10 factory installed. Better hope that new Laptop even has a method provided to turn OFF windows secure boot in your new laptop's UEFI firmware as the “Option” for new PC/Laptop OEM hardware is that the OEM does not have to provide for any M$ windows secure [OFF] switch in any new third party OEM PC’s/laptop’s UEFI firmware that comes with windows 10 factory installed.

The PC/laptop market is contracting so expect there to be plenty of attempts to completely monetize as much of the OS/application ecosystems via the new closed OS/Application Business model that M$ is attempting to force onto the PC/Laptop market with its windows 10 and that windows 10 EULA. Expect that every little facet of the third Party OEM windows OS/application ecosystem to be slowly and insidiously closed up to provide M$ with plenty of revenue growth at the expense of the PC/Laptop end users’ privacy, and control over their own PC/laptop hardware, and that includes ads in the OS, and forced bloatware pushed out by forced updates, bloatware that can not be uninstalled.

Tim and Gabe are spot on, and more Linux/Vulkan gaming is what needs to be done to counter M$’s attempts at closing things up, so supporting the Steam OS and gaming ecosystem is very important. Hopefully there will be some more Steam Machine offerings with some AMD Zen/Polaris options to keep the markets for OEM gaming PCs more affordable.

August 1, 2016 | 10:01 PM - Posted by bria5544 (not verified)

Until someone makes Linux so easy, the uneducated and elderly can use it, it'll never catch on. I despise using Linux as each flavor has its own unique idiosyncrasies and nothing just works. Drivers are a nightmare, software installation is a nightmare, and heaven forbid something goes wrong cause you'll spend hours or days trying to figure it out; only to give up because you've completely broken your PC.

August 2, 2016 | 04:57 AM - Posted by Anonymous (not verified)

"Easy" varieties of Linux, like Ubuntu, already exist. Most of those elderly/casual users do very little on their computers - if all you do is browse facebook and check email, then Linux isn't really any harder than Windows. Sure, drivers and general troubleshooting can be a problem, but those users would struggle with drivers and troubleshooting on Windows as well. The real issue with Linux is, and has been for a long time, software support, but that's irrelevant for the 90% of users that don't need anything specific.

March 12, 2017 | 09:42 PM - Posted by Anonymous (not verified)

Poor reasoning. Window trolls and MS fanboys tire me with their pretzel logic. If every facet of human life was played out by 'Gates Rules' we would either be lined up to take public oaths of allegiance to Him in stadiums lined with the four-square colors of Windows or loaded on trains bound for 're-education camps'. Or worse. Laughable? Perhaps...
People who have no knowledge of or experience with sociopathic behavior, also have little understanding of the sociopath's goals which are flexible and far-ranging. When left unchallenged and unchecked their goals ultimately tear apart the fabric of fair society. All sociopaths ultimately create their own moral universe and place themselves at the godhead as did Hitler, Mao, Stalin, Pol Pot, Idi Amin, Jimmy Jones and so many others. Be they big or small, they have left indelible marks on human history and seldom for the good and history also shows us that left unchecked by authority or ballot, they ultimately become the authority and only the bullet is left to stop them.

August 1, 2016 | 08:54 PM - Posted by Goofus Maximus (not verified)

Hmm. I think at least Microsoft should allow OEM and chip makers to have the ability to sign their own drivers, and just pop up an "are you sure" security warning for non WHQL drivers.

August 1, 2016 | 09:42 PM - Posted by Anonymous (not verified)

Microsoft is a malware company not a software company. There was no need for Windows 10. What happened to Windows 9?

Millions of people did not upgrade their Windows 7/8.1 systems. I still keep my windows 8.1 on one of the partition. I rarely use it. I have no need for it. I am just keeping it so that it can waste some disk space.

People have no idea what Microsoft is doing to their PCs.

July 29th passed and millions did not upgrade. Not only that, the earth keeps spinning and the sun keeps shining.

I have serious doubt that Microsoft will be developing OS in 10 years.

August 2, 2016 | 02:42 AM - Posted by Hakuren

That's basically it. Proverbial last nail in the coffin for 10. I can sell or destroy (pleasure is priceless!) that useless USB stick. Never actually used 10 extensively (only tested in closed environment) because huge majority of software I use at work simply doesn't work. Nobody will ever bother to get M$ certification anyway. So I can dispose of that POS. Thanks M$ for finally solving my dilemma!

Now only AMD's Zen is hope of folks who want to stay on 7/8/8.1 because Intel already committed to enforced 10 restriction.

August 2, 2016 | 03:08 AM - Posted by Anonymous (not verified)

This is just another brick in the wall.

August 2, 2016 | 04:37 AM - Posted by Anonymous (not verified)

"Microsoft has been trying to shed their stigma as a giant source of malware"
I doubt it, given that they are now the world's largest developer and distributor of malware.

August 2, 2016 | 08:33 AM - Posted by cosmicvibes

At least someone is thinking about what Microsoft might do 10+ years from now:

“Now, a couple of years ago, we started to get pretty worried that maybe that openness was going to be challenged, that there was success in proprietary platforms in living rooms and in mobile, and that was going to cause the entire industry to step away from the opportunity of openness,” he said. If only more gamers and developers could get behind SteamOS/Linux we could ensure an open alternative. Alas, I am not hopeful. Without the games, they won't move. Without all the big games, few of the tech channels seem interested in talking about the Linux ports.

Hopefully Microsoft won't think to create some kind of "Universal Windows Platform" that allows developers of Xbox games to port them to PC easily and vice-versa. Of course these can work with Steam. Steam for Windows. If you set off on the UWP path when developing the Xbox/PC version.... why bother with Linux....

August 2, 2016 | 10:49 AM - Posted by Palorim12 (not verified)

Hasn't Apple already been doing something like this with Kext signing? Where's the outrage there?

August 2, 2016 | 12:33 PM - Posted by Anonymous (not verified)

Exactly this. People are shocked that MS would follow Apple's lead in as many areas as they can since you know they have billions in the bank.

August 2, 2016 | 01:19 PM - Posted by Palorim12 (not verified)

Also, is Secure Boot that big of a deal? I have it disabled on most of my systems so they boot faster.

August 2, 2016 | 04:44 PM - Posted by Anonymous (not verified)

I see this argument a lot; it's become the standard Microsoft apologist response: Apple/Google/etc already do X, so you can't complain about Microsoft doing X. It's always been a terrible argument, one company doing something wrong does not justify everyone else also doing it wrong. In fact, Microsoft doing these things is especially dangerous because Microsoft is much harder to avoid than those other companies: if you want widespread software support, Windows is really the only place you can get it.

There's a reason I've been using Windows for 20 years, and not Mac: because I've liked the way Windows does things, compared to how alternatives do them, so windows emulating those alternatives that I've avoided is a bad thing.

Also, Mac users, in general, don't care about anything regarding their computer - if they can access facebook, they're happy. Whatever is happening underneath is irrelevant, so they are unlikely to produce outrage about anything.

August 3, 2016 | 11:24 AM - Posted by Palorim12 (not verified)

Then just disable Secure Boot. Boom, problem solved.

August 3, 2016 | 04:41 AM - Posted by Anonymous (not verified)

There's a reason Apple only has a 5% market share on desktop PC's you know.

August 2, 2016 | 03:50 PM - Posted by Robert Osorio (not verified)

I also disable secure boot on all my systems. It's a PITA when you need to use bootable tools, and it's overhead I don't need or want.

Techies like us will disable it, and non techies (who arguably need the protection) won't.

I'm more concerned with MS neutering group policy settings in Win10 Pro.

August 3, 2016 | 11:18 AM - Posted by Palorim12 (not verified)

I updated to the anniversary edition and my group policy setting that skips the lock screen and logs me in automatically is still there.

August 3, 2016 | 11:23 AM - Posted by Palorim12 (not verified)

Also wanna add, I have Windows 10 Pro.


August 3, 2016 | 07:50 AM - Posted by Goofus Maximus (not verified)

Ugh. I updated to the anniversary edition, started fixing everything it broke for no apparent reason, but lost the battle when trying to get my files to default to local instead of OneDrive in "This PC" where OneDrive does NOT belong! In the end, I couldn't log in to my own computer, so I finally had to bite the bullet and restore from a month old system image, after much hassle finding the thumb drive with the correct version of windows. Cortana and OneDrive make this the hassleversary edition to me!

August 4, 2016 | 12:05 AM - Posted by anonymus (not verified)

updated to the anniversary edition, Windows would not load drivers for GPU(Nvidia), Keyboard(corsair) or mouse(corsair), and killed my USB 3.0 ports completely. Took an hour just to put in my password.

Seems like the new version wants to turn a desktop into a tablet or something I don't want it to be

Guessing everyone knows about the driver signing issue which will force small dev companies to pay to sign their drivers...

PS back on whatever was before 1607

August 5, 2016 | 12:29 PM - Posted by Anonymous (not verified)

An important clarification here: Kernel mode driver signing has been enforced since Windows Vista 64bit. This includes Windows 7 64bit. The change here is that the level of signing is being changed going forward (older drivers grandfathered in) and it is now being enforced for 32bit Windows 10 as well. The change to signing is the requirement of Extended Validation for the signature.

Basically, if you've been running 64bit Vista or above, then you've already been dealing with enforced driver signing. If you have not experienced any problems, then you are unlikely to going forward.
