Windows 10 Enforces Unsigned Driver Ban

Windows 10 Anniversary Update (version 1607) is out now and the new iteration introduces a security feature promised by Microsoft before the operating system’s release last year. Effective as of the 1607 update, Windows 10 will no longer load unsigned kernel mode drivers in an effort to prevent users from accidentally installing malicious software. The delay in implementing the policy was, according to Microsoft, “due to technical and ecosystem readiness issues, this was not enforced by Windows Code Integrity and remained only a policy statement.”

Only newly installed drivers will be subject to this prohibition, so unsigned drivers installed in Windows 10 prior to the 1607 update will be unaffected. Fresh installations of Windows 10 Anniversary Update, though, will implement the policy immediately.

“Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the operating system,” Microsoft writes on its blog, “and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal. OS signing enforcement is only for new OS installations; systems upgraded from an earlier OS to Windows 10, version 1607 will not be affected by this change.”

In order for a driver to become signed, it must be submitted to Microsoft, via the Dev Portal, for approval, and its developer must obtain an Extended Validation (EV) Code Signing Certificate. The process is a mere formality for established software development companies, but drivers developed by independent creators or older programs with expired certificates are likely to become locked out in Windows 10.