How do I allow cross-signed kernel drivers in Windows 10 version 1607 with secure boot enabled?


Windows 10 Version 1607 (aka Anniversary Update) is now enforcing the tightened kernel driver certification which was already announced in 2015 as a requirement for Windows 10. The new rule is that all Windows 10 drivers must be digitally signed by Microsoft, no more cross-signing! Kernel driver developers must now use an Extended Validation (EV) code signing certificate and submit their drivers to the Windows Hardware Developer Center Dashboard Portal, where the drivers will be signed by Microsoft after passing certain tests.

However, there are exceptions to that rule. Cross-signed kernel drivers are still accepted by Windows 10 version 1607 if any of the following is true:

  • The driver is signed with a certificate that was issued before 29th of July 2015
  • The driver is a boot up driver
  • Secure Boot is Off
  • The Windows 10 version 1607 System was upgraded and not directly installed
  • A secret registry key is set that allows cross-signed drivers to load even on systems with Secure Boot enabled

In my company we do have the issue that several drivers are now disabled on systems that received a clean Windows 10 version 1607 installation, and even certain Intel drivers are affected. In addition, highly secured KVM virtual machines that use the TianoCore UEFI BIOS with secure boot enabled now don't load the VirtIO network and balloon drivers because of digital signature errors.

And I can confirm that the drivers work fine on systems with secure boot disabled and on Windows 10 systems that were upgraded (in-place) to version 1607, even with secure boot enabled.

Now I'm wondering what the name and value of that secret registry key is that was announced by Microsoft in the following video at 00 h 11 m 00 s:

Channel 9 - Plugfest28 - Driver-Certification-on-Windows-Client-and-Server

... and then finally we are actually going to have a registry key ... and this registry key is ... you know ... intended just for testing so we definitely don't want you to ... setting this registry key as you install the driver and ... the registry key essentially mimics the same behavior as if you have an upgraded system ...

That key was never announced by Microsoft and because of the following message in OSR's ntdev list I believe this will never happen:

I hate to say this, but since you asked: The registry key information is only available under NDA. Which means it'll probably turn-up in lots of places online eventually, but until that time WE WILL NOT be discussing it here.

And this leaves me at my actual Super User question:

What is that secret registry key that tells Windows 10 version 1607 that it was upgraded from a previous version?

gollum

Posted 2016-08-15T11:14:16.563


If I were to hazard a guess: the same key that has always been used when you upgrade from a previous version of Windows to a newer version of Windows. – Ramhound – 2016-08-15T12:45:22.367

@Ramhound ... which would be? – gollum – 2016-08-15T12:46:06.523

Any hint of who is using that key? Its existence suggests it is given to outside parties for use in certain situations. If that's true, wouldn't it make sense to approach Microsoft and ask to be included among them? – None – 2016-08-15T14:56:01.120

@Will Microsoft is using that key in order to not apply the stricter driver signing policy on Windows 10 systems which have performed the in-place anniversary update (they don't want to disable systems that have been working before the update). On the other hand the existence of this key might be considered a security risk because it can nuke the stricter policy which people might want to have in place eventually. – gollum – 2016-08-15T17:42:52.247

Have you tried this one?

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing]

Change the BehaviorOnFailedVerify key value to "0". – HackSlash – 2018-04-19T20:19:10.850

Answers


You can try the TESTSIGNING boot configuration option:

bcdedit.exe /set testsigning on

Make sure to disable Secure Boot and boot into the OS to execute the bcdedit command; once done, you can reboot into the OS with Secure Boot enabled.

The TESTSIGNING boot configuration option determines whether Windows Vista and later versions of Windows will load any type of test-signed kernel-mode code. This option is not set by default, which means test-signed kernel-mode drivers will not load by default on 64-bit versions of Windows Vista and later versions of Windows.

Note: After you change the TESTSIGNING boot configuration option, restart the computer for the change to take effect.

Ashish Namdev

Posted 2016-08-15T11:14:16.563


Testsigning mode is not an option since the kernel would load drivers that are signed by any certificate and the validation is not required to chain up to a trusted root certification authority. Basically the question is about making a freshly installed system behave like an upgraded system with regard to the driver signature validation policy. – gollum – 2018-09-19T10:55:27.853
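Before deciding between the exceptions listed in the question and the TESTSIGNING route from the answer, it helps to know which drivers on a machine actually depend on cross-signing. The following script is an added example, not code from the question, the answer or Microsoft; it assumes an elevated PowerShell 5.x prompt on a UEFI Windows 10 host with English bcdedit output, and it reports Secure Boot state, the TESTSIGNING flag and, for every running kernel driver, its signer and certificate issue date against the 2015-07-29 cutoff named in the question.

```powershell
# Added example (not from the question or answer). Reports the inputs the 1607
# driver-signing policy depends on: Secure Boot state, TESTSIGNING, and for each
# running kernel driver its signer and certificate issue date, so drivers that
# rely on cross-signing (non-Microsoft signer, certificate issued on or after
# 2015-07-29) can be found before a clean install. Run from an elevated prompt.

$Cutoff = Get-Date '2015-07-29'   # cutoff date quoted in the question

# Confirm-SecureBootUEFI throws on legacy BIOS systems; treat that as "off".
try { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }
# bcdedit prints "testsigning  Yes" on the current entry when the flag is set (English locale assumed).
$testSigning = (bcdedit /enum '{current}' | Out-String) -match '(?im)^\s*testsigning\s+Yes'

function Resolve-DriverPath([string]$p) {
    # Win32_SystemDriver.PathName uses several path syntaxes; normalise them.
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return [Environment]::ExpandEnvironmentVariables($p)
}

function Get-DriverSigningReport {
    Get-CimInstance Win32_SystemDriver |
      Where-Object { $_.State -eq 'Running' -and $_.PathName } |
      ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not (Test-Path $path)) { return }
        # Caveat: drivers signed only through a catalog may show as NotSigned on older PowerShell builds.
        $sig  = Get-AuthenticodeSignature -FilePath $path
        $cert = $sig.SignerCertificate
        $isMicrosoft = [bool]($cert -and $cert.Subject -match 'O=Microsoft Corporation')
        [pscustomobject]@{
            Driver    = $_.Name
            Status    = $sig.Status
            Signer    = if ($cert) { ($cert.Subject -split ',')[0] } else { '-' }
            Microsoft = $isMicrosoft
            CertFrom  = if ($cert) { $cert.NotBefore.ToString('yyyy-MM-dd') } else { '-' }
            # Third-party signer with a certificate issued on/after the cutoff: on a clean
            # 1607 install with Secure Boot on, this driver loads only via an exception.
            AtRisk    = [bool]($cert -and -not $isMicrosoft -and $cert.NotBefore -ge $Cutoff)
        }
      }
}

"Secure Boot: $secureBoot   TESTSIGNING: $testSigning"
$report = Get-DriverSigningReport
$report | Sort-Object AtRisk -Descending | Format-Table -AutoSize
"Drivers relying on cross-signing exceptions: $(@($report | Where-Object AtRisk).Count)"
```

On an in-place upgraded system the AtRisk rows are exactly the drivers that would stop loading after a clean reinstall with Secure Boot enabled, which makes the report a useful inventory before rebuilding such machines.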