DigiCert KnowledgeBase - Technical Support-hero

Knowledge Base

Signing Kernel Mode Drivers

Solution ID : SO090921145952
Last Modified : 10/01/2024

Solution

The process for kernel mode drivers has changed as of April 2021. Microsoft will no longer allow kernel mode drivers to be signed solely by a publicly-trusted CA certificate. Microsoft now requires a kernel mode driver to be signed first by a publicly-trusted CA certificate, and then submitted for signing by Microsoft through the Microsoft development portal. More details can be found here.

Microsoft's new process for driver submissions

Starting in 2021, Microsoft will be the sole provider of production kernel-mode code signatures. Microsoft has implemented a new process for signing kernel-mode driver packages. You will need to sign any new kernel-mode driver packages by following Microsoft's updated Hardware Submission instructions. See Partner Center for Windows Hardware.

PREVENT EMAIL TAMPERING AND PHISHING WITH A DIGICERT S/MIME CERTIFICATE.

Create a new hardware submission

To prepare your hardware for the Windows Hardware Compatibility Program for Windows 10 (or the separate certification program for previous operating systems), you must create and submit an .hlkx file (for Windows 10) or .hckx file (for previous operating systems). This file is created using the Windows HLK Studio (or Windows HCK Studio, for previous operating systems) and contains all of the test results, drivers, and symbols for your product. Submitting this file allows the dashboard to review your test results, evaluate any drivers tested, and return Microsoft digitally signed catalog files.

To create a submission file

For information about creating and digitally signing an .hlkx file, see the Windows HLK Getting Started Guide.

For information about creating and digitally signing an .hckx file, see the Windows HCK Getting Started Guide.

To submit a file

  1. Sign in to the Partner Center, and then select Submit new hardware. This loads the submission creation wizard.
  2. In the Packages and signing properties section, choose a name for your driver submission. This name can be used to search for and organize your driver submissions. Note: If you share your driver with another company, they will see this name.
  3. Either drag and drop, or browse to the .hlkx/.hckx file that you want to submit. The file will begin to upload.
  4. It is at this point that the submission portal determines what Product Type is being submitted. Then, at the Submission page, the portal presents any questionnaire that may be required for a product being submitted for Windows Server certification. For all products submitted for Windows Server certification or signing where the submission portal presents a questionnaire, you must complete the questionnaire. The submission will not complete unless the questionnaire is completed.
  5. If you wish to test a driver prior to release, you can select the checkbox labled "Perform test-signing for Win10 and above" OR "Perform test-signing for OS below Win10 (legacy)". Test-signed drivers are similar to drivers signed for public release, but do not require HLK testing. They are also not distributed through Windows Update, but can be downloaded from the hardware submission site. They can be installed on test machines only. For more information about test-signing driver packages, see WHQL Test Signature Program and How to test-sign a driver package.
  6. Select Request Signatures as applicable. This option allows you to specify which operating system signatures (including allowable downlevel operating systems) should be included with your driver. Available certifications vary depending on your driver submission package, so there may not be any certifications listed.

    Note: If you are signing a driver package for a single architecture, only include logs for the intended architecture. For example, to sign for x64 only, submit only the x64 logs.
  7. In the Certification section, complete the following information:
    Field Description
    Device type Indicate if your device is:
    - An internal component, if your device is part of a system and connects inside the PC.
    - An external component, if your device is an external device (peripheral) that connects to a PC.
    - Both, if your device can be connected internally (inside a PC) and externally (peripheral).
    Device metadata category Select an incon for your device from a list of default icons based on your device category. This determines which icon appears in Devices and Printers. If your device should not appear, select "Internal device".

    For information about delivering a rich experience with Windows Device Stage, see Device Metadata.
    Device metadata model ID These GUIDs are used to validate your Device Metadata submissions to the legacy Sysdev dashboard. If provided, they must match the model IDs in your device metadata package.
    Announcement date Enter the date when you want your product included on the Windows Server Catalog, the Windows Certified Products List, and the Universal Driver List.
    Marketing name Enter the marketing name(s) for your submission. Marketing names allow you to provide aliases for your product. You can provide as many names as you want.

  8. Select Submit.
  9. The Distribution section is used to publish your driver to Windows Update. For information about how to use the Distribution section, see Manage driver distribution with shipping labels.
  10. You can monitor the progress of your submission with the progress tracker at the top of the page. Once all steps show a green check, the submission is complete and your organization will receive a notification in the dashboard header.
  11. Review the results. If your submission failed, make any necessary changes and resubmit.