All Windows 10 Kernel Mode Drivers Must Be Digitally Signed By Microsoft (i-programmer.info)
"Last year, we announced that beginning with the release of Windows 10, all new Windows 10 kernel mode drivers must be submitted to the Windows Hardware Developer Center Dashboard portal to be digitally signed by Microsoft," reads an MSDN blog post. "However, due to technical and ecosystem readiness issues, this was not enforced by Windows Code Integrity and remained only a policy statement. Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the Operating System, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal."
Slashdot reader mikejuk quotes a report from i-programmer.info which argues "the control of what software users can run on their machines is becoming ever tighter," and compares Microsoft's proposal to an XKCD cartoon: Before you start to panic about backward compatibility with existing drivers the lockdown is only going to be enforced on new installations of Windows 10. If you simply upgrade an existing system then the OS will take over the drivers that are already installed... Only new installations, i.e. installing all drivers from scratch, will enforce the new rules from Windows 10 version 1607... Be warned, if you need to do a fresh install of Windows 10 in the future you might find that your existing drivers are rejected.
For 97% of Windows 10 users (yes, I made that figure up) this is a total non-issue. It may even be a benefit to protect them from themselves. Many can't distinguish between safe and not so safe web sites from which to download programs and such. These folks may not even know how to uninstall drivers that don't uninstall automatically when a related piece of software is uninstalled. If you are a registered developer, this isn't an issue either as MS gives you a way around it.
For the rest of us, well, there aren't enough who haven't already migrated to iOS or Linux so MS doesn't give a shit.
Also, submitting drivers to the Dev Center now requires an EV CODE SIGNING CERTIFICATE.
Even though Microsoft will sign the final result, you have to have an EV CERT from a small list of approved CAs to sign your code before their portal will sign it per the new policy.
In case you have not noticed, the cheapest of the EV certs is $1000 a year; only organizations can obtain these certificates, not individual developers.
Also, all EV Code signing certs require Smartcard/Token-Based Storage of your certificate's private key to ensure credentials cannot be shared, and you cannot automate the digital signing process.
This is a move to make sure Open Source software developers and individuals cannot produce kernel mode drivers.
Actually I think they are in cahoots with the movie and music ownership industry. This move is all about enforcing DRM.
Intel and AMD want Microsoft to make the OS have CPU busting features .. Like I dunno 3D animated window management, voice control, fingerprint recognition etc.
But this driver move, it seems entirely dreamt up by the DRM crowd. They don't want you to play any video or music that may be similar looking or sounding to anything they own. I mean the browser industry sold out already. How come when ads play in a browser the player controls are limited?
I'm using Windows 10 and I cannot figure out how to change a user's password.
The Anonymous Cowards who responded to you have given you the correct answers. It should be noted that the method for administering other local accounts has not changed since Windows 2000. You still use Control Panel->User Accounts as you did back then, although the method of getting to the control panel has changed over time. In Windows 10 you right click on the start button and choose it from the pop up menu.
The command line version of "net user username NewPassword" has not changed at all since Windows NT 4.0 (19 years ago). Of course, if you are not used to Windows then it is quite reasonable that you wouldn't know the command to use, any more than a Windows admin would magically know to misspell the word password on Linux.
Or, you know, it's to prevent viruses and other such garbage that has plagued windows for years and years, to be able to boot up with windows by masquerading as a driver?
I see nothing wrong with this. If anything it will force manufacturers to get their sh*t together and stop releasing buggy half baked drivers.
Or, you know, it's to prevent viruses and other such garbage that has plagued windows for years and years, to be able to boot up with windows by masquerading as a driver?
Actually the GP is right, and Microsoft calls it out themselves:
To play back certain types of next-generation premium content, all kernel-mode components in Windows Vista and later versions of Windows must be signed. In addition, all the user-mode and kernel-mode components in the Protected Media Path (PMP) must comply with PMP signing policy.
Besides, the only way to install kernel mode drivers is to be running as administrator. If malicious code is allowed to run on your computer with administrative credentials, you're already screwed in any number of ways. Installation of a kernel driver is just one avenue.
I see nothing wrong with this.
I see everything wrong with this. Microsoft is now dictating what software can be run on my computer. That alone is enough of a reason to vehemently reject this, but think also of the F/OSS software impacted. There are plenty of software tools out there which run a driver as part of their operation and not all of these will want to or be able to get their drivers signed.
I have been trying to decide lately if I'll ever bite the bullet and move from Windows 7 to Windows 10, or if I'll start looking at migrating to Linux. The decision just got a lot easier.
"What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib