Microsoft Revamps Windows Driver Building and Signing Process

Microsoft is significantly revamping its approach to Windows driver development and signing, introducing a series of changes aimed at enhancing system security, stability, and reliability. These updates signal a move towards a more robust and secure driver ecosystem for the Windows operating system.

Elevating Driver Security and Reliability

Microsoft is implementing a higher security and resiliency bar for all drivers, particularly those operating in kernel mode. This initiative involves introducing more rigorous certification tests that drivers must pass before they can be signed and distributed. The company’s goal is to reduce the likelihood of driver-related system instability and security vulnerabilities.

These enhanced security measures are a direct response to the increasing complexity of the threat landscape and the critical role drivers play in operating system integrity. By tightening the requirements, Microsoft aims to prevent malicious actors from exploiting driver vulnerabilities to gain unauthorized access or compromise system data.

The increased scrutiny extends to all aspects of driver development, from initial coding practices to final verification. This comprehensive approach seeks to build trust in the Windows ecosystem by ensuring that only well-vetted and secure drivers make their way onto user systems.

Shifting Towards User-Mode and Standardized Drivers

A key tenet of Microsoft’s revamp is the push to move peripheral driver logic out of the kernel and into user mode. This strategic shift is intended to minimize the impact of potential driver failures, as user-mode components are less likely to cause system-wide crashes.

Microsoft is expanding its provision of Windows in-box drivers and APIs. This will enable hardware partners and original equipment manufacturers (OEMs) to replace many custom kernel drivers with standardized Windows drivers, thereby simplifying development and enhancing system stability.

Over the coming years, this strategy is expected to lead to a significant reduction in third-party code running in kernel mode across various driver classes, including networking, cameras, USB, printers, and audio devices.

Modernizing the Driver Signing Process

The process for pre-production driver signing is undergoing a significant transformation. Previously, the lifespan of pre-production drivers was tied to the expiry of the Certificate Authority (CA) that signed them. This model is being updated to decouple the trust period from CA expiry.

A new CA, “Microsoft Windows Component Preproduction CA 2024,” is being introduced for pre-production signing starting June 9, 2025. Drivers signed after this date will no longer have their trust period linked to the CA’s expiration, allowing for more continuous testing and deployment cycles.

Drivers signed before June 9, 2025, using the older PCA 2010 CA will expire on July 6, 2025, aligning with the CA’s expiration. This change aims to streamline the testing and validation phases for developers.

Deprecating Windows Device Metadata and WMIS

Microsoft is retiring Windows Device metadata and the Windows Metadata and Internet Services (WMIS) as of May 2025. These services, introduced with Windows 7, provided supplementary user-facing information about hardware devices, such as icons and descriptive text, via XML files.

Going forward, Microsoft recommends using INF (setup information) files instead of device metadata. This shift is part of a broader effort to modernize and simplify the driver delivery and management infrastructure.

The deprecation of WMIS also reduces the attack surface and overhead associated with maintaining backward compatibility for older infrastructure, contributing to a leaner and more secure Windows ecosystem.

Enhanced Security Measures for Kernel Drivers

For kernel-mode drivers, Microsoft is introducing practical guardrails to improve quality and contain faults. These include mandatory compiler safeguards to constrain driver behavior, driver isolation to limit the blast radius of issues, and DMA-remapping to prevent accidental driver access to kernel memory.

These measures are being implemented in the aftermath of significant service interruptions caused by faulty driver updates, such as the CrowdStrike incident in July 2024. The goal is to prevent such widespread outages by enforcing stricter operational boundaries for kernel-level code.

While Microsoft will continue to support third-party kernel-mode drivers where integrated alternatives are unavailable, such as graphics drivers, these specialized drivers must adhere to the updated technical regulations.

Stricter Driver Attestation and Verification

Microsoft is enforcing stricter policies for driver attestation through its Windows Hardware Compatibility Program (WHCP). This includes the mandatory enforcement of InfVerif /h validation, which checks for driver isolation and ensures that driver packages are resilient to external modifications and easy to install and update.

This ruleset was already part of WHCP and Attestation workflows but will now be a mandatory requirement for compliance. The tech giant anticipates this change will significantly increase the security and quality of the Windows driver ecosystem.

OEMs and other partners are advised to run the InfVerif /h ruleset on their driver packages prior to submission. The ruleset is automatically run on the Windows 11, version 25H2 HLK, simplifying the process for those testing with that version.

The Role of Driver Verifier

Driver Verifier remains a crucial tool for developers to ensure the reliability of their drivers. Available in all versions of Windows since Windows 2000, it has been continuously enhanced with new features and checks to identify bugs in drivers.

Recent updates, such as those for Windows 11, enable many flags without requiring a reboot and introduce new driver validation rules for specific technologies like audio and AVStream drivers. For Windows 8.1, new options were added to detect errors, including NDIS/WIFI verification and systematic low resource simulation.

Using Driver Verifier is essential for identifying common driver problems and ensuring that drivers are not making illegal function calls or causing system corruption. Its ongoing development reflects Microsoft’s commitment to improving driver quality.

Transitioning to Modern Driver Models and Tools

Microsoft encourages developers to adopt the most modern driver models available, such as Windows Driver Frameworks (WDF), including KMDF and UMDF, over older models like WDM. This approach helps avoid many of the problems associated with legacy driver architectures.

The Windows Driver Kit (WDK) is also being made more accessible through NuGet packages, allowing for easier acquisition and updates within modern CI/CD pipelines and Visual Studio. This integration streamlines the driver development toolchain and ensures developers are using the latest components.

The Driver Module Framework (DMF), an open-source framework designed to improve and speed up the development of Windows Driver Frameworks, further supports this modernization effort by promoting code reuse and maintainability.

Ongoing Support for Specialized Kernel Drivers

Despite the push towards user-mode and standardized drivers, Microsoft affirms its continued support for third-party kernel-mode drivers where no suitable integrated alternatives exist. Graphics drivers, for instance, will continue to operate in kernel mode to meet specific performance and feature demands.

These specialized drivers, however, must still adhere to the updated technical regulations and enhanced security requirements. This balanced approach ensures that while the overall driver ecosystem becomes more secure and streamlined, unique hardware functionalities can still be supported.

This ongoing support acknowledges the diverse needs of hardware development and ensures that innovation is not stifled, provided that security and reliability standards are met.

Impact on Developers and Enterprises

These changes represent a significant shift for driver developers, requiring them to adapt to new security standards, testing protocols, and development models. The increased complexity of the signing process, particularly the need for Extended Validation (EV) certificates, adds a new layer of requirement for submission.

Enterprises will need to ensure they deploy the latest cumulative updates to maintain trust in new pre-production driver signatures. Proactive communication with hardware vendors about their readiness for these transitions will also be crucial for managing device procurement and deployment timelines.

The move towards a more secure driver ecosystem is expected to yield long-term benefits, including reduced attack surfaces, improved device trust, and more efficient troubleshooting for IT professionals.

The Evolving Landscape of Driver Signing

The driver signing policy has evolved considerably, with Windows 10, version 1607, mandating that all new kernel-mode drivers be signed by the Dev Portal. This process typically requires an Extended Validation (EV) certificate and submission through the Windows Hardware Developer Center.

The requirement for digitally signed drivers is a cornerstone of Microsoft’s security strategy, aimed at preventing malware and rootkits from infiltrating the operating system at its lowest levels. This policy ensures that only code vetted by Microsoft or a trusted authority can execute in the kernel.

While this stringent signing process enhances security, it also means that developers must navigate a more complex certification and validation pathway, potentially increasing development time and costs.

Microsoft’s Commitment to a Secure Ecosystem

Microsoft views the security of the Windows ecosystem as a shared responsibility between the company and its partners. By adhering to security guidelines, monitoring driver reliability data, and staying informed about the latest threats, partners play a vital role in this collaborative effort.

The company provides resources such as the Driver security checklist and guidance on secure coding practices to help developers build more robust and trustworthy drivers. This focus on partnership and shared responsibility is essential for creating a secure environment that users can rely on.

The continuous updates and improvements to driver development tools and policies underscore Microsoft’s dedication to maintaining the integrity and security of the Windows platform for all users.

Strategic Cleanup of Legacy Drivers on Windows Update

In a move to optimize security and driver quality, Microsoft is initiating a routine cleanup of legacy drivers from Windows Update. This process involves identifying and expiring older drivers that have modern replacements available.

The initial phase targets drivers with newer counterparts already on Windows Update, with a six-month grace period for partners to voice concerns before permanent removal. This initiative aims to ensure that only current and essential drivers are readily available, reducing potential compatibility issues and security risks.

Microsoft plans to expand this cleanup to other categories of drivers in the future, communicating broadly with partners at each step to maintain transparency and ensure a smooth transition toward a more streamlined driver landscape.