Windows Hardware Dashboard: Attestation signing fails (no validation rule shown) for Windows 11 24H2/25H2

Question

Windows Hardware Dashboard: Attestation signing fails (no validation rule shown) for Windows 11 24H2/25H2

Steven Powell 20

This issue concerns the Windows Hardware Dashboard (Hardware Submission & Signing – all OS versions). I need assistance diagnosing attestation signing failures for Windows 11 24H2 and 25H2. Two separate attestation submissions fail with the same response: "There are files at the root of the cabinet: <cat>, <inf>, engineBIOkeyWBF.dll, nbbksensoradapter6520.dll, U2_BK6520.dll." No validation rule, policy failure, or diagnostic message is surfaced by the dashboard. Submissions: • BIO-key ECO ID III‑2 Private Product ID: <PII removed> Submission ID: <PII removed> • BIO-key ECO ID III‑3 Private Product ID: <PII removed> Submission ID: <PII removed> Context: To reconcile conflicting documentation, we submitted two CAB variants: 1) A CAB including the PDB for our UMDF/WBF engine DLL (per Microsoft’s attestation documentation stating a typical CAB includes the PDB and that the .pdb is required for Microsoft's automated crash analysis tools). 2) A CAB without the PDB (to satisfy newer packaging guidance stating that all files in the submission must be referenced by the INF, and PDBs cannot be referenced via INF syntax). Both variants fail identically with the same one-line message above, and no diagnostic rule is returned. INF/CAT validation via InfVerif and Inf2Cat succeeds locally for both Windows 11 24H2 and 25H2 OS selections. Artifacts ready to provide to Microsoft: • Full attestation failure report (expand -d outputs, .stats files, CAB SHA-256 fingerprints) • CAT dump excerpts (24H2 OS attributes created with Inf2Cat) • INF and CAT validation logs (InfVerif /h, Inf2Cat /os:10_GE_X64,10_25H2_X64) • symchk verification showing the engine DLL ↔ PDB GUID/Age match (for the PDB-included variant) Request: 1) Please identify the specific validation rule in the Hardware Dashboard that causes these attestation submissions to fail. 2) Please clarify the correct CAB packaging requirements for Windows 11 24H2/25H2 attestation, given the conflicting documentation around PDB inclusion versus “unreferenced file” enforcement. Thank you for your assistance — I can supply all report files and logs through a private channel.

Steven Powell 20 Reputation points

2026-03-02T15:30:16.49+00:00

The proposed answer does not apply to attestation signing. Microsoft’s attestation documentation explicitly states that a typical CAB contains the INF, CAT, driver DLL/SYS, and the PDB directly in the root of the CAB (no subfolders). The .pdb file is required for Microsoft's crash analysis tools. (Ref: Windows attestation signing documentation.) InfVerif /h and Inf2Cat /os:10_GE_X64 succeed locally, and both variant submissions (with and without PDB) fail identically with no rule surfaced. Therefore this is not a CAB layout violation. This requires escalation to the Windows Hardware Dashboard support team so the internal validation rule can be identified. Please route accordingly.
Steven Powell 20 Reputation points

2026-03-02T15:32:46.7033333+00:00

Microsoft team—this is a Windows Hardware Dashboard (Hardware Submission & Signing – all OS versions) issue.

Please pull the submissions by ID:

• Private Product ID: <PII removed>, Submission ID: <PII removed>

• Private Product ID: <PII removed>, Submission ID: <PII removed>

Both fail with the same one‑line response:

“There are files at the root of the cabinet: <cat>, <inf>, engineBIOkeyWBF.dll, nbbksensoradapter6520.dll, U2_BK6520.dll.”

No validation rule is surfaced by the dashboard.

We validated locally with InfVerif (/h) and Inf2Cat for Win11 24H2 (10_GE_X64) and 25H2; both are clean.

We also tested two CAB variants (with PDB per attestation doc; without PDB to avoid unreferenced‑file issues); both fail identically.

Please advise the specific failing validation rule for these Submission IDs and the correct attestation packaging requirement for Win11 24H2/25H2.

I can privately share:

• Attestation_Failure_Report_FULL.docx

• .stats (CAB SHA‑256 + per-file hashes)

• expand -d outputs

• CAT dump excerpts

• symchk match (DLL↔PDB) for the PDB variant

Please provide a secure upload link or open a private case tied to this thread. Thanks.
Steven Powell 20 Reputation points

2026-03-02T15:33:43.43+00:00

This fails exactly with the exact error reponse when I submit CABs for 25H2 and 24H2 .

Answer accepted by question author

0 additional answers

Your answer

Steven Powell 20 Reputation points

2026-03-02T15:30:16.49+00:00

The proposed answer does not apply to attestation signing. Microsoft’s attestation documentation explicitly states that a typical CAB contains the INF, CAT, driver DLL/SYS, and the PDB directly in the root of the CAB (no subfolders). The .pdb file is required for Microsoft's crash analysis tools. (Ref: Windows attestation signing documentation.) InfVerif /h and Inf2Cat /os:10_GE_X64 succeed locally, and both variant submissions (with and without PDB) fail identically with no rule surfaced. Therefore this is not a CAB layout violation. This requires escalation to the Windows Hardware Dashboard support team so the internal validation rule can be identified. Please route accordingly.
Steven Powell 20 Reputation points

2026-03-02T15:32:46.7033333+00:00

Microsoft team—this is a Windows Hardware Dashboard (Hardware Submission & Signing – all OS versions) issue.

Please pull the submissions by ID:

• Private Product ID: <PII removed>, Submission ID: <PII removed>

• Private Product ID: <PII removed>, Submission ID: <PII removed>

Both fail with the same one‑line response:

“There are files at the root of the cabinet: <cat>, <inf>, engineBIOkeyWBF.dll, nbbksensoradapter6520.dll, U2_BK6520.dll.”

No validation rule is surfaced by the dashboard.

We validated locally with InfVerif (/h) and Inf2Cat for Win11 24H2 (10_GE_X64) and 25H2; both are clean.

We also tested two CAB variants (with PDB per attestation doc; without PDB to avoid unreferenced‑file issues); both fail identically.

Please advise the specific failing validation rule for these Submission IDs and the correct attestation packaging requirement for Win11 24H2/25H2.

I can privately share:

• Attestation_Failure_Report_FULL.docx

• .stats (CAB SHA‑256 + per-file hashes)

• expand -d outputs

• CAT dump excerpts

• symchk match (DLL↔PDB) for the PDB variant

Please provide a secure upload link or open a private case tied to this thread. Thanks.
Steven Powell 20 Reputation points

2026-03-02T15:33:43.43+00:00

This fails exactly with the exact error reponse when I submit CABs for 25H2 and 24H2 .

Answer 1

Hello @Steven Powell ,

The error message — "There are files at the root of the cabinet: <cat>, <inf>, engineBIOkeyWBF.dll, nbbksensoradapter6520.dll, U2_BK6520.dll" — is itself the validation rule output, even though it reads more like a file listing than a diagnostic.

I'd point you to the official attestation signing documentation on Microsoft Learn as the primary reference here. Based on that, and on the driver code signing requirements page, the expected structure for a valid attestation CAB has evolved for newer OS targets.

In your case, what I'd suggest checking is whether your CAB is packaging files flat at the root versus nested inside an architecture subfolder. For 24H2 and 25H2 submissions, the dashboard increasingly expects files to be organized inside a named subfolder (typically the architecture, e.g. amd64\) rather than all at the root. Your current layout likely looks like this:

submission.cab
├── driver.inf
├── driver.cat
├── engineBIOkeyWBF.dll
├── nbbksensoradapter6520.dll
└── U2_BK6520.dll

The expected layout would be:

submission.cab
└── amd64\
    ├── driver.inf
    ├── driver.cat
    ├── engineBIOkeyWBF.dll
    ├── nbbksensoradapter6520.dll
    └── U2_BK6520.dll

If you're using MakeCab with a .ddf directive file, I'd suggest updating it to reflect this structure. A minimal example would look like:

.OPTION EXPLICIT
.Set CabinetNameTemplate=submission.cab
.Set DiskDirectory1=.
.Set DestinationDir=amd64

amd64\driver.inf
amd64\driver.cat
amd64\engineBIOkeyWBF.dll
amd64\nbbksensoradapter6520.dll
amd64\U2_BK6520.dll

Older attestation documentation does mention PDB inclusion for crash analysis, but the newer packaging guidance flags any file not referenceable via the INF as a potential rejection vector. For 24H2/25H2, I'd suggest omitting the PDB from the CAB for the initial submission to isolate the layout issue first.

For escalation, the Windows Hardware Certification blog for 24H2 and 25H2 both contain updated submission guidance that may clarify any policy changes specific to those releases. I'd also recommend opening a support case directly through Microsoft Partner Center support with your submission IDs attached — the Q&A forum won't be able to pull internal submission data, but a direct case will.

If my answer was helpful or informative to you, I would really appreciate if you could follow this guide to provide some feedback.
Thank you.

Steven Powell 20 Reputation points

2026-03-03T21:59:51.2533333+00:00

The subfolders for the CAB file worked. As an aside and for the rest of the class, "expand -d" will dump the file as a flat file, removing any file paths. "extrac32" (an older utility but still included in the WDK) can be used in place of "extract -d" but the subfolders will be output.
Michael Le (WICLOUD CORPORATION) 11,080 Reputation points Microsoft External Staff Moderator

2026-03-04T04:07:18.3266667+00:00

Thank you for your response. Feel free to reach out anytime if you have any questions.

Share via

Windows Hardware Dashboard: Attestation signing fails (no validation rule shown) for Windows 11 24H2/25H2

0 additional answers

Your answer