How to test pre-production drivers with Secure Boot enabled
On retail and production systems, the Windows kernel only trusts and loads drivers with a production WHQL/WHCP signature. To test pre-production drivers, it's required that driver developers enable TESTSIGNING to enable non-production drivers to load. TESTSIGNING requires disabling Secure Boot, to present a difference in the testing and production environments.
The Windows kernel supports loading pre-production drivers signed with the WHQL/WHCP pre-production signature. The WHQL/WHCP signature is accessible through the Microsoft Hardware Developer Center (HDC).
Prerequisites
Sign your pre-production drivers with Partner Center Hardware dashboard
Download EnableUefiSbTest.exe from the latest version of the Windows Driver Kit (WDK) or from Download Center. The default setup location of the EnableUefiSbTest tool is C:\Program Files (x86)\Windows Kits\10\tools\{arch}\SecureBoot\EnableSB.
{arch}can be one of{amd64, x86, arm, arm64}. The policies are located under the same SecureBoot directory:C:\Program Files (x86)\Windows Kits\10\tools\{arch}\SecureBoot\Policies.
Enable support for the pre-production WHQL/WHCP Signature
Once your driver is pre-production signed, you're ready to provision a test computer where you'll install the driver.
The provisioning tools and payload are provided starting in Windows 11, version 22H2.
Use of the EnableUefiSbTest tool is strongly recommended. Alternatively, you can manually provision the Microsoft Test Root key from the HLK Secure Boot Manual Tests section (UefiSecureBootManualTests.zip\ManualTests\certs\test\db_MSFTtestSigningRoot.cer). The Microsoft test key must be included in the Secure Boot database (DB) and the Secure Boot Configuration Policy (SBCP) to enable trust for the pre-production WHQL/WHCP driver signature.
Note
When provisioning any of the Secure Boot databases, never production sign a payload with the Microsoft test keys inside.
Provisioning Steps
In the system’s UEFI menu, disable Secure Boot and clear the Secure Boot keys, if applicable. This will allow the provisioning tool to set the test keys to trust the Secure Boot policy file and re-enable Secure Boot.
Download the correct Secure Boot policy .p7b file, depending on the system architecture, as well as the accompanying provisioning tool, EnableUefiSbTest.exe, from the WDK. For the location of the provisioning tool, see Prerequisites.
Run the following command in an elevated instance of PowerShell or Terminal and validate that the PK, KEK, db, dbx and OemId values are empty (“Not Found”):
EnableUefiSbTest.exe /dumpIf Secure Boot is disabled and the keys have been successfully cleared, the following output is expected:
EnableUefiSbTest.exe /dump Name: PK Not Found Name: KEK Not Found Name: db Not Found Name:dbx Not Found Name: OemId Not FoundProvision the Secure Boot test keys into the Secure Boot db and re-enable Secure Boot by running the following command in an elevated instance of PowerShell or Terminal:
EnableUefiSbTest.exeNote
EnableUefiSbTest.exe will not output/return anything after successfully running.
Optionally, specify the
thirdpartycommand to provision the Microsoft UEFI CA certificate alongside the default keys in the Secure Boot DB. This will allow trust for Microsoft UEFI CA-signed EFI executables like option ROMs and non-Windows bootloaders.EnableUefiSbTest.exe /thirdpartyFor devices running Desktop-based Windows, mount the EFI partition of the system and copy over the Secure Boot policy (.p7b) file to S:/EFI/Microsoft/Boot by running the following command in an elevated instance of PowerShell or Terminal:
mountvol s: /s copy-item <path_to_p7b> S:/EFI/Microsoft/Boot/SecureBootPolicy.p7bNote
Because Windows kernel requires the Secure Boot policy file in the form of
SecureBootPolicy.p7b, the name and file format must not be modified.For devices not running Desktop-based Windows, copy the corresponding
PreProductionPolicy.polto\EFI\Microsoft\Boot\Policies. Then deleteFullDebugPolicy.polfrom\EFI\Microsoft\Boot\Policies.Reboot the system to allow Windows kernel to refresh the policies. Secure Boot is now re-enabled and provisioned automatically by the provisioning tool. This can be validated by re-running
EnableUefiSbTest.exe /dumpas admin and validating that only thedbxandOemIdvalues are empty (“Not Found”).The system is ready to validate preproduction WHQL/WHCP signed driver content. Rebooting the system will not impact the state of the device, as long as the Secure Boot keys and Secure Boot policy file(s) aren't modified.
Deprovisioning Steps
To deprovision the system and opt-out of preproduction signing trust on the system:
Delete the Secure Boot policy files from the mounted EFI partition by running the following commands in an elevated instance of PowerShell or Terminal:
mountvol s: /s rm S:/EFI/Microsoft/Boot/SecureBootPolicy.p7bNote
If the validations are being performed on a HoloLens 2, the .pol policy files must also be removed from S:/EFI/Microsoft/Boot/Policies.
Boot into the system's UEFI menu and reconfigure Secure Boot keys to factory settings.
Reboot the system and run
EnableUefiSbTest.exe /dump, which should return non-empty values forPK,KEK,dbanddbxvalues indicating the keys were returned to factory state.Note
We recommend clean installing Windows on the system to de-provision a system intended for retail environments.
FAQs
Q: The EnableUefiSbTest.exe /dump command is only showing a result for PK. Is something wrong?
A: This will happen if the tool is run as a standard user instead of as admin.
Q: The EnableUefiSbTest.exe /dump command returns an error that I don't recognize. What do I do?
A: An error may be thrown by the tool when Secure Boot has not been successfully disabled and/or the Secure Boot keys have not been cleared. Verify that Secure Boot is disabled.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for