Kernel checks for non-WHQL signed drivers
For devices that clean install Windows 10, and where Secure Boot is on (note that this is standard for all new devices since the release of Windows 8.0), all new drivers must be signed by WHQL/Sysdev rather than just use cross-signed certificates. Devices that are upgraded and cases where drivers have been signed with a cross-cert before this policy went into effect are excluded from this policy to ensure backwards compatibility. This policy was announced April 2015, however it will be enforced with the Windows Anniversary Edition, released August 2016.
In cases where a driver is not signed correctly, it will manifest as a PCA notification that the driver(s) is blocked when it doesn’t pass signature requirements. This prevents a later disconnected user experience of the driver being blocked in kernel transparently.
For more information, please refer to this blog post, which announces the driver signing change.