Secure boot feature signing requirements for kernel-mode drivers


Clients – Windows 8 Servers – Windows Server 2012


In Windows 8 and Windows Server 2012, including WinPE, the kernel has been locked down to prevent malware introduced by boot or root kits from circumventing Windows operating system security requirements for signed drivers.

This change affects all kernel-mode drivers for devices that support unified extensible firmware interface (UEFI) Secure Boot; UEFI Secure Boot is required for Windows 8 certification for client machines, and optional for servers. It does not affect user-mode drivers.

Standard development for kernel-mode drivers involves either the use of kernel mode debugging or the boot configuration data (BCD) <testsigning> setting. Both of these are disabled when Secured Boot is on.


Kernel-mode drivers will not run if they are not properly signed by a trusted certification authority (CA). The operating system will not allow untrusted drivers to run and standard mechanisms like kernel debugging and testsigning will not be permitted.


To test drivers, you must disable Secure Boot in BIOS as well as meet the other test-signing requirements (see below).

When distributing drivers more widely they must be properly signed by a trusted CA.