Microsoft Overhauls Windows Driver Building and Signing Process

Microsoft is changing how Windows drivers are built and signed. And, it’s doing that by extending its driver resiliency playbook beyond antivirus makers to make drivers safer, more secure, and more reliable.

As part of this effort, signed drivers will now have to meet a higher security and resiliency bar, passing multiple new certification tests. Microsoft, in the announcement post, mentions that it expects a significant reduction in kernel-mode code over the coming years that covers drivers for networking, cameras, USB, printers, storage, and more.

To support this, Windows will get an expanded set of in-box drivers and APIs, allowing OEM partners to replace custom kernel-level drivers with standardized Windows drivers. This should not only stabilize the OS but also reduce overall system bloat.

Here’s what’s changing according to Microsoft:

What’s changing:

• Driver signing will require a higher security and resiliency bar with many new certification tests.
• We are expanding Microsoft-provided Windows in-box drivers and APIs so partners can replace many custom kernel drivers with standardized Windows drivers or move logic to user mode.
• Over the coming years, we expect a significant reduction in code that runs in kernel mode across driver classes such as networking, cameras, USB, printers, batteries, storage, and audio.

At the same time, third-party kernel-mode drivers will continue to be supported. Microsoft says that partners can innovate where Windows does not provide in-box drivers. For instance, graphics drivers will remain in kernel mode to preserve performance.

To further improve reliability, Microsoft is adding safeguards for kernel-mode drivers to contain faults before they cause outages. These include mandatory compiler checks, driver isolation to limit the blast radius, and DMA-remapping to prevent accidental access to kernel memory.