At least with the Insider build from last Friday (haven't had to install anything new yet since the most recent), you can still do Settings->Update & Security->Recovery->Advanced Startup->Restart Now. Then select Troubleshoot, Advanced options, Startup Settings, then Restart button. Finally use option 7 "Disable driver signature enforcement". Sure, it's a lot of steps, but it's what I had to do to get the drivers working for our CNC machine. You only have to do it when installing; once installed, they continue to work.
Are you sure? Because I kind of find it hard to believe that printer drivers would be kernel level drivers and not user level. I guess other stranger things are true, though.
They'd have to be very old. IIRC at best for XP, but likely bit older. It used to be popular way to write them. And it had predictable effect on system stability.
Yep. Good point, I don't think people realize how easy Windows 7 can be hijacked with a driver-based rootkit, even with Secure Boot (because Windows 7 under Secure Boot only validates the drivers that load during the boot process, not drivers initialized under the operating environment like occasional drivers)
Windows 10 and even Windows 8 introduced an internally validating driver model which, although it can be bypassed, at least gives you a scary warning you need to click through TWICE.
While I appreciate Microsoft's concern, I frequently run unsupported drivers and software for some things. IMO, it should be an option on the UAC panel.
Typo in article title: "Enforcesment Policy" should be "Enforcement Policy"
While I agree with what you are saying, I think the comment was made more in terms of an x64 system with all of the available security options enabled.
Driver signing enforcement to combat malware? Don't make me laugh. Only idiots actually believe that. Malware is spreading through bugs in existing fully signed components.
The actual purpose of this policy is enforcing media DRM and attempts to create a fully walled garden. Users get only drawbacks, like you can't easily patch a certain driver even if you have administrator rights (one well known example is Realtek audio drivers).
The malware may spread through bugs in signed components, but signing enforcement helps reduce the impact once the malware is on the machine. It makes it harder for the malware to escalate privileges or install root kit drivers.
It does not. If you got into the system through a bug in a signed driver, you basically have exactly the same rights as that driver. Instead of installing your code "the official way" you just call the compromised signed driver to execute it.
I don't know the situation with PMP, but if nobody broke it just means it wasn't interesting enough. The whole thing was invented for protecting BD playback while people found better ways to dump it.
"Rootkit" is just a technique, it has nothing to do with signing enforcement. Actually Sony would likely get WHQL or any other signature on it from MS with no problems if it were required.
There are three essential changes. First all drivers must now be signed by Microsoft. Second you can have any driver signed for you by Microsoft. there is no charge, typical turnaround time is 15 minutes. Third you must authenticate yourself to Microsoft by having an EV Code signing certificate.
This is all about preventing people with stolen code-signing certificates signing drivers (think Stuxnet.) EV Certificates are distributed on a security key, so harder to steal. If your dongle goes missing you probably will realize it is stolen and the cert can be cancelled.
JoeyJoJo123 - Friday, October 14, 2016
======================================================
That's a mute point. Bare in mind that it's a doggy-dog world out there, and $250 fees for software licensing can make or brake a company. In lame man's terms, Microsoft is a business, and businesses gotta make money. It's in any businesses' best interests to charge for whatever they can, and Microsoft will probably start that up again. By not charging, they're acknowledging that they're playing a zero-sum gain.
But you know, just take with these words with a grain assault.
=====================================================
I logged in just to acknowledge your post - a masterful combination of whimsical and wise. Thank you. You made my day.
It seems that not all AMD drivers carry a digital signature; their last release for the 5850 card does not have a digital signature. Hence the new update installed and lo and behold, big crash !!!! So who is responsible? My card is fantastic, even some of the latest cards can't match it. So who is to blame for the fact that my system went bang so to speak.. AMD ?? I don't think so !! All worked 100% before the update..
BS meter pegged! If you read the article you would have noticed this doesn't affect updated systems, only fresh installs with AE preinstalled (at this point, only new OEM boxes really). So no, your crash is unrelated. Second, and possibly also unrelated, that 5850 is an antique compared to new cards. Sorry. It's Terascale architecture. Even a lowly RX 460 would beat it.
Also if you did have a new install with this signing enabled, you could disable Secure Boot to turn it off. No, your crash is unrelated to this feature. I'd bet you picked up some malware at some point that damaged your system files or something along those lines.
This is definitely for DRM and Universal Windows Platform apps with security on the side.
If I run an unsigned video or audio driver, UWP apps refuse to load DRM material and say that the driver installed is unsupported or my system is currently unsupported.
Never mind that UWP apps sound terrible, as they bypass all of my sound card's processing and features. Bass and treble control? What's that? It's all generic. My SB X-Fi Titanium (PCIe) has a UAA component to use generic MS drivers, and I'm sure I'll be forced to use them at some point.
That could very well be Creative's fault or the game developer. Their drivers are godawful. Even the latest drivers for my newer and better-supported-on-Win10 Sound Blaster Z-series card have some minor issues. I don't know if you noticed but Creative has virtually killed off their sound "card" business. Look at their support website as an example. You have to click on "Sound Blaster" which pictures an external unit. Then you have to click on the tiny lettering at the bottom "If your product is not listed above, please click here". It's like hey you with the unsupported crap, down here.
It's a shame too because the sound cards themselves are very good and far superior in terms of sound quality, compared to most onboard solutions.
Was anyone really surprised big names like AMD or NVIDIA are not affected by this? If they can't figure it out, how would anyone?
What I would really have liked is a look at how small independent companies are supposed to handle this gracefully, especially if they provide software-only drivers (say loopback audio devices ala Virtual Audio Cable and similar things), because those are those that are really stuck trying to figure it out, not huge companies like AMD or NVIDIA.
This update is BS as is all the additional "security" BS. If you are a small fish, you don't need any of these fancy "security" features, and if you are a big fish, you have your IT dept. working on custom solutions to protect you.
Happily sailing on Windows 7 and will be for years to come.
The only device I've had problems with on Win10 is a generic Xbox controller USB adapter. The driver isn't signed and so I have to turn off driver signing in order to use my 360 controllers with my PC.
Eventually this will work itself out as I move onto PS4 and XBO controllers on PC, but for now I have to completely disable driver signing to play.
The best approaches for driver certifications require online connectivity (think: SSL certs). But that's a huge problem when a common driver to be installed is for networking adapters.
Microsoft having to sign every driver is a burden. Who is going to pay for that if not the device manufacturers?
Do we need driver signing?
Yes: protect users down to the lowest common denominator
No: let users choices have their consequences
Maybe: if it can be done in a low cost, efficient manner that is widely accepted by the industry
Wait, you're using a generic adapter for wireless 360 controllers? Interesting... the nice thing about the XB1 controllers is that they're dual wired/wireless. If you don't have/want the wireless adapter, you can just use a regular USB to micro USB cable.
The PC in question isn't well positioned for tethered accessories. Wireless is kind of a necessity. But yes, I bought a cheap-o adapter years ago off Amazon. It works great once the driver is loaded, so I've never bought a replacement.
I did mention that eventually I will move onto XB1 and/or PS4 controllers. Though I still won't be using them wired. So I will need new adapters and I'm likely to just buy the official Sony and Microsoft adapters this time to avoid driver issues.
Right, I was just saying for those who prefer wired for their PCs, it's nice to be able to use the same controller. I previously had one wired 360 controller for my PC and the other was wireless and used on the 360. I like the simplicity, no resyncing of the wireless controller needed. With the XB1 controller all I have to do is plug in an mUSB so I don't mind using the same controller.
But yeah there are cases even for PCs where wireless is the only way to go. The newer XB1 receiver is pretty decent. Can do something like up to 8 controllers at a time so if it's being used for HTPC there's lots of possibilities. Personally I'd fire up Yabause (Saturn emulator) for Saturn Bomberman 8 player matches! Bring your own controller. :P Yes I know there was even a 10 player map but only the one, whereas there were 7 or 8 fields total that could do 8 players IIRC. So 8 is perfect.
I support this policy change by Microsoft even though it broke some functionality on my system recently.
Following the release of 1607, I did a fresh install on my Precision workstation at work. I'm an IT pro/dev and decided to go full best-practices with my workstation build, so I built my workstation to utilize not only Secure Boot and TPM 2 but also the latest Ring -1 Hyper-V technique to protect against pass-the-hash attacks. This essentially makes my workstation OS a VM, with an ultra-light and highly-segmented OS that boots and stores hashes of my credentials.
Anyway, all went well: Firepro drivers installed without a hitch (Microsoft handled it) and soon enough I was able to install my tools.
One program I use daily is HTTP Debugger Pro. Like Fiddler, HTTP Debugger Pro offers me the ability to decrypt TLS connections and inspect HTTP traffic hitting my machine. To do this, HTTP Debugger Pro installs a driver in windows/system32. As you can imagine, .sys files located in system32 are important, and version 1607 didn't like the SHA-1, standard DV signature on HTTP Debugger Pro's .sys file. So it barfed, refused to let me use the driver, and I couldn't decrypt HTTPS traffic.
I reported the problem to the dev and working with him over the next month we got it working. I felt bad for the guy because he had to fork out some serious cash to purchase an EV certificate to sign his driver. I offered to give him a couple extra bucks on top of the cost of the software but he refused.
Ultimately he produced a build of the software that satisfied the strict new requirements from Microsoft and I couldn't be happier. I hate software -security software in particular- that requires me to weaken the security posture of my machine and thereby my organization.
I expect this policy change will hit small devs as well, not just big guys like Nvidia and AMD.
If the reporting on this story is correct, then driver manufacturers needed to sign their drivers with a standard DV code signing certificate in 1511 and versions prior. Microsoft did not need to co-sign or cross-sign those drivers in 1511 and versions prior.
Now in 1607, if the reporting is to be believed, 1) devs have to sign driver .sys files with an EV certificate, and 2) submit the driver for a cross-signature by Microsoft.
Put another way, Microsoft's not going to cross-sign a driver without an EV certificate from the driver's author. I wouldn't put my stamp of approval on something without an EV certificate either, would you?
The same rules apply in the UWP framework I believe.
Devs that want this level of access to the hardware will have to jump through some more hoops to get there.
If MS wants to compete for John and Jane Doe's money, they need their OS to be resilient against common threats, or else they'll lose their market to iPads and Chrome/whatever is next devices. But since they have to allow user-installed drivers (it's still full Windows), they had to do something to bolster security.
Prior to getting her a proper Windows 10 touchscreen device, my mom was ready to ditch PC and get an iPad. But she's been very happy with Win10 especially with Anniversary Update. Anything that makes it harder for malware to compromise her laptop is a good thing. Speaking of which I might have to see if you can turn this revised driver signing on with an existing install.
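A defender-side way to find out which drivers on a box would fall foul of the 1607 rules described above (Microsoft-issued signature required, SHA-1 DV certificate no longer enough), as an added example that is not code from the article or from any commenter. Assumptions are mine: PowerShell 5.1 run elevated, the signer subjects "CN=Microsoft Windows" (inbox) and "CN=Microsoft Windows Hardware Compatibility Publisher" (WHQL/portal), and the hypothetical Get-DriverSigningReport function and $DriverDir parameter.

```powershell
<#
  Added example, not code from the article or from any commenter. Audits the
  kernel drivers in a directory against the 1607 rule the thread describes:
  a driver needs a Microsoft-issued signature (WHQL or Hardware Dev Center
  portal), and a plain SHA-1 DV certificate is no longer enough.
  Assumptions (mine): PowerShell 5.1 running elevated; inbox and Microsoft
  co-signed drivers carry a signer subject beginning "CN=Microsoft Windows";
  the function name and the $DriverDir parameter are hypothetical.
#>
param(
    [string]$DriverDir = "$env:SystemRoot\System32\drivers"
)

function Get-DriverSigningReport {
    param([string]$Path)

    Get-ChildItem -Path $Path -Filter '*.sys' -File | ForEach-Object {
        # Get-AuthenticodeSignature consults the system catalogs as well as the
        # embedded signature, so catalog-signed inbox drivers still report
        # Status = Valid with SignatureType = Catalog.
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate

        $subject = if ($cert) { $cert.Subject } else { '' }
        # Algorithm used to sign the signer certificate (sha1RSA / sha256RSA).
        # The cmdlet does not expose the file digest algorithm itself.
        $certAlg = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { '' }
        $signer  = if ($cert) { $cert.GetNameInfo('SimpleName', $false) } else { '(unsigned)' }

        # Inbox drivers ("CN=Microsoft Windows") and drivers signed through WHQL
        # or the portal ("CN=Microsoft Windows Hardware Compatibility Publisher")
        # both match this pattern; a vendor-only cross-signature does not.
        $microsoftSigned = $subject -like 'CN=Microsoft Windows*'

        # Mirror the policy decision for a fresh 1607 install with Secure Boot on.
        $verdict = if ($sig.Status -ne 'Valid') {
            'FAIL: ' + $sig.Status
        } elseif (-not $microsoftSigned) {
            'FAIL: vendor signature only, needs Microsoft co-signature'
        } elseif ($certAlg -eq 'sha1RSA') {
            'WARN: SHA-1 certificate'
        } else {
            'OK'
        }

        [pscustomobject]@{
            Driver        = $_.Name
            Status        = $sig.Status
            SignatureType = $sig.SignatureType
            Signer        = $signer
            CertAlgorithm = $certAlg
            Verdict       = $verdict
        }
    }
}

$report  = @(Get-DriverSigningReport -Path $DriverDir)
$refused = @($report | Where-Object { $_.Verdict -like 'FAIL*' }).Count
$warned  = @($report | Where-Object { $_.Verdict -like 'WARN*' }).Count

$report | Sort-Object Verdict, Driver | Format-Table -AutoSize
'{0} drivers checked: {1} would be refused under the 1607 policy, {2} carry SHA-1 certificates' -f $report.Count, $refused, $warned
```

A FAIL verdict only says the file lacks a Microsoft-issued signature; it does not reproduce the loader's runtime decision, which also depends on Secure Boot state and on whether the install was upgraded rather than fresh. Point $DriverDir at a vendor's extracted driver package to vet it before deployment.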
All new Ford cars will only accept parts and consumables from Ford-certified and approved 3rd parties.
Need Oil? Only oil from this list of manufacturers will work.... Oil filter? Only filters from Ford itself will work.... Tyres? Only tyres from .... Brake pads? Must be obtained from and installed by company..... Seat covers? Only from.... No 3rd party speakers can be installed.... No 3rd party sub can be added.... Only spotlights from .... are allowed.
Bad analogy. You're talking about hardware, not software. If the hardware of the car has to interact with the core computer of the car, you certainly can make it work, but it won't get support by Ford, and you will void your warranty!
Your computer hardware is the car. The OS is the PCM.
I'm kind of annoyed by how many requirements there are to get your copy of Windows to enforce this, but still, it's a step in the right direction. The signing thing vaguely creeped me out years ago when they first started it, but since then...well, malware and the bad guys have just kept getting cleverer and cleverer :-/
85 Comments
Ahnilated - Friday, October 14, 2016
This might not be a bad idea if Microsoft didn't charge a fee every time
JoeyJoJo123 - Friday, October 14, 2016
Dis right here, fam.
Morawka - Friday, October 14, 2016
they don't anymore, they used to, but it's free now
From Wikipedia:
Microsoft no longer requires a WHQL testing fee,[4] which used to be USD $250 per operating system family.[5] This fee covers both 32-bit (x86) and 64-bit (x64) versions, if submitted simultaneously, and is non-refundable. The fee does not include other expenses, such as a Windows Server 2008 x64 license, necessary for running WHQL tests, and a VeriSign certificate, necessary for submitting test results.[6]
TheinsanegamerN - Friday, October 14, 2016
how much you want to bet that fee will come back one day?
flgt - Friday, October 14, 2016
$250 is free for all intensive purposes. If you can't afford it you probably shouldn't be writing them in the first place, and that's probably the intent. I highly doubt it's a profit center for them.
ddriver - Friday, October 14, 2016
It's actually "for all intents and purposes". It might not be a priority source of income now that they are pushing spyware and all.
JoeyJoJo123 - Friday, October 14, 2016
That's a mute point. Bare in mind that it's a doggy-dog world out there, and $250 fees for software licensing can make or brake a company. In lame man's terms, Microsoft is a business, and businesses gotta make money. It's in any businesses' best interests to charge for whatever they can, and Microsoft will probably start that up again. By not charging, they're acknowledging that they're playing a zero-sum gain.
But you know, just take with these words with a grain assault.
Death666Angel - Friday, October 14, 2016
What's up with the terrible use of idioms here? I hope you were being ironic with that "lame man's" thing. I'm not even a native speaker and those jump out at me....
It's "in layman's terms".
Tehort - Friday, October 14, 2016
It's also a dog-eat-dog world.
Demi9OD - Friday, October 14, 2016
Moot point, dog eat dog world, make or break, in layman's terms, grain of salt. I am surprised he missed the Bear in mind opportunity.
Samus - Sunday, October 16, 2016
As English is clearly JoeyJoJo's native language, all I can assume at this point is an incomplete high school education; numerous basic grammatical errors, incoherent sentence structure, and complete misunderstanding of basic business costs.
$250 won't break any corporation. Driver development costs are tens of thousands of dollars for most products. WHQL validation is rolled into that cost. I mean seriously, it costs me $500 a year just to license my company and legally operate as a corporation in the state of Illinois; $250 would probably be the smallest single fee my business is charged by anybody.
Ascaris - Monday, October 17, 2016
And zero-sum game.
TJKV - Saturday, October 29, 2016
The correct usage is actually 'Bear in mind'. So he didn't miss that opportunity ;)
smorebuds - Sunday, October 16, 2016
Terrible use of ironic though.
Ascaris - Monday, October 17, 2016
Of course it was deliberate.
Spunjji - Friday, October 14, 2016
This post is perfect
BillBear - Saturday, October 15, 2016
Did you ever know that you're my hero?
flgt - Saturday, October 15, 2016
lol, I'll admit my poor grammar. That post was funny.
Zim - Monday, October 17, 2016
Love it. Thanks! :)
otherwise - Monday, October 17, 2016
If $250 can break your company it was destined for failure anyways.
Rocket321 - Tuesday, October 18, 2016
I LOL'd. Thanks for bringing the humor.
bug77 - Sunday, October 16, 2016
I'm seeing a scene from "The King of Queens" in my head right now. :D
Murloc - Saturday, October 15, 2016
I guess we'll find out, the proof is in the pudding.
desolation0 - Monday, October 17, 2016
Well, there was a setup for community hotfix drivers for Radeon with graphics systems able to swap between the discrete and integrated Intel GPU. ATI/AMD wasn't able to allow users to just install the latest driver package for the discrete portion, as the switching required both halves to generally be up to date to know what the other was doing. Users were forced to fall back on their OEM for updated drivers for their particular system, usually a laptop. That support often ran out even before their system hit the store shelf. The community project to step in and provide those drivers was certainly not a case where $250 per release was practically free, as there was no sale of hardware covering the community's cost.
tamalero - Monday, October 17, 2016
Agree, a lot of small manufacturers refused to do 64 bit signed drivers because of this.
Annoying to need to restart Windows and turn off certain things just to make a joystick work!
knightspawn1138 - Friday, October 14, 2016
This may not affect graphics drivers, but I've already seen it affect printer drivers, making about half of the network print drivers in our corporate environment refuse to install properly in Windows 10. There are a ton of old hardware devices that will be affected, and Microsoft isn't warning enough of their users beforehand.
JoeyJoJo123 - Friday, October 14, 2016
Also, the usage of 3rd party Chinese peripherals. Such as console controller to USB adapters which use in-house drivers that are not WHQL certified.
lvlFK - Friday, October 14, 2016
That is my biggest concern as well.
What happens to all these small Chinese peripherals?
This used to be Windows' appeal. But now with Android and Windows both moving to such a closed model.
Should we be moving to Linux?
Flunk - Friday, October 14, 2016
Either they use an interface chip from someone else who does have certified drivers for it or they can't sell that product anymore. Even cheap Chinese peripheral makers can't sell completely unusable products.
valinor89 - Saturday, October 15, 2016
You don't buy from China much, do you? Protip, avoid too-cheap-to-be-true battery packs... Not only are they overrated by a factor of 10 but they might be made from recycled batteries and not work or worse, take a charge and explode on you down the line.
You can't even trust brands, as they will happily sell you factory rejects as new or price, as they will sell you junk for high prices if they can get away with it.
Also, even if you got the real deal once, you can't assume you will get the same thing if you buy again...
Such fun!
TheinsanegamerN - Friday, October 14, 2016 - link
Microsoft doesn't care anymore. What are you going to do, switch to apple? In general, people will keep using windows because they dont really know how to use a computer. It's the same reason HP is still a giant PC manufacturer, despite putting out one terrible piece of hardware after another.lilmoe - Friday, October 14, 2016 - link
"Microsoft doesn't care anymore"Man, people have no idea what they want. What MS are doing is a good thing in the long run for ecosystem. We've been wanting this for ages. Bad 3rd party drivers ARE the reason for system instability, and Microsoft finally starts fixing that, you think they don't care? IT guys who think like to are the problem.
Alexvrb - Saturday, October 15, 2016 - link
How DARE they improve security! I want my cheap Chinese crap peripherals to work, to hell with the consequences on the entire ecosystem!OR for the few people impacted, there are workarounds.
Murloc - Saturday, October 15, 2016 - link
exactly, if you're nerd enough they provided the workarounds.Meanwhile, the average user has everything to gain from being more protected.
close - Monday, October 17, 2016 - link
Then TheinsanegamerN will go on another topic and complain that MS and Windows are sh*t , the security sucks, etc. :)Samus - Sunday, October 16, 2016 - link
Unskilled and uneducated IT departments that don't keep up with technology out of laziness or poor funding, and companies that employ such IT departments out of ignorance or penny pinching, are the reason the majority of data leaks, hacks, and downtime exist.Michael Bay - Saturday, October 15, 2016 - link
Ah, so that`s what loonixoid nutcases tell themselves!sheh - Friday, October 14, 2016 - link
I suppose someone will create a patch to allow Windows to install these drivers.In some cases it's a problem also in earlier versions of Windows.
Gigaplex - Friday, October 14, 2016 - link
Such a patch would break the signatures on the Microsoft binaries, which would be blocked via Secure Boot.Murloc - Saturday, October 15, 2016 - link
which can be deactivated according to the post.seamonkey79 - Saturday, October 15, 2016 - link
Which prevents the need for such a patch.sheh - Saturday, October 15, 2016 - link
It can be a memory-patch.Samus - Sunday, October 16, 2016 - link
If you just turn off secure boot I don't think driver validation is required. This driver verification is for secure environments since it operates at the software level (it isn't like an execute disable bit that happens in hardware, but hardware support is obviously required at the BIOS level for this all to work.)Its important to point out Mac OSX has had this style of driver verification since Snow Leopard, and they now have SOFTWARE verification in Sierra (which for the moment can be bypassed in control center)
BrokenCrayons - Friday, October 14, 2016 - link
You could argue that it's not Microsoft's problem to ensure your business' printers have WHQL drivers. That responsibility falls on the printer manufacturer. It's also part and parcel with running legacy equipment that things will eventually break and wind up unsupported. It stinks when stuff like that happens and I totally sympathize with you. When something like this happens and established systems start breaking unexpectedly it makes being an info tech employee a pretty miserable prospect. Explaining to budget-minded managers that they need to purchase new printers because of something Microsoft did to make their operating system "more secure" doesn't make for a fun day at the office. Add grumpy end users wondering why they have to walk to a printer in another department because theirs happened to be one of the legacy ones, and you're put between two groups of unhappy people. And you end up stuck there throwing your hands up in the air going, "I can't do anything about it!" Yup, that's a hide-under-the-desk-to-cry sort of position.
knightspawn1138 - Friday, October 14, 2016 - link
The problem came from drivers that were actually signed, and WHQL signed, but internally didn't mark themselves as "packaged" drivers for printers. When Microsoft pushed an update that activated this signed driver enforcement, our drivers stopped installing over the network. It took me almost a full day to figure out how to modify the print server so the drivers would install again. Microsoft doesn't document the repercussions of their (somewhat) arbitrary decisions to lock some "features" into the on or off position. As much as I love Windows 10, this is becoming more problematic while they refine the Win10 experience. Same goes for the Win10 controls and options that still can't be controlled through Group Policy, only registry hacks (that we have to begrudgingly push through GPOs).
Nexing - Saturday, October 15, 2016 - link
This is certainly tragic. Not only printers but almost the entire Audio/musical hardware released. These are complete industries going to have problems with Windows 10. Mostly composed of professionals because big firms will have IT guys, like several of you here, to fix it up ...on a day's lapse, whereas some unique keyboards, mixing boards, etc. have cost years, decades to be acquired and now won't install in W10. If our recently forced (non uninstallable) W7 programmed tasks are an indication of what is to come, such would be a war field with this issue plus wasted time on something that should instead be an easy working OS tool, not an intruding wall progressively asphyxiating us.
NXTwoThou - Friday, October 14, 2016 - link
At least with the Insider build from last Friday (haven't had to install anything new yet since the most recent), you can still do Settings->Update & Security->Recovery->Advanced Startup->Restart Now. Then select Troubleshoot, Advanced options, Startup Settings, then the Restart button. Finally use option 7 "Disable driver signature enforcement". Sure, it's a lot of steps, but it's what I had to do to get the drivers working for our CNC machine. You only have to do it when installing; once installed, they continue to work.
Donkey2008 - Sunday, October 16, 2016 - link
Thank you for these instructions.
extide - Friday, October 14, 2016 - link
Are you sure? Because I kind of find it hard to believe that printer drivers would be kernel level drivers and not user level. I guess other stranger things are true, though.
Klimax - Saturday, October 15, 2016 - link
They'd have to be very old. IIRC at best for XP, but likely a bit older. It used to be a popular way to write them. And it had a predictable effect on system stability.
Alexvrb - Saturday, October 15, 2016 - link
Just disable secure boot on those machines. They're still more secure than 7 even without it.
Samus - Sunday, October 16, 2016 - link
Yep. Good point, I don't think people realize how easily Windows 7 can be hijacked with a driver-based rootkit, even with secure boot (because Windows 7 under secure boot only validates the drivers that load during the boot process, not drivers initialized under the operating environment like occasional drivers). Windows 10 and even Windows 8 introduced an internally validating driver model which, although it can be bypassed, at least gives you a scary warning you need to click through TWICE.
nathanddrews - Friday, October 14, 2016 - link
While I appreciate Microsoft's concern, I frequently run unsupported drivers and software for some things. IMO, it should be an option on the UAC panel.
Typo in article title:
"Enforcesment Policy" should be "Enforcement Policy"
BrokenCrayons - Friday, October 14, 2016 - link
"...a fully secure x64 system..." Color me skeptical (and yes, you can use a crayon for that).
extide - Friday, October 14, 2016 - link
While I agree with what you are saying, I think the comment was made more in terms of an x64 system with all of the available security options enabled.
Senti - Friday, October 14, 2016 - link
Driver signing enforcement to combat malware? Don't make me laugh. Only idiots actually believe that. Malware is spreading through bugs in existing fully signed components. The actual purpose of this policy is enforcing media DRM and attempts to create a fully walled garden. Users get only drawbacks, like you can't easily patch a certain driver even if you have administrator rights (one well known example is Realtek audio drivers).
Gigaplex - Friday, October 14, 2016 - link
The malware may spread through bugs in signed components, but signing enforcement helps reduce the impact once the malware is on the machine. It makes it harder for the malware to escalate privileges or install rootkit drivers.
Senti - Saturday, October 15, 2016 - link
It does not. If you got into the system through a bug in a signed driver you basically have exactly the same rights as that driver. Instead of installing your code "the official way" you just call the compromised signed driver to execute it.
Klimax - Saturday, October 15, 2016 - link
DRM is already long ago enforced through Protected Media Path. Don't think anybody managed to break it even with kernel-mode drivers. As for malware, see rootkits and associated fun. And look up the Sony Rootkit fiasco...
Senti - Saturday, October 15, 2016 - link
I don't know the situation with PMP, but if nobody broke it, that just means it wasn't interesting enough. The whole thing was invented for protecting BD playback while people found better ways to dump it. "Rootkit" is just a technique, it has nothing to do with signing enforcement. Actually Sony would likely have had no problem getting WHQL or any other signature on it from MS if it were required.
DomOfSF - Friday, October 14, 2016 - link
I'm...I'm sorry. "Enforcesment"?
Lolimaster - Friday, October 14, 2016 - link
My solution is simple, keep win7 and play win10 only games on youtube. I only care about story mode.
sl149q - Friday, October 14, 2016 - link
There are three essential changes. First, all drivers must now be signed by Microsoft. Second, you can have any driver signed for you by Microsoft. There is no charge, typical turnaround time is 15 minutes. Third, you must authenticate yourself to Microsoft by having an EV Code signing certificate. This is all about preventing people with stolen code-signing certificates signing drivers (think Stuxnet.) EV Certificates are distributed on a security key, so harder to steal. If your dongle goes missing you probably will realize it is stolen and the cert can be cancelled.
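A defender-side check for the situation sl149q describes, added here as an example and not taken from the article or any commenter: list the drivers loaded on a Windows 10 machine and flag the ones whose file is not signed, or not signed by Microsoft, so you know what would trip the new policy before a fresh install with Secure Boot. It assumes Windows PowerShell 5.1 on Windows 10 (for the SignatureType property, which also covers catalog-signed files) and an elevated prompt.

```powershell
# Added example: audit the signatures of the drivers currently registered on this machine.
# Assumes Windows PowerShell 5.1 on Windows 10 and an elevated prompt.
function Get-DriverSignatureReport {
    # Win32_SystemDriver lists kernel and file-system drivers together with their image path
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName }

    foreach ($d in $drivers) {
        # Normalise NT-style paths (\??\C:\..., \SystemRoot\..., System32\...) to Win32 paths
        $path = $d.PathName -replace '^\\\?\?\\', ''
        $path = $path -replace '^\\SystemRoot', $env:SystemRoot
        $path = $path -replace '^System32', "$env:SystemRoot\System32"
        if (-not (Test-Path -LiteralPath $path)) { continue }

        # Embedded Authenticode or catalog signature of the driver image
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $cert   = $sig.SignerCertificate
        $signer = if ($cert) { $cert.Subject } else { '' }

        [pscustomobject]@{
            Name            = $d.Name
            State           = $d.State
            Path            = $path
            Status          = $sig.Status          # Valid, NotSigned, HashMismatch, ...
            SignatureType   = $sig.SignatureType   # Authenticode, Catalog or None
            Signer          = $signer
            # WHQL / Dev Portal signed drivers carry a Microsoft Corporation signer subject
            MicrosoftSigned = $signer -match 'O=Microsoft Corporation'
            # Algorithm the signing certificate itself was issued with (e.g. sha1RSA vs sha256RSA)
            CertSigAlg      = if ($cert) { $cert.SignatureAlgorithm.FriendlyName } else { '' }
        }
    }
}

# Anything here is not Microsoft-signed and is the first thing to check with the vendor
Get-DriverSignatureReport |
    Where-Object { $_.Status -ne 'Valid' -or -not $_.MicrosoftSigned } |
    Sort-Object Status, Name |
    Format-Table Name, State, Status, SignatureType, CertSigAlg, Signer -AutoSize
```

Third-party drivers that are Valid but not MicrosoftSigned are the ones the vendor would have to resubmit through the Dev Portal; NotSigned entries are the ones to replace before the upgrade.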
frodesky - Friday, October 14, 2016 - link
Curious, but how did you modify the print servers so the drivers would install?
Lapog - Friday, October 14, 2016 - link
JoeyJoJo123 - Friday, October 14, 2016 - link
======================================================
That's a mute point. Bare in mind that it's a doggy-dog world out there, and $250 fees for software licensing can make or brake a company. In lame man's terms, Microsoft is a business, and businesses gotta make money. It's in any businesses' best interests to charge for whatever they can, and Microsoft will probably start that up again. By not charging, they're acknowledging that they're playing a zero-sum gain.
But you know, just take with these words with a grain assault.
=====================================================
I logged in just to acknowledge your post - a masterful combination of whimsical and wise. Thank you. You made my day.
johnyp - Saturday, October 15, 2016 - link
It seems that not all AMD drivers carry a digital signature; their last release for the 5850 card does not have a digital signature. Hence the new update installed and lo and behold, big crash !!!! So who is responsible? My card is fantastic, even some of the latest cards can't match it. So who is to blame for the fact that my system went bang, so to speak.. AMD ?? I don't think so !! All worked 100% before the update..
Klimax - Saturday, October 15, 2016 - link
Seems like the certificate is problematic, but it should have one. As for some cards still not matching, evidence required...
Achaios - Sunday, October 16, 2016 - link
"My 2009 card is so good, and y'all n00bs for buying $800 GPUs".
Alexvrb - Saturday, October 15, 2016 - link
BS meter pegged! If you read the article you would have noticed this doesn't affect updated systems, only fresh installs with AE preinstalled (at this point, only new OEM boxes really). So no, your crash is unrelated. Second, and possibly also unrelated, that 5850 is an antique compared to new cards. Sorry. It's Terascale architecture. Even a lowly RX 460 would beat it.
Alexvrb - Saturday, October 15, 2016 - link
Also if you did have a new install with this signing enabled, you could disable Secure Boot to turn it off. No, your crash is unrelated to this feature. I'd bet you picked up some malware at some point that damaged your system files or something along those lines.
JasonMZW20 - Saturday, October 15, 2016 - link
This is definitely for DRM and Universal Windows Platform apps with security on the side. If I run an unsigned video or audio driver, UWP apps refuse to load DRM material and say that the driver installed is unsupported or my system is currently unsupported.
This is definitely for DRM and Universal Windows Platform apps with security on the side.If I run an unsigned video or audio driver, UWP apps refuse to load DRM material and say that the driver installed is unsupported or my system is currently unsupported.
Never mind that UWP apps sound terrible, as they bypass all of my sound card's processing and features. Bass and treble control? What's that? It's all generic. My SB X-Fi Titanium (PCIe) has a UAA component to use generic MS drivers, and I'm sure I'll be forced to use them at some point.
Alexvrb - Saturday, October 15, 2016 - link
That could very well be Creative's fault or the game developer. Their drivers are godawful. Even the latest drivers for my newer and better-supported-on-Win10 Sound Blaster Z-series card have some minor issues. I don't know if you noticed but Creative has virtually killed off their sound "card" business. Look at their support website as an example. You have to click on "Sound Blaster" which pictures an external unit. Then you have to click on the tiny lettering at the bottom "If your product is not listed above, please click here". It's like hey you with the unsupported crap, down here. It's a shame too because the sound cards themselves are very good and far superior in terms of sound quality, compared to most onboard solutions.
nevcairiel - Saturday, October 15, 2016 - link
Was anyone really surprised big names like AMD or NVIDIA are not affected by this? If they can't figure it out, how would anyone? What I would really have liked is a look at how small independent companies are supposed to handle this gracefully, especially if they provide software-only drivers (say loopback audio devices a la Virtual Audio Cable and similar things), because those are the ones that are really stuck trying to figure it out, not huge companies like AMD or NVIDIA.
Achaios - Sunday, October 16, 2016 - link
This update is BS as is all the additional "security" BS. If you are a small fish, you don't need any of these fancy "security" features, and if you are a big fish, you have your IT dept. working on custom solutions to protect you. Happily sailing on Windows 7 and will be for years to come.
marty1980 - Sunday, October 16, 2016 - link
The only device I've had problems with on Win10 is a generic Xbox controller USB adapter. The driver isn't signed and so I have to turn off driver signing in order to use my 360 controllers with my PC. Eventually this will work itself out as I move onto PS4 and XBO controllers on PC, but for now I have to completely disable driver signing to play.
The best approaches for driver certifications require online connectivity (think: SSL certs). But that's a huge problem when a common driver to be installed is for networking adapters.
Microsoft having to sign every driver is a burden. Who is going to pay for that if not the device manufacturers?
Do we need driver signing?
Yes: protect users down to the lowest common denominator
No: let users' choices have their consequences
Maybe: if it can be done in a low cost, efficient manner that is widely accepted by the industry
Alexvrb - Monday, October 17, 2016 - link
Wait, you're using a generic adapter for wireless 360 controllers? Interesting... the nice thing about the XB1 controllers is that they're dual wired/wireless. If you don't have/want the wireless adapter, you can just use a regular USB to micro USB cable.
marty1980 - Monday, October 17, 2016 - link
The PC in question isn't well positioned for tethered accessories. Wireless is kind of a necessity. But yes, I bought a cheap-o adapter years ago off Amazon. It works great once the driver is loaded, so I've never bought a replacement. I did mention that eventually I will move onto XB1 and/or PS4 controllers. Though I still won't be using them wired. So I will need new adapters and I'm likely to just buy the official Sony and Microsoft adapters this time to avoid driver issues.
Alexvrb - Tuesday, October 18, 2016 - link
Right, I was just saying for those who prefer wired for their PCs, it's nice to be able to use the same controller. I previously had one wired 360 controller for my PC and the other was wireless and used on the 360. I like the simplicity, no resyncing of the wireless controller needed. With the XB1 controller all I have to do is plug in an mUSB so I don't mind using the same controller. But yeah there are cases even for PCs where wireless is the only way to go. The newer XB1 receiver is pretty decent. Can do something like up to 8 controllers at a time so if it's being used for HTPC there's lots of possibilities. Personally I'd fire up Yabause (Saturn emulator) for Saturn Bomberman 8 player matches! Bring your own controller. :P Yes I know there was even a 10 player map but only the one, whereas there were 7 or 8 fields total that could do 8 players IIRC. So 8 is perfect.
jeffwilsontech - Sunday, October 16, 2016 - link
I support this policy change by Microsoft even though it broke some functionality on my system recently. Following the release of 1607, I did a fresh install on my Precision workstation at work. I'm an IT pro/dev and decided to go full best-practices with my workstation build, so I built my workstation to utilize Secure Boot, TPM 2 and the latest Ring -1 Hyper-V technique to protect against pass the hash attacks. This essentially makes my workstation OS a VM with an ultra-light and highly-segmented OS that boots and stores hashes of my credentials.
Anyway, all went well: Firepro drivers installed without a hitch (Microsoft handled it) and soon enough I was able to install my tools.
One program I use daily is HTTP Debugger Pro. Like Fiddler, HTTP Debugger Pro offers me the ability to decrypt TLS connections and inspect HTTP traffic hitting my machine. To do this, HTTP Debugger Pro installs a driver in windows/system32. As you can imagine, .sys files located in system32 are important and version 1607 didn't like the SHA-1, standard DV signature on HTTP Debugger Pro's .sys file. So it barfed, refused to let me use the driver, and I couldn't decrypt HTTPS traffic.
I reported the problem to the dev and working with him over the next month we got it working. I felt bad for the guy because he had to fork out some serious cash to purchase an EV certificate to sign his driver. I offered to give him a couple extra bucks on top of the cost of the software but he refused.
Ultimately he produced a build of the software that satisfied the strict new requirements from Microsoft and I couldn't be happier. I hate software (security software in particular) that requires me to weaken the security posture of my machine and thereby my organization.
I expect this policy change will hit small devs as well, not just big guys like Nvidia and AMD.
erple2 - Sunday, October 16, 2016 - link
Wait, what? They're requiring an EV cert? That seems excessive.
jeffwilsontech - Sunday, October 16, 2016 - link
Not excessive at all. If the reporting on this story is correct, then driver manufacturers needed to sign their drivers with a standard DV code signing certificate in 1511 and versions prior. Microsoft did not need to co-sign or cross-sign those drivers in 1511 and versions prior.
Now in 1607, if the reporting is to be believed, 1) devs have to sign driver .sys files with an EV certificate, and 2) submit the driver for a cross-signature by Microsoft.
Put another way, Microsoft's not going to cross-sign a driver without an EV certificate from the driver's author. I wouldn't put my stamp of approval on something without an EV certificate either, would you?
The same rules apply in the UWP framework I believe.
Devs that want this level of access to the hardware will have to jump through some more hoops to get there.
Alexvrb - Monday, October 17, 2016 - link
If MS wants to compete for John and Jane Doe's money, they need their OS to be resilient against common threats, or else they'll lose their market to iPads and Chrome/whatever is next devices. But since they have to allow user-installed drivers (it's still full Windows), they had to do something to bolster security. Prior to getting her a proper Windows 10 touchscreen device, my mom was ready to ditch PC and get an iPad. But she's been very happy with Win10 especially with Anniversary Update. Anything that makes it harder for malware to compromise her laptop is a good thing. Speaking of which I might have to see if you can turn this revised driver signing on with an existing install.
eldakka - Monday, October 17, 2016 - link
And in other news:
All new Ford cars will only accept parts and consumables from Ford-certified and approved 3rd parties.
Need Oil? Only oil from this list of manufacturers will work....
Oil filter? Only filters from Ford itself will work....
Tyres? Only tyres from ....
Brake pads? Must be obtained from and installed by the company.....
Seat covers? Only from....
No 3rd party speakers can be installed....
No 3rd party sub can be added....
Only spotlights from .... are allowed.
jardows2 - Monday, October 17, 2016 - link
Bad analogy. You're talking about hardware, not software. If the hardware of the car has to interact with the core computer of the car, you certainly can make it work, but it won't get support by Ford, and you will void your warranty! Your computer hardware is the car. The OS is the PCM.
Wolfpup - Thursday, October 20, 2016 - link
I'm kind of annoyed by how many requirements there are to get your copy of Windows to enforce this, but still, it's a step in the right direction. The signing thing vaguely creeped me out years ago when they first started it, but since then...well, malware and the bad guys have just kept getting cleverer and cleverer :-/