Microsoft will remove support for root certificates with kernel mode signing capabilities in the Microsoft Trusted Root Program in the first half of 2021.
The change affects devices running Microsoft"s Windows 10 operating system only, and drivers that have expired as part of the change won"t load, run or install anymore on Windows 10 devices.HOW DO PRODUCTION SIGNING OPTIONS DIFFER BY WINDOWS VERSION?
|Driver runs on||Drivers signed before July 1 2021 by||Driver signed on or after July 1 2021 by|
|Windows Server 2008 and later, Windows 7, Windows 8||WHQL or cross-signed drivers||WHQL or drivers cross-signed before July 1 2021|
|Windows 10||WHQL or attested||WHQL or attested|
Microsoft published a list of expiration dates for trusted cross-certificates; all listed trusted cross-certificates will expire either in February 2021 or April 2021.
Commercial release certificates, publisher certificates and commercial test certificates will become invalid on the expiration date, and that means that drivers signed with these certificates will become unusable as well.
[..] all software publisher certificates, commercial release certificates, and commercial test certificates that chain back to these root certificates also become invalid on the same schedule.
Microsoft informed hardware developers about the changes to its Trusted Root Program in early 2019. The majority of drivers should continue to work as before, but it is possible that older drivers, e.g. drivers that have not been updated for years, may stop working as a consequence.
The command line tool SignTool.exe, installed automatically with Visual Studio, can be used to verify if a driver will continue to work. All it takes is to run the command signtool verify /v /kp
Windows customers who are affected by the change, e.g. when they run older hardware with drivers that have not been updated by the manufacturer in a while, have only a few options to deal with this. If a driver update is not available, disabling driver signature enforcement is an option; this reduces system security and may also impact stability. It is recommended to create a backup before making the change.
One of the easier options to disable driver signature enforcement is to run the following command from an elevated command prompt: bcdedit.exe /set nointegritychecks on.
To restore the old status quo (default), run bcdedit.exe /set nointegritychecks off instead from an elevated command prompt. (via Deskmodder)