For 64-bit versions of Windows Server 2008 and Windows Vista, the kernel-mode code signing policy requires that all kernel-mode code have a digital signature. In addition, certain configurations of 32-bit versions of Windows Server 2008 and Windows Vista also require a kernel-mode driver to be digitally signed in order to access next generation premium content that is controlled by the content protection policy. Windows Server 2008 and Windows Vista relies on digital signatures of these components to increase the safety and stability of the Microsoft Windows platform and enable new customer experiences with next generation premium content.

Digital signatures allow the administrator or end-user who is installing Windows-based software to know whether a legitimate publisher has provided the software package. When users choose to send Windows Error Reporting data to Microsoft after a fault or other error occurs, Microsoft can analyze the data to know which publishers’ software was running on the system at the time of the error. Software publishers can then use the information provided by Microsoft to find and fix problems in their software.

The kernel-mode code signing policy for Windows Server 2008 and Windows Vista requires that the following drivers have digital signatures:

• On 64-bit versions of Windows, all kernel mode software, including, but not limited to, kernel-mode device drivers.

• Drivers that stream protected content. This includes audio drivers that use Protected User Mode Audio (PUMA) and Protected Audio Path (PAP), and video device drivers that handle protected video path-output protection management (PVP-OPM) commands. Information about these requirements is outside the scope of this documentation. For more information about these requirements, see  Code-signing for Protected Media Components in Windows Vista.

Note that this code signing policy is in addition to the Plug and Play (PnP) device installation signing requirements that affect the installation of a device driver. A developer and publisher of a driver must comply with both the kernel-mode code signing requirement for loading a kernel-mode driver and the PnP device installation signing requirements for installing a driver. Note also that, although an administrator can authorize the preinstallation of an unsigned kernel-mode driver on a 64-bit system, the administrator cannot subsequently load the unsigned driver during the installation of the driver for a device.

Kernel-mode code signing enforcement is implemented by a component in Windows Server 2008 and Windows Vista known as Code Integrity. Code Integrity is a feature that improves the security of the operating system by verifying the integrity of a file each time the image of the file is loaded into memory. The function of Code Integrity is to detect if an unsigned driver is being loaded into kernel-mode, or if a system binary file has been modified by malicious code that may have been run by an administrator. Code Integrity helps ensure that a Windows Server 2008 or Windows Vista platform is running known, identifiable code. Code Integrity generates diagnostic events and a system audit log event when the signature of a kernel module fails to verify correctly. You can use the information logged by Code Integrity to troubleshoot driver load problems.

For development and testing purposes only, kernel-mode code signing enforcement can be temporarily disabled. For more information, see Installing an Unsigned Driver During Development and Test (Windows Server 2008 and Windows Vista).

For general information about how to sign a Windows Server 2008 or Windows Vista driver for public release, see Signing Drivers For Public Release (Windows Server 2008 and Windows Vista).

For general information about how to test-sign a Windows Server 2008 or Windows Vista driver during development and test, see Signing Drivers During Development and Test (Windows Server 2008 and Windows Vista).

For more information about the kernel-mode code signing requirements, see the  Digital Signatures for Kernel Modules on Systems Running Windows Vista Web site.

The information provided there is also applicable to Windows Server 2008.