The obvious remaining question is when will we know when cross-signing will no longer be enough and the driver is required to go through the sysdev process?
My immediate question is how does Windows 10 LTSB play into these potential upcoming policy enforcements? I suspect that since we don’t even know about RS1, that asking about LTSB is inherently unknown as well. However, I thought I’d float the question in case anybody was able to shed some light on how these policy changes will be integrated into the LTSB branch.
The obvious remaining question is when will we know when cross-signing will no longer be enough and the driver is required to go through the sysdev process?
I think we DO know that. As of the RS1 (anniversary) release, on a
fresh install on a machine with “secure boot” enabled, all drivers will
have to go through attestation. We’ve already seen that with the RS1
preview releases.
My immediate question is how does Windows 10 LTSB play into these potential upcoming policy enforcements?
There’s no different between LTSB and the normal release, except that
the client gets to control the timing. As soon as you install Windows
10 Enterprise LTSB at RS1 or later, then you get the attestation
requirement. If you stick with TH2, then you don’t.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
I haven’t heard THAT. I *did* hear/see (on this video) that there’s a policy that will disable all recognition of cross-signing, whether Secure Boot is enabled or not.
For clarity: I’m not saying Mr. Roberts is wrong! I’m just saying that *I* have not heard in passing of a policy that will ignore Attestation Signing. I also haven’t tried to explicitly seek this information, either.
I haven’t heard THAT. I *did* hear/see (on this video) that there’s a policy that will disable all recognition of cross-signing, whether Secure Boot is enabled or not.
That’s what I heard. I stated it incorrectly.
–
Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
“I’ve heard there is a group policy type setting in Windows 10 that allows a client to enable this, although I’ve never seen it.”
As DG is managed through GP, technically OP is right that there is indeed a way to do this. I thought you were saying you had “not heard that”. Sorry if I misunderstood you.
Similarly, through DG, both requirements can be turned off from my understanding of the document.
Speaking of what happens on Win10 Enterprise when one enables Device Guard virtualization-based configurable code integrity, has anyone tried this? What is the result when trying to load and run a driver that is “traditionally signed”?
I have tried this on TH2 (and expected trouble), but the failure mode is not as I expected, although MSFT doesn’t really spell out what should happen, only referring to “may cause system to fail”. I get a mysterious BSOD which points to my driver GsDriverEntry routine. Has anyone else seen this?
*This transmission is intended only for the use of the addressee and may
contain information that is privileged, confidential and exempt from
disclosure under applicable law. If you are not the intended recipient, you
are hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited. If you have received this
communication in error, please notify us immediately.*
On Thu, Jun 9, 2016 at 7:09 PM, wrote:
> Speaking of what happens on Win10 Enterprise when one enables Device Guard > virtualization-based configurable code integrity, has anyone tried this? > What is the result when trying to load and run a driver that is > “traditionally signed”? > > I have tried this on TH2 (and expected trouble), but the failure mode is > not as I expected, although MSFT doesn’t really spell out what should > happen, only referring to “may cause system to fail”. I get a mysterious > BSOD which points to my driver GsDriverEntry routine. Has anyone else seen > this? > > — > NTDEV is sponsored by OSR > > Visit the list online at: < > http://www.osronline.com/showlists.cfm?list=ntdev> > > MONTHLY seminars on crash dump analysis, WDF, Windows internals and > software drivers! > Details at http: > > To unsubscribe, visit the List Server section of OSR Online at < > http://www.osronline.com/page.cfm?name=ListServer> ></http:>