Best practice for non-PnP driver loading on Server 2016 with Secure Boot?

First, I apologize for the question on everyone’s favorite topic. I’ve largely avoided the headache until now.

  1. I’ve never run HLK tests on a non-PnP driver. My normal usage scenario has an application loading/unloading the driver. Do I need to use a dummy inf and load it with DevCon to keep it loaded during the test?
  2. Will Server 2016 soon reject Attestation Signed drivers? How does one get non-PnP drivers signed going forward?

Ultimately I need my .sys signed and am looking for explicit instruction that likely doesn’t exist. Any help guiding me on the path to enlightenment would be quite welcomed.

Shane_Corbin wrote:

First, I apologize for the question on everyone’s favorite topic. I’ve largely avoided the headache until now.

There is no need to apologize.  Even those of us who have been here for
decades are still confused about some of the signing requirements.

* I’ve never run HLK tests on a non-PnP driver. My normal usage scenario has an application loading/unloading the driver. Do I need to use a dummy inf and load it with DevCon to keep it loaded during the test?
* Will Server 2016 soon reject Attestation Signed drivers? How does one get non-PnP drivers signed going forward?

The signing behavior of Server 2016 is exactly the same as Windows 10. 
They originally said they were going to require HLK for the server
systems, but they backed off of that requirement. Attestation signing
works just fine.

With a few specific exceptions, I’m not convinced it is possible to run
HLK on a non-PnP driver.

I have not seen Server 2016 with Secure Boot reject attestation signed drivers. I have not tested Server 2017.

Bill Wandel

Thanks fellas!

I got my driver signed through the attestation path. However, it still doesn’t load properly when Secure Boot is enabled. Here’s what happens.

  1. When Secure Boot is not enabled, my application loads my driver successfully, makes IOCTLs appropriately, then unloads the driver.
  2. When Secure Boot is enabled and my .sys file has only my EV cert sig, my application fails to load the driver and yields an error of 577.
  3. When Secure Boot is enabled and I replace my .sys file with the one that has Microsoft and my EV cert sig on it, the application fails to load the driver and yields an error of -2146762484.

Error 577 looks like ERROR_INVALID_IMAGE_HASH
Error -2146762484 looks like CERT_E_REVOKE

Any ideas?
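A diagnostic pass for the symptoms in the post above, added here as an example and not code from the thread or from OSR: it decodes both reported error values with the .NET error tables, reports the Secure Boot state, shows the primary Authenticode signature PowerShell sees, runs signtool with the kernel-mode policy when a Windows SDK is installed, and lists recent Code Integrity events. The driver path and the SDK location are assumptions.

```powershell
# Added diagnostic example; not code from the thread. Run from an elevated PowerShell.
# $DriverPath is a placeholder: point it at the .sys that fails to load.
param([string]$DriverPath = 'C:\placeholder\mydriver.sys')

# --- 1. Decode the two error values reported in the post -------------------
# 577 is a Win32 error code; -2146762484 is a signed 32-bit HRESULT.
$w = [System.ComponentModel.Win32Exception]::new(577)
'Win32 {0} (0x{0:X}): {1}' -f 577, $w.Message
$hr  = -2146762484
$msg = [System.Runtime.InteropServices.Marshal]::GetExceptionForHR($hr).Message
'HRESULT 0x{0:X8}: {1}' -f ($hr -band 0xFFFFFFFF), $msg

# --- 2. Is Secure Boot actually on? (throws on legacy BIOS or when not elevated)
try   { 'Secure Boot enabled: {0}' -f (Confirm-SecureBootUEFI) }
catch { 'Secure Boot state unavailable: {0}' -f $_.Exception.Message }

# --- 3. Primary Authenticode signature as PowerShell sees it ----------------
# Get-AuthenticodeSignature reports only the outermost signature, so a
# dual-signed file shows a single signer here; signtool lists the rest.
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
'Status      : {0}' -f $sig.Status
'Signer      : {0}' -f $sig.SignerCertificate.Subject
'Timestamper : {0}' -f $sig.TimeStamperCertificate.Subject

# --- 4. Verify against the kernel-mode driver policy with signtool (/kp) ----
# Assumes a Windows 10 SDK install; adjust the glob if yours lives elsewhere.
$signtool = Get-ChildItem "${env:ProgramFiles(x86)}\Windows Kits\10\bin\*\x64\signtool.exe" -ErrorAction SilentlyContinue |
            Sort-Object FullName -Descending | Select-Object -First 1
if ($signtool) { & $signtool.FullName verify /v /kp $DriverPath }
else           { 'signtool.exe not found; install the Windows SDK to verify the full chain.' }

# --- 5. What did Code Integrity log when the load was attempted? ------------
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Level = 2,3 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Compare the signer and timestamp lines between the EV-only and the Microsoft-countersigned .sys, and read the Code Integrity events from the minute of the failed load; those are what distinguish a hash/policy rejection from a chain or revocation problem.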