Followup: Microsoft: No More Updates Allowed for Drivers on Win 7, Win 8, Win 8.1

@“Peter_Viscarola_(OSR)” said:
Let’s move this to the NTDEV, shall we? Then we can continue there…

Peter

yes :wink:

@“Peter_Viscarola_(OSR)”

@“Peter_Viscarola_(OSR)” said:
… as long as the CROSS CERT doesn’t expire… or Windows decides to not load drivers that are cross-signed.

If you tell me Microsoft is gonna do this? How should they prevent drivers from loading on Win 7 systems without Windows Updates being possible any more?

The real solution here isn’t to find a certificate; The REAL solution is to school Microsoft in all the reasons that this is bad policy, and to work hard to get them to reverse this decision.

Yes I agree, their policy is foolish, but I think it's wasting time in this war between David and Goliath :disappointed: . At least our company is way too small to have an impact.

but I think it's wasting time in this war between David and Goliath :disappointed: . At least our company is way too small to have an impact.

You are mistaken.

As I have said numerous times before, we have changed similar policies in the past – all working together.

MSFT doesn’t intend to cause OEMs/IHVs/ISVs pain… they NEVER do. It’s just that they don’t always see the far-reaching consequences of their actions. They “do the right thing” to fix one thing, or avoid one serious problem… but that action has side-effects that they don’t really anticipate, understand, or (having already implemented their “fix”) have a great way to solve.

And it has to do with "domains" – The guy who "owns" the cross-signing issue doesn't "own" everything to do with drivers being authorized on Windows. So, he doesn't really have a way to force (or even meaningfully encourage) the guys who "own" attestation signing to extend it to down-level platforms (cuz that'd take time and dev resources and cost money). So, one guy makes his little decision… and there's nobody to work cross-discipline to make the right thing happen for the community…

UNTIL WE ALL MAKE A FUSS ABOUT IT.

Peter

@“Peter_Viscarola_(OSR)”

Yes, I understand what you wanna point out. I personally would also like to push MSFT in the right direction. And I really tried to get someone in my company to open up a support query on the MSFT side, or just get someone from Redmond on the phone.
So I really tried but at some point in time gave up, as I’ve got other stuff to do.

Sorry :dizzy:

@“Peter_Viscarola_(OSR)”

But still I'm interested in the answer to the following part of my questions above?!

@Matthias_Lehmann said:
@“Peter_Viscarola_(OSR)”

@“Peter_Viscarola_(OSR)” said:
… as long as the CROSS CERT doesn’t expire… or Windows decides to not load drivers that are cross-signed.

If you tell me Microsoft is gonna do this? How should they prevent drivers from loading on Win 7 systems without Windows Updates being possible any more?

Any answer to this?

Any answer to this?

With all due respect, I’m not sure what the question is.

I’m not even sure what it is you’re trying to accomplish: Simply sign a driver today that’ll work forever on Windows? Well, you just need a code signing cert that’s valid as of today, and that gets you as close as you’re gonna get… unless MSFT changes their policy.

Be able to sign drivers in the future? Well, you need your cert to be valid and the cross-cert to be valid. And I was under the impression the issue was that the CROSS CERTS were going to expire. Whether or not you could get somebody to issue you a code signing cert wasn’t really the issue… at least the way I understand the problem.

Peter

I really tried but at some point in time gave up, as I’ve got other stuff to do.

Hmmmm… I’ve got other stuff to do, as well. It’s not like I get paid to answer the questions you post here, right?

Community, dude. It’s important.

Peter

Hmm, is that an EV SHA256 cert you were issued?
Does it load on Windows 10 without attestation signing?

Our company managed to still order a code signing certificate with kernel mode signing caps in December last year. The certificate itself expires in 2025 and the cross certificate it chains to expires in Dec 2023.

Thus we managed to be able to sign Win 7 kernel mode drivers and load them successfully until Dec 2023.

@Dejan_Maksimovic :smile:

Nope, it's an OV certificate.

I think it's not possible to get a driver signed by yourself (without attestation) which loads under Windows 10, secure boot on, version > 1603

I see no point then, unless you get it for free on top of an EV cert.

Is it SHA2 at least?

I see no point then

I suspect the POINT is that the driver will load on down-rev OS versions. Which is, after all, the whole point of cross-signing.

Peter

@“Peter_Viscarola_(OSR)” said:

I see no point then

I suspect the POINT is that the driver will load on down-rev OS versions. Which is, after all, the whole point of cross-signing.

Peter

Exactly, that's the point.

And EV certificates are only usable together with HW dongles, which makes usage more complex, especially in Corona home office, and it's more expensive :wink:

@“Peter_Viscarola_(OSR)” said:

I’m not even sure what it is you’re trying to accomplish: Simply sign a driver today that’ll work forever on Windows? Well, you just need a code signing cert that’s valid as of today, and that gets you as close as you’re gonna get… unless MSFT changes their policy.

Be able to sign drivers in the future? Well, you need your cert to be valid and the cross-cert to be valid. And I was under the impression the issue was that the CROSS CERTS were going to expire. Whether or not you could get somebody to issue you a code signing cert wasn’t really the issue… at least the way I understand the problem.

What I intend is to have a code signing certificate which I can be totally sure to be able to sign drivers for Win 7 with at least until the end of this year (2021).
And as I got a certificate from Entrust which together with its cross-signing cert is valid till 2023, I'm just wondering if MSFT can do anything to prevent me from signing such drivers till 2023?

as you said above:

… or Windows decides to not load drivers that are cross-signed …

So I'm asking myself (and the community): Is it possible for MSFT to revoke my nicely signed driver, which is cross-signed and timestamped properly today or at any later time this year, from loading under Win 7 anyway? How would they do that without Windows Updates being possible on Win 7?
And can they prevent me to sign such drivers until 2023 with the certificate I already purchased today, which is valid until 2023 including its cross cert?

Greetings, Matthias

which I can be totally sure to be able to sign drivers for Win 7 with at least until the end of this year (2021)

Yeah, well… “totally sure” is a pretty high standard, so I won’t go there. But as long as you have a cert and a cross cert that are valid until the end of 2021, you should have a very good chance that you’ll be able to do what you want during that time.

How would they do that without Windows Updates possible on Win7

I’m not sure what “without Windows Updates possible on Win7” means. If you mean that the target systems that will be loading your driver will not be connected to the Internet (or you will otherwise be set to disable any possibility of getting a Windows Update)… yes, I think you’re safe. If you’re saying “Microsoft has said they won’t do any Windows Updates for Win7” … well, whether that’s what they DO or not is entirely up to them, isn’t it?

And can they prevent me to sign such drivers until 2023 with the certificate I already purchased today,

It’s their operating system. They can do anything they want. As we see from this whole mess… But the point isn’t “prevent me to sign such drivers” – the ultimate point is “refusing to load such drivers” after you’ve signed them, right? Who knows what logic lurks in the various versions of the Win7 driver signing/authorization code? What little things they have that might expire, and when? This code is among the most closely guarded in Windows and I, for one, have never seen it.

Have you considered passing the Win7 WHQL tests? That would save you from having to worry about all this nonsense. It seems like you’ve expended as much effort as it might require for you to setup, run, and maybe pass those tests…

Peter
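The cert-plus-cross-cert validity question Peter and Matthias are going back and forth on can be checked on the actual signed file. The following PowerShell is an added example, not code from this thread or from OSR; the driver path is a placeholder, and it assumes the file carries an Authenticode signature.

```powershell
# Added example, not from the thread. Lists every certificate in a signed
# driver's Authenticode chain with its expiry date. $DriverPath is a placeholder.
param([string]$DriverPath = 'C:\placeholder\mydriver.sys')

$sig = Get-AuthenticodeSignature -FilePath $DriverPath
if ($null -eq $sig.SignerCertificate) {
    throw "No Authenticode signature found on $DriverPath"
}
"Signature status : $($sig.Status) ($($sig.StatusMessage))"

# With Authenticode, a timestamped signature is validated against certificate
# validity at signing time, so a cert expiring later does not by itself
# invalidate a driver that was signed and timestamped while it was valid.
if ($sig.TimeStamperCertificate) {
    "Timestamped by   : $($sig.TimeStamperCertificate.Subject)"
} else {
    Write-Warning "Not timestamped: validity hinges on the signing cert's NotAfter."
}

# Build the chain from the leaf cert. Revocation checking is skipped so this
# also runs on an offline Win7 box; the point here is expiry, not revocation.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($sig.SignerCertificate)

$now = Get-Date
$chain.ChainElements | ForEach-Object {
    $c = $_.Certificate
    [pscustomobject]@{
        Subject    = $c.Subject
        NotAfter   = $c.NotAfter
        DaysLeft   = [int]($c.NotAfter - $now).TotalDays
        Thumbprint = $c.Thumbprint
    }
} | Format-Table -AutoSize

# The earliest NotAfter below is the last day this cert chain can produce new
# signatures. X509Chain stops at the locally trusted vendor root, so the
# Microsoft cross-cert is NOT in this list: check its expiry separately
# against the cross-certificate table on Microsoft's docs page.
$deadline = ($chain.ChainElements |
    ForEach-Object { $_.Certificate.NotAfter } | Sort-Object)[0]
"Earliest expiry in chain: $deadline"
```

To see the chain the way the kernel-mode policy sees it, including the embedded cross-certificate, `signtool verify /kp /v <driver.sys>` prints it.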

From where did you get a cross-certificate valid until 2023? The cross certificates have to be issued by Microsoft, and it was my understanding they were not going to issue or renew any that lasted beyond June 2021.

@Tim_Roberts said:
From where did you get a cross-certificate valid until 2023? The cross certificates have to be issued by Microsoft, and it was my understanding they were not going to issue or renew any that lasted beyond June 2021.

From Entrust. It's even documented on MSFT's home page:
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing
Entrust Root Certification Authority – G2, thumbprint d8 fc 24 87 48 58 5e 17 3e fb fb 30 75 c4 b4 d6 0f 9d 8d 08, expires 2025/07/07

@“Peter_Viscarola_(OSR)” said:

How would they do that without Windows Updates possible on Win7

I’m not sure what “without Windows Updates possible on Win7” means. If you mean that the target systems that will be loading your driver will not be connected to the Internet (or you will otherwise be set to disable any possibility of getting a Windows Update)… yes, I think you’re safe. If you’re saying “Microsoft has said they won’t do any Windows Updates for Win7” … well, whether that’s what they DO or not is entirely up to them, isn’t it?

Rather the latter one, but you're right, it's up to them what they do or don't do on their Win 7.

And can they prevent me to sign such drivers until 2023 with the certificate I already purchased today,

It’s their operating system. They can do anything they want. As we see from this whole mess… But the point isn’t “prevent me to sign such drivers” – the ultimate point is “refusing to load such drivers” after you’ve signed them, right? Who knows what logic lurks in the various versions of the Win7 driver signing/authorization code? What little things they have that might expire, and when? This code is among the most closely guarded in Windows and I, for one, have never seen it.

"refusing to load such drivers" → yes, that's exactly what I mean. Yes, and maybe they have some special code in the depths of their Windows 7 OS waiting to get active and start revoking cross-signed drivers after June 2021 :wink: We never know (until June :smile: ).
But from your answer I read that you don't know for sure about such code/feature. It's all just guessing.
So I'm fine with that and take the risk for now.

Have you considered passing the Win7 WHQL tests? That would save you from having to worry about all this nonsense. It seems like you’ve expended as much effort as it might require for you to setup, run, and maybe pass those tests…

Yes sure, we looked into HLK already for Win 10 and even managed to pass some of our drivers. But then we figured out that we need HCK for Win 7 drivers, which is another hassle to set up. But anyway, we are still investigating that as well.

But that's not my job in my company. Other people are doing that.
I just have the job to find a backup plan if we fail to pass HCK, which is very likely as I read in many other posts here :wink:

Thanks for your help and expertise Peter, so far.

Matthias

@“Peter_Viscarola_(OSR)” said:

The real solution here isn’t to find a certificate; The REAL solution is to school Microsoft in all the reasons that this is bad policy, and to work hard to get them to reverse this decision.

Hi Peter,

I am the virtio-win maintainer.
How can I help?
Should we approach MS through development support or do you know other ways to approach MS to discuss the “update-apocalypse” with them?

Best regards,
Yan.

Thawte and geo-whatever expire on 2.22 so it should be an interesting month. DigiCert and many others expire early April. I happen to know that some very large companies have no clue this is happening. I

Mark Roddy

Should we approach MS through development support

You should approach MSFT through whatever mechanisms are available to you.

If your company has executives that have Quarterly Reviews with MSFT higher-ups, then that’s a good place to bring this issue. If you have interactions with folks in MSFT Premier Support, then by all means raise the issue there. If you have buddies (devs or PMs) who happen to work in one of the product groups, that’s a good place. If all you have is per-incident support, then go that way.

The key is for as many people as possible to raise the issue.

There ARE people internally who want to fix this, but they don't have the clout to manage it themselves and therefore need folks from outside of MSFT to provide ammunition. Without breaking any confidences, I can tell you that I had one PM tell me that there are folks internally who do not believe that there is a legit subset of drivers that are correct, but will never be able to pass the WHQL tests. Internally, the mantra has been "WTF are they so upset about? This isn't an issue. Just pass WHQL and be done with it."

Peter