Microsoft tightens up Windows 10 security by requiring kernel mode drivers to be digitally signed
Windows 10 will not load unsigned kernel mode drivers, starting with version 1607 of the operating system. This is something that had been announced back in 2015, but is only just being implemented.
The decision was taken in order to improve the security of Windows 10, but Microsoft says that "due to technical and ecosystem readiness issues, this was not enforced by Windows Code Integrity and remained only a policy statement". Now it is a reality, and it's something developers and users need to keep in mind.
The change only affects new drivers, and Microsoft explains that there is no need for existing drivers to be resubmitted for signing. It also only applies to fresh installations on computers with Secure Boot enabled.
Announcing the change on the Windows Hardware Certification blog, Microsoft says:
Starting with new installations of Windows 10, version 1607, the previously defined driver signing rules will be enforced by the operating system, and Windows 10, version 1607 will not load any new kernel mode drivers which are not signed by the Dev Portal. OS signing enforcement is only for new OS installations; systems upgraded from an earlier OS to Windows 10, version 1607 will not be affected by this change.
Microsoft's own TL;DR version of the policy is: "On non-upgraded fresh installations of Windows 10, version 1607 with Secure Boot ON, drivers must be signed by Microsoft or with cross-signed certificates issued prior to July 29, 2015."