In Windows 11 Pro, digital signing options do not necessarily have to be configured manually for most users, but they can be
customized or enforced depending on security policies and specific use cases. Here are some scenarios where configuration might be required:
Default Digital Signing Behavior in Windows 11 Pro
Windows automatically verifies digital signatures on system files, drivers, and executables to ensure integrity and security.
Code signing is required for kernel-mode drivers.
Windows Defender SmartScreen and User Account Control (UAC) rely on digital signatures to verify application authenticity.
Configuring Digital Signing Options
Driver Signing Enforcement
Windows 11 Pro enforces driver signing by default, requiring drivers to be signed by a trusted certificate authority.
You can disable this enforcement (not recommended) via:
Group Policy Editor (gpedit.msc) → Code Signing for Device Drivers
Enforcing Signed Executables via Group Policy
You can require that only digitally signed applications run by configuring AppLocker:
Open Group Policy Editor (gpedit.msc) → Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker.
Define rules for allowing only signed software.
Configuring Digital Signatures for Emails and Documents
In Microsoft Outlook, you can configure S/MIME signing for digitally signing and encrypting emails.
In Microsoft Office, you can enforce document signing via:
File → Info → Protect Document → Add a Digital Signature.
Configuring PowerShell Script Execution Policy
Windows restricts unsigned PowerShell scripts by default.
To allow only signed scripts:
Set-ExecutionPolicy AllSigned
This ensures all scripts are signed by a trusted certificate.
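The following added example (not part of the original lesson) shows the AllSigned policy in practice: it signs a script with a code-signing certificate, verifies the signature before running it, and shows what happens when the signed file is edited afterwards. It assumes a code-signing certificate already exists in the current user's personal store; the subject name 'CN=Contoso Script Signing' is a placeholder.

```powershell
# Added example, not from the original lesson. Assumes a certificate with the
# Code Signing EKU is present in Cert:\CurrentUser\My; the subject is a placeholder.
$cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
    Where-Object Subject -eq 'CN=Contoso Script Signing' |
    Select-Object -First 1
if (-not $cert) { throw 'No code-signing certificate found in Cert:\CurrentUser\My' }

# Apply AllSigned to the current user only, leaving the machine-wide setting alone.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope CurrentUser -Force
Get-ExecutionPolicy -List   # shows the effective policy for each scope

# Write a small script, then sign it. Adding -TimestampServer with a
# trusted timestamp URL keeps the signature valid after the certificate expires.
$script = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $script -Value 'Write-Output "signed script ran"'
$sig = Set-AuthenticodeSignature -FilePath $script -Certificate $cert -HashAlgorithm SHA256
$sig.Status            # Valid only when the signer chains to a root this machine trusts

# Verify before running: AllSigned refuses any script whose status is not Valid.
$check = Get-AuthenticodeSignature -FilePath $script
if ($check.Status -ne 'Valid') {
    throw "Refusing to run $script : signature status is $($check.Status)"
}
& $script

# Any change after signing, even an appended comment, breaks the hash.
Add-Content -Path $script -Value '# edited after signing'
(Get-AuthenticodeSignature -FilePath $script).Status   # now HashMismatch
```

A self-signed certificate reports UnknownError rather than Valid until its root is placed in the Trusted Root and Trusted Publishers stores, which is why the lesson stresses a trusted certificate.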
Enterprise Security and Compliance
If you're working in a corporate or regulated environment, digital signing policies may be centrally enforced via Active Directory Group Policies.
Windows 11 Pro supports BitLocker with TPM, which integrates with certificate-based authentication.
Do You Need to Configure It?
For home or standard users, default settings are usually sufficient.
For business or security-conscious environments, manual configuration is recommended to enforce signed drivers, scripts, and applications.
Identify Microsoft-approved system files
Digital signatures are used by Microsoft to identify Microsoft-approved system files, including device drivers.
Sometimes, when installing new software on your computer, the software installation process overwrites system files with incompatible versions. This can cause system instability. The system files provided with Windows 11 have a Microsoft digital signature.
These signatures ensure that a particular file has met a certain level of testing, and that the file has not been altered, or overwritten by another program's installation process. Digital signatures are required for all vendor-provided drivers that ship with Windows 11, and for drivers published on the Windows Update Web site.
How driver signing works
The digital signature does not change the contents of the actual device driver file. Rather, the device driver is associated with the digital signature via an .inf file. The .inf file contains the instructions for installing the device driver, and contains a "pointer" to the digital signature file (the .cat file). During the installation of the driver, the operating system reads the contents of the .inf file, and then checks the .cat file to which the .inf file points. If the .cat file contains Microsoft's own digital signature, the operating system assumes the driver is good and continues with installation. If there is no digital signature, or if the digital signature is not confirmed as a valid Microsoft signature, then the operating system will either warn you of this situation or will prevent the driver from installing at all.
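As an added example (not from the original lesson), the following function follows the .inf "pointer" described above to the package's .cat file and checks the catalog's signature, which is the step Setup performs before trusting the package. The driver package path is a placeholder; the function name is the author's own.

```powershell
# Added example, not from the original lesson. Resolves CatalogFile= in an .inf
# to its .cat and verifies that catalog's signature.
function Test-DriverPackageSignature {
    param([Parameter(Mandatory)][string]$InfPath)

    # The pointer lives in the [Version] section as CatalogFile=name.cat;
    # architecture-specific variants such as CatalogFile.NTamd64 also occur.
    $inVersion = $false; $catName = $null
    foreach ($line in Get-Content -Path $InfPath) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $inVersion = ($Matches[1] -eq 'Version'); continue }
        if ($inVersion -and $t -match '^CatalogFile(\.\w+)?\s*=\s*"?([^";]+)"?') {
            $catName = $Matches[2].Trim(); break
        }
    }
    if (-not $catName) {
        return [pscustomobject]@{ Inf=$InfPath; Catalog=$null; Status='NoCatalogFileEntry'; Signer=$null }
    }
    $catPath = Join-Path (Split-Path $InfPath -Parent) $catName
    if (-not (Test-Path $catPath)) {
        return [pscustomobject]@{ Inf=$InfPath; Catalog=$catPath; Status='CatalogMissing'; Signer=$null }
    }
    # A .cat is a signed PKCS#7 structure listing the hashes of the package files;
    # Get-AuthenticodeSignature verifies it and exposes the signing certificate.
    $sig = Get-AuthenticodeSignature -FilePath $catPath
    [pscustomobject]@{
        Inf     = $InfPath
        Catalog = $catPath
        Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
        Signer  = $sig.SignerCertificate.Subject
    }
}

# Placeholder path; any extracted driver package containing an .inf and .cat will do.
Test-DriverPackageSignature -InfPath 'C:\Drivers\example\example.inf' | Format-List
```

A Status of Valid means the catalog chains to a root this machine trusts; whether that signer satisfies the kernel-mode driver signing policy is a separate check the operating system performs at install time.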
Controlling unsigned drivers
As a support professional, one of your responsibilities is to control how Windows 11 reacts if an installation program attempts to add unsigned drivers to the system. To configure driver signing options:
1) Right-click My Computer and click Properties.
2) Click Driver Signing on the Hardware tab.
3) Select one of the options described below.
[Figure: Driver Signing Options dialog]
Ignore
Installs all device drivers regardless of whether they have a digital signature.
This is not recommended, as defective device drivers can be installed without warning.
Warn
This setting is the default. If chosen, the system will display a warning when it detects device drivers that are not digitally signed. This allows you to choose to install the device driver, and offers the most flexibility of the three options.
Block
This option prevents users from installing device drivers without digital signatures.
Identifying unsigned files
You can use file signature verification to identify unsigned files on your computer and specify verification options.
To use file signature verification, perform the steps shown in the list below.
Identifying Unsigned Files
Click Start.
Click Run.
Type 'sigverif' in the Open box, then click OK.
Click Start to identify any files that are not signed.
The program then begins to scan for unsigned files. You can see the progress of the scan via the progress indicator.
The Signature Verification Results dialog box appears when the file scan is completed. Make a note of the unsigned files, then click the Close button.
Click the Advanced button to see some of the options you have when performing a File Signature Verification.
In the Advanced File Signature Verification Settings dialog box, you can see options for selecting what types of files are scanned. Click the Logging tab.
The log file lists the unsigned files. This completes the outlined steps. Click the Exit button.
Use File Signature Verification
Use file signature verification to identify unsigned files on your computer and specify verification options.
These tasks are useful when determining whether to update a driver or when troubleshooting a problem you suspect is related to a driver.
To use file signature verification:
Click Start, click Run, type sigverif in the Open box, and then click OK.
Click Start to identify any files that are not signed. A list of files that have not been digitally signed appears.
To set verification options, click Advanced. The Advanced File Signature Verification Settings dialog box appears. You can choose to be notified if any system files are not signed, or you can search for files that are not digitally signed.
To create, save, or view a log file, click the Logging tab.
The log file contains the results of the search. This log file can be archived and used during troubleshooting to compare driver settings from one point in time to another point in time.
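As an added example (not from the original lesson), the following function is a scripted counterpart to the sigverif scan described above: it reports how each file is signed (embedded Authenticode, catalog, or not at all), writes a dated log that can be archived and compared between two points in time, and returns the files sigverif would flag. The scan folder, file patterns, log location and function name are the author's own choices.

```powershell
# Added example, not from the original lesson. Scans a folder for files lacking a
# valid signature and writes a sigverif-style log; paths below are placeholders.
function Get-UnsignedFileReport {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers",
        [string[]]$Include = @('*.sys', '*.dll', '*.exe'),
        [string]$LogPath = "$env:TEMP\sigverif-ps.txt"
    )
    $results = Get-ChildItem -Path $Path -Include $Include -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-AuthenticodeSignature also consults the system catalogs, so an OS
            # file with no embedded signature still reports SignatureType Catalog.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File          = $_.FullName
                Status        = $sig.Status
                SignatureType = $sig.SignatureType   # Authenticode, Catalog or None
                Signer        = $sig.SignerCertificate.Subject
            }
        }

    # Log the full result set under a timestamp header; diffing two logs shows
    # which files changed signing state between scans.
    "Scan of $Path at $(Get-Date -Format o)" | Set-Content -Path $LogPath
    $results | Format-Table -AutoSize | Out-String -Width 300 | Add-Content -Path $LogPath

    # Return only what sigverif would list: files without a valid signature.
    $results | Where-Object Status -ne 'Valid'
}

Get-UnsignedFileReport | Format-Table File, Status, SignatureType -AutoSize
```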
In the next lesson, you will learn how to create and activate a new hardware profile.