Hardware Display
Lesson 4: Managing driver signing
Objective: Configure digital signing options.

Purpose of digital signatures

In Windows 11 Pro, digital signing options rarely need manual configuration for most users, but they can be tightened or enforced depending on security policy and use case. The following notes summarize the default behaviour and the places where configuration is possible:
  1. Default Digital Signing Behavior in Windows 11 Pro
    • Windows verifies the digital signatures of boot components and kernel-mode drivers (Code Integrity) and protects its own system files; for ordinary executables it exposes the signature so that other components can act on it.
    • Code signing is mandatory for kernel-mode drivers on 64-bit Windows, and Windows 11 ships only as 64-bit.
    • Windows Defender SmartScreen (reputation checks) and User Account Control (the verified publisher shown in the elevation prompt) both use these signatures to identify who published an application.
  2. Configuring Digital Signing Options
    1. Driver Signing Enforcement
      • Windows 11 Pro enforces driver signing by default: a kernel-mode driver must carry a signature that chains to a root Windows trusts, and since Windows 10 version 1607 new drivers on Secure Boot systems must be signed by Microsoft through the Hardware Dev Center (WHQL or attestation signing) rather than directly with a vendor certificate.
      • Enforcement can be relaxed (not recommended outside a lab):
        • Advanced Startup → Startup Settings → Disable driver signature enforcement, which applies to the next boot only.
        • bcdedit /set testsigning on (elevated, persistent across reboots, refused while Secure Boot is on), which accepts test-signed drivers and shows a "Test Mode" watermark on the desktop.
        • The Group Policy setting Code signing for device drivers (gpedit.msc → User Configuration → Administrative Templates → System → Driver Installation) is a legacy setting; it does not relax kernel-mode enforcement on 64-bit Windows.
    2. Enforcing Signed Executables via Group Policy
      • You can require that only digitally signed applications run by configuring AppLocker (or, more strictly, Windows Defender Application Control):
        • Open Group Policy Editor (gpedit.msc) → Computer Configuration → Windows Settings → Security Settings → Application Control Policies → AppLocker.
        • Create Publisher rules, which match on the signer, product and file name recorded in the signature, and set enforcement to Enforce rules. The Application Identity service must be running, otherwise the rules are never evaluated.
    3. Configuring Digital Signatures for Emails and Documents
      • In Microsoft Outlook, you can configure S/MIME to digitally sign and encrypt email.
      • In Microsoft Office, you can sign a document via File → Info → Protect Document → Add a Digital Signature.
    4. Configuring PowerShell Script Execution Policy
      • On Windows client editions the default execution policy is Restricted, so no script files run at all (Windows Server defaults to RemoteSigned).
      • To allow only signed scripts, in an elevated session:
        Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine
                    
      • Every script, including ones written locally, must then carry an Authenticode signature from a publisher in the Trusted Publishers store (or one you accept at the prompt). Execution policy is a safety feature, not a security boundary: powershell.exe -ExecutionPolicy Bypass sidesteps it, so use AppLocker or Windows Defender Application Control when enforcement matters.
  3. Enterprise Security and Compliance
    • In a corporate or regulated environment, signing policies are usually enforced centrally through Active Directory Group Policy (or a management service such as Intune) rather than set on each machine.
    • Windows 11 Pro also supports Secure Boot and BitLocker with a TPM: Secure Boot verifies the signatures of boot components, and the TPM releases the BitLocker key only when the measured boot chain is unchanged.
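The execution-policy item above, worked through end to end as an added PowerShell example (this is not code from the original lesson). It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, an elevated session (the LocalMachine scope and the Root store need it) and a lab machine, because it adds a self-signed certificate to the trusted roots; the certificate subject, file paths and function names are this example's own choices.

```powershell
# Added example, not part of the original lesson: put a script under the
# AllSigned execution policy and see what it takes for it to run.
# Assumptions: elevated Windows PowerShell 5.1 / PowerShell 7 on a lab machine.
# Subject name, paths and function names are this example's own choices.

function Get-SigningPosture {
    # Effective execution policy (first scope that is not Undefined wins) and
    # the code-signing certificates the current user could sign with.
    [pscustomobject]@{
        EffectivePolicy = Get-ExecutionPolicy
        PolicyByScope   = Get-ExecutionPolicy -List
        SigningCerts    = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
                              Select-Object Subject, NotAfter, Thumbprint
    }
}

function New-LabSigningCert {
    # Lab only. In production use a code-signing certificate from your
    # enterprise CA or a public CA; never trust a self-signed root fleet-wide.
    $cert = New-SelfSignedCertificate -Type CodeSigningCert `
        -Subject 'CN=Lab Script Signing (demo)' `
        -CertStoreLocation Cert:\CurrentUser\My `
        -NotAfter (Get-Date).AddYears(1)
    # AllSigned consults two stores: Root for the chain, TrustedPublisher for
    # the "run software from this publisher?" decision. Trust both for the demo.
    $cer = Join-Path $env:TEMP 'lab-signing.cer'
    Export-Certificate -Cert $cert -FilePath $cer | Out-Null
    foreach ($store in 'Root', 'TrustedPublisher') {
        Import-Certificate -FilePath $cer -CertStoreLocation "Cert:\LocalMachine\$store" | Out-Null
    }
    return $cert
}

function Set-ScriptSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate
    )
    # Appends a "# SIG # Begin signature block" comment holding the Authenticode
    # signature. Add -TimestampServer <url> in production so the signature stays
    # valid after the certificate expires.
    Set-AuthenticodeSignature -FilePath $Path -Certificate $Certificate -HashAlgorithm SHA256 | Out-Null
    return Get-AuthenticodeSignature -FilePath $Path
}

# --- demo run ---
Get-SigningPosture | Format-List

$script = Join-Path $env:TEMP 'hello.ps1'
Set-Content -Path $script -Value 'Write-Output "signed script ran"'

Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force
# Unsigned under AllSigned: the call fails with "not digitally signed".
try { & $script } catch { "Blocked: $($_.Exception.Message)" }

$cert = New-LabSigningCert
$sig  = Set-ScriptSignature -Path $script -Certificate $cert
"Signature status: $($sig.Status) by $($sig.SignerCertificate.Subject)"
& $script

# Tamper with the signed file: the appended line changes the hash the
# signature covers, so the status is no longer Valid.
Add-Content -Path $script -Value '# edited after signing'
(Get-AuthenticodeSignature -FilePath $script).Status
```

Remember that AllSigned only governs script files loaded by the PowerShell host; `powershell.exe -ExecutionPolicy Bypass` or piping code into the host ignores it, which is why the lesson pairs it with AppLocker for real enforcement.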

Do You Need to Configure It?
  • For home or standard users, default settings are usually sufficient.
  • For business or security-conscious environments, manual configuration is recommended to enforce signed drivers, scripts, and applications.

Identify Microsoft-approved system files

Digital signatures are used by Microsoft to identify Microsoft-approved system files, including device drivers.
Sometimes, when installing new software, the installer overwrites system files with incompatible versions, which can destabilize the system. The system files provided with Windows 11 carry a Microsoft digital signature. The signature attests that a particular file has passed a defined level of testing and that it has not been tampered with, or overwritten by, another program's installation process. Digital signatures are required for all vendor-provided drivers that ship with Windows 11 and for drivers published through Windows Update.
  • How driver signing works
    The digital signature does not change the contents of the device driver file itself. Instead, the driver package is associated with a signed catalog file (.cat) through its .inf file. The .inf file contains the installation instructions for the driver, and its [Version] section names the catalog with a CatalogFile= directive. The catalog is a list of cryptographic hashes, one for each file in the package (the .sys, the .inf and any co-installers), and it is the catalog that carries the Authenticode signature. During installation the operating system reads the .inf, opens the catalog it points to, checks that the signature chains to a root it trusts (for kernel-mode drivers on Windows 10 and later, a Microsoft signature obtained through the Hardware Dev Center), and then compares the hash of each file on disk with the hash recorded in the catalog. If everything matches, the driver installs. If there is no signature, if the signature does not verify, or if a file's hash no longer matches because the file was altered after signing, the operating system either warns you or refuses to install the driver, depending on the Windows version and on whether the driver runs in kernel mode. Drivers that load at boot are additionally embedded-signed in the .sys file itself, because the catalog store is not available that early in startup.
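The .inf to .cat chain described above, followed by hand for one driver package, as an added PowerShell example (not code from the original lesson). It assumes Windows PowerShell 5.1 or later, where Get-AuthenticodeSignature and Test-FileCatalog ship in the Microsoft.PowerShell.Security module; the package path and function names are this example's own choices.

```powershell
# Added example, not part of the original lesson: locate the catalog named by
# an .inf, verify the catalog's signature chain, then confirm every file in the
# package still matches the hashes the catalog records.
# Assumptions: Windows PowerShell 5.1+; C:\Drivers\example is a placeholder path.

function Get-InfCatalogFile {
    param([Parameter(Mandatory)][string] $InfPath)
    # The [Version] section holds CatalogFile=driver.cat, or a per-architecture
    # variant such as CatalogFile.NTamd64=driver.cat. ';' starts a comment.
    $inVersion = $false
    foreach ($raw in Get-Content -Path $InfPath) {
        $line = ($raw -split ';')[0].Trim()
        if ($line -match '^\[(.+)\]$') { $inVersion = ($Matches[1] -eq 'Version'); continue }
        if ($inVersion -and $line -match '^CatalogFile(\.\w+)?\s*=\s*"?([^"\s]+)"?') {
            return $Matches[2]   # first directive wins; real installs pick the arch-specific one
        }
    }
    return $null
}

function Test-DriverPackage {
    param([Parameter(Mandatory)][string] $InfPath)
    $dir     = Split-Path -Parent $InfPath
    $catName = Get-InfCatalogFile -InfPath $InfPath
    if (-not $catName) { throw "No CatalogFile directive found in $InfPath" }
    $catPath = Join-Path $dir $catName

    # 1. Who signed the catalog, and does the chain verify on this machine?
    #    The signature lives here, not in the .sys file.
    $sig = Get-AuthenticodeSignature -FilePath $catPath

    # 2. Do the files on disk still hash to what the catalog recorded?
    #    Editing driver.sys after signing breaks this check even though the
    #    .sys file carries no signature of its own. The catalog is skipped
    #    because it cannot list its own hash.
    $cat = Test-FileCatalog -CatalogFilePath $catPath -Path $dir -FilesToSkip $catName -Detailed

    # Files whose on-disk hash differs from, or is missing in, the catalog.
    $mismatched = @($cat.PathItems.Keys | Where-Object {
        $cat.CatalogItems[$_] -ne $cat.PathItems[$_]
    })

    [pscustomobject]@{
        Inf             = Split-Path -Leaf $InfPath
        Catalog         = $catName
        SignatureStatus = $sig.Status                      # Valid only if the chain is trusted
        Signer          = $sig.SignerCertificate.Subject
        HashesMatch     = ($cat.Status -eq 'Valid')
        MismatchedFiles = $mismatched
    }
}

Test-DriverPackage -InfPath 'C:\Drivers\example\example.inf' | Format-List
```

Test-FileCatalog answers only the integrity question (do the hashes match); trust is the separate question answered by Get-AuthenticodeSignature on the catalog. A package can pass the first and fail the second, for example a self-signed test driver, and the kernel will refuse to load it.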

Controlling unsigned Drivers

As a support professional, one of your responsibilities is to control how Windows reacts when an installation program attempts to add unsigned drivers to the system. The Driver Signing dialog described below is the one found on the Hardware tab of System Properties in Windows 2000 and Windows XP. 64-bit Windows (Vista onward, so every Windows 11 system) no longer offers an Ignore or Warn choice for kernel-mode drivers: unsigned drivers are always blocked, and the only relaxations are the Startup Settings option and the test-signing boot flag described earlier in this lesson. On a system that still has the dialog, configure the driver signing options as follows:
  1. Right-click My Computer and click Properties.
  2. On the Hardware tab, click Driver Signing.
  3. Select one of the options described below.

Driver Signing Options

Ignore   Installs all device drivers regardless of whether they have a digital signature. Not recommended: defective or malicious drivers are installed without any warning.
Warn     The default. The system displays a warning when it detects a device driver that is not digitally signed and lets you decide whether to install it. This offers the most flexibility of the three options.
Block    Prevents users from installing device drivers that lack a digital signature.
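What replaces the Ignore/Warn/Block choice on 64-bit Windows 10 and 11, as an added PowerShell example (not code from the original lesson): the enforcement state lives in the boot configuration and the firmware, so the script reads both and reports them. It assumes an elevated session (bcdedit and Confirm-SecureBootUEFI require it) and UEFI firmware for the Secure Boot query; the Ignore/Warn/Block labels are an analogy to the legacy dialog, and the function names are this example's own.

```powershell
# Added example, not part of the original lesson: report the current driver
# signing enforcement state on 64-bit Windows 10/11.
# Assumptions: elevated session; Confirm-SecureBootUEFI only works on UEFI
# firmware, so legacy BIOS is reported as $null. Names are this example's own.

function Get-BootFlag {
    param([Parameter(Mandatory)][string] $Name)
    # bcdedit prints an element such as "testsigning   Yes" only when it is
    # set, so an absent line means the default (off).
    $lines = bcdedit /enum '{current}' 2>$null
    foreach ($line in $lines) {
        if ($line -match "^\s*$Name\s+(\S+)") { return ($Matches[1] -eq 'Yes') }
    }
    return $false
}

function Get-DriverSigningEnforcement {
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop } catch { }

    $testSigning = Get-BootFlag -Name 'testsigning'
    $noIntegrity = Get-BootFlag -Name 'nointegritychecks'

    # Rough mapping onto the legacy dialog's options (an analogy, not Windows
    # terminology).
    if ($noIntegrity) {
        $mode = 'Ignore-like: nointegritychecks set (legacy flag; do not rely on it)'
    } elseif ($testSigning) {
        $mode = 'Warn-like: test-signed drivers load and a "Test Mode" watermark is shown'
    } else {
        $mode = 'Block: only production-signed drivers load'
    }

    [pscustomobject]@{
        SecureBoot        = $secureBoot     # $true/$false, $null if not UEFI
        TestSigning       = $testSigning
        NoIntegrityChecks = $noIntegrity
        Mode              = $mode
    }
}

Get-DriverSigningEnforcement | Format-List

# Changing the state (elevated; takes effect after a reboot):
#   bcdedit /set testsigning on    # lab machines only
#   bcdedit /set testsigning off   # restore the default
# With Secure Boot on, bcdedit refuses the change because the value is
# protected by Secure Boot policy. The "Disable driver signature enforcement"
# entry under Startup Settings affects one boot only and sets no flag here.
```

A machine that reports SecureBoot = True and TestSigning = False is in the default, fully enforced state; anything else is worth a ticket, since test signing is the usual way a rootkit-style unsigned driver gets loaded on an otherwise patched system.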

Identifying unsigned files

You can use file signature verification (sigverif.exe, still shipped with Windows 11) to identify unsigned files on your computer and to set verification options. To use file signature verification, perform the steps shown in the list below.
  • Identifying Unsigned Files
    1. Click Start.
    2. Click Run (on Windows 11, press Win+R).
    3. Type 'sigverif' in the Open box, then click OK.
    4. Click Start to identify any files that are not signed.
    5. The program begins scanning for unsigned files. You can follow the scan via the progress indicator.
    6. The Signature Verification Results dialog box appears when the scan is complete. Make a note of the unsigned files, then click Close.
    7. Click the Advanced button to see the options available when performing a File Signature Verification.
    8. In the Advanced File Signature Verification Settings dialog box, you can select which types of files are scanned. Click the Logging tab.
    9. The log file (SIGVERIF.TXT in the Windows folder by default) lists the unsigned files. This completes the outlined steps. Click the Exit button.

Use File Signature Verification
Use file signature verification to identify unsigned files on your computer and to specify verification options. These tasks are useful when deciding whether to update a driver, or when troubleshooting a problem you suspect is related to a driver. To use file signature verification:
  1. Click Start, click Run, type sigverif in the Open box, and then click OK.
  2. Click Start to identify any files that are not signed. A list of files that have not been digitally signed appears; files signed only through a catalog count as signed.
  3. To set verification options, click Advanced. The Advanced File Signature Verification Settings dialog box appears. You can choose to be notified if any system files are not signed, or you can search for other files that are not digitally signed.
  4. To create, save, or view a log file, click the Logging tab. The log file contains the results of the search. It can be archived and used during troubleshooting to compare the set of unsigned files from one point in time to another.
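A scripted equivalent of the sigverif procedure above, as an added PowerShell example (not code from the original lesson): it lists unsigned Plug and Play drivers, scans a directory for files with neither an embedded nor a catalog signature, and writes a log that can be archived and diffed over time. It assumes Windows PowerShell 5.1 or later; the scan directory, log path and function names are this example's own choices.

```powershell
# Added example, not part of the original lesson: find unsigned drivers and
# files the way sigverif does, and keep a log for later comparison.
# Assumptions: Windows PowerShell 5.1+; paths and names are this example's own.

function Get-UnsignedDriver {
    # Installed PnP drivers as the PnP manager sees them, with signer data.
    # Entries without an .inf are devices with no driver, not unsigned ones.
    Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.InfName -and -not $_.IsSigned } |
        Select-Object DeviceName, DriverProviderName, InfName, DriverVersion
}

function Get-UnsignedFile {
    param(
        [string]   $Path    = "$env:SystemRoot\System32\drivers",
        [string[]] $Include = @('*.sys', '*.dll', '*.exe', '*.ocx')
    )
    Get-ChildItem -Path $Path -Include $Include -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Windows files are usually catalog-signed: they report Valid with
            # SignatureType 'Catalog'. Only NotSigned means no signature at all.
            if ($sig.Status -eq 'NotSigned') {
                [pscustomobject]@{ File = $_.FullName; Status = $sig.Status }
            }
        }
}

function Write-SignatureLog {
    param([string] $LogPath = (Join-Path $env:TEMP 'sigcheck.txt'))
    $report = @(
        "Signature check $(Get-Date -Format s) on $env:COMPUTERNAME"
        '--- unsigned PnP drivers ---'
        (Get-UnsignedDriver | Format-Table -AutoSize | Out-String)
        '--- files without any signature under System32\drivers ---'
        (Get-UnsignedFile | Format-Table -AutoSize | Out-String)
    )
    Set-Content -Path $LogPath -Value $report
    return $LogPath
}

$log = Write-SignatureLog
Get-Content -Path $log
```

Keep the log under version control or in a ticket, and re-run the script after a vendor installer finishes: a new entry under "unsigned PnP drivers" is exactly the situation the lesson warns about, and the InfName column tells you which package brought it in.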

In the next lesson, you will learn how to create and activate a new hardware profile.
