Skip to main content

    How to Sign a Windows Driver (Attestation Signing, Step by Step)

    Sign a Windows kernel driver: why Microsoft signs it, the EV certificate rule, attestation signing in Partner Center step by step, and when you need WHQL.

    MS
    My-SSL Security Team
    ·
    13 min read
    ·
    Published July 9, 2026
    ·
    Last updated July 9, 2026

    In short

    You can't fully sign a production kernel-mode driver with your own certificate — since Windows 10 version 1607, new kernel drivers only load when Microsoft has signed them. Your EV code signing certificate signs the CAB file you submit to the Partner Center hardware dashboard; Microsoft attestation-signs the driver inside and returns it. That covers Windows 10 and 11. Windows Server 2016 and later ignores attestation entirely — Server drivers need full WHQL certification through HLK testing.

    Everything else in code signing follows the same script: run signtool sign, verify, ship. Drivers are the exception, and the number of forum threads that start with "signed my driver, still won't load" shows how often that surprises people. For a kernel driver, your signature isn't the end of the process — it's your ticket into Microsoft's signing service, which applies the signature Windows actually checks at load time. This guide walks through the whole chain: what your EV certificate really does, the attestation submission in Partner Center, when you need WHQL instead, and how to keep developing while none of your builds are Microsoft-signed yet.

    Why can't you sign a kernel driver yourself?

    Because kernel code runs with more privilege than anything else on the machine, Windows holds it to a different trust standard than applications. An EXE with a valid publisher signature gets a SmartScreen decision; a kernel driver gets a boot-time code integrity check that, since Windows 10 version 1607, requires a signature from Microsoft's Hardware Dev Center — not from your certificate, whoever issued it.

    The reasoning is straightforward: a malicious or compromised kernel driver doesn't just affect one app, it owns the operating system. Publicly trusted CAs vet publishers, but they never see the code. By routing every production kernel driver through its own signing service, Microsoft gets a central choke point — it knows exactly what was signed, by whom, and can revoke a specific driver version without touching the publisher's certificate.

    How a Windows driver gets its production signatureFour-step flow. Step one: your driver package with INF, SYS, and PDB files. Step two: you sign the submission CAB with your EV certificate. Step three, highlighted in gold: Microsoft signs the driver through attestation or WHQL — this is the signature that matters. Step four: Windows kernel code integrity checks for Microsoft's signature and loads the driver.Two signatures, two different jobsDriver package.inf + .sys + .pdbbuilt and testedYou sign the CABEV certificate,/fd sha256Microsoft signsthe driver itself —attestation or WHQLWindows loads itcode integrity checksMicrosoft's signatureYour EV certificate authenticates the submission.Microsoft's signature is the one the kernel trusts.
    Once this division of labor clicks, every driver signing error message starts making sense: Windows was never looking for your signature.

    Your certificate still matters — it's how Microsoft knows who you are. Partner Center accounts are anchored to an EV code signing certificate, and every submission CAB you upload must be signed. So the practical flow is always the same: you vouch for the submission, Microsoft signs the driver. Keep that in mind and the rest of this guide is mostly mechanics.

    Cross-signing is gone: what changed and when

    Cross-signing — CA-issued kernel signing certificates chained to Microsoft's cross-certificates — was the old way to sign drivers yourself. Microsoft deprecated the program in 2021, the certificates behind it have expired, and the April 2026 Windows update removed default trust for cross-signed kernel drivers on Windows 11 24H2, 25H2, 26H1, and Windows Server 2025. New driver work should assume that path no longer exists.

    This matters even if you never cross-signed anything, because it explains the confusing advice still floating around. Older tutorials — and some CA marketing pages — describe buying a kernel-capable certificate and signing your .sys file directly. That workflow died in stages, and the residue of each stage still shows up in the wild:

    Timeline of Windows kernel driver signing policyFour milestones on a horizontal timeline. July 2015: certificates issued after July 29 get no cross-signing grandfathering. 2016: Windows 10 version 1607 requires new kernel drivers to be signed by the Hardware Dev Center. 2021: the cross-signed driver program is deprecated and Microsoft becomes the only production kernel signer. April 2026, highlighted in gold: a Windows update removes default trust for cross-signed drivers on Windows 11 24H2 and later and Windows Server 2025.How the old ways were switched offJuly 2015Certs issued afterJuly 29 get nograndfathering2016Windows 10 1607:new kernel drivers needa Microsoft signature2021Cross-signing programretired; Microsoft is theonly production signerApril 2026Cross-signed driverslose default trust onWin 11 24H2+ / Server 2025Each step narrowed the same door: today, Microsoft's signature is the only way in.
    A driver that "always worked" was usually riding one of these grandfather clauses — and the last big one closed in April 2026.

    The practical takeaway: timestamped cross-signed drivers kept loading for years after 2021, which let some vendors put off resubmission. Machines that took the April 2026 update on the affected versions now load only Microsoft-signed kernel drivers by default. If you maintain a driver that predates attestation, resubmitting it through Partner Center is no longer optional housekeeping — it's the difference between loading and not loading on current Windows.

    What you need before you start

    Three things, in order: an EV code signing certificate, a Microsoft Partner Center account for the hardware program (which requires that certificate to register), and the signing tools — SignTool from the Windows SDK plus MakeCab, which ships with Windows. The EV requirement is Microsoft's, not the CA's: attestation and WHQL submissions both demand at least one EV certificate on the account.

    1. An EV code signing certificate

    Microsoft's driver signing requirements list six approved EV providers: Certum, DigiCert, GlobalSign, IdenTrust, Sectigo, and SSL.com. The Certum EV code signing certificates My-SSL sells are on that list, and the document checklist shows what EV validation will ask your organization for. Like all code signing keys since June 2023, the private key lives on certified hardware — a USB token or a cloud signing service — so budget a few days for delivery and setup.

    2. A Partner Center hardware account

    Register for the Windows Hardware Developer Program at Partner Center. Registration verifies your company identity against the EV certificate, which is why you need the certificate first. One account covers attestation signing, WHQL submissions, and shipping labels for Windows Update distribution later.

    3. SignTool and MakeCab

    SignTool comes with the Windows SDK (and the WDK, which you already have if you're building drivers). MakeCab is part of Windows itself. For development-time signing you'll also want Inf2Cat from the WDK to generate catalog files — more on that in the test signing section.

    Attestation signing, step by step

    Attestation signing means Microsoft signs your driver on your word — you attest that it's tested and safe, no lab tests required. The mechanics: package the driver files into a CAB, sign the CAB with your EV certificate, upload it in Partner Center, and download the Microsoft-signed result, usually within the hour. Here is each step with the exact commands.

    Step 1: Build the CAB file

    The CAB contains your driver folder: the INF, the compiled .sys binary, and ideally the .pdb symbol file so Microsoft can analyze crashes. Catalog files are optional — Microsoft regenerates them during signing anyway. Describe the contents in a DDF file and feed it to MakeCab. Two format rules: use real paths (mapped drives, not UNC paths), and keep every driver folder in the CAB to the same architecture set.

    MyDriver.ddf — then build the CAB
    ; MyDriver.ddf
    .Set CabinetNameTemplate=MyDriver.cab
    .Set DestinationDir=MyDriver
    C:\MyDriver\MyDriver.inf
    C:\MyDriver\MyDriver.sys
    C:\MyDriver\MyDriver.pdb
    
    REM Build it (output lands in .\disk1\):
    MakeCab /f MyDriver.ddf

    Step 2: Sign the CAB with your EV certificate

    This is the only signature you apply in the whole production flow — and it goes on the CAB, not the driver. SHA-256 digest and a SHA-256 certificate are required; a timestamp is good practice on anything you sign. With a hardware token, expect the PIN prompt here.

    Sign the submission CAB
    signtool sign /s MY /n "Your Company Name" /fd SHA256 ^
      /tr http://time.certum.pl /td SHA256 disk1\MyDriver.cab

    Step 3: Submit in Partner Center

    In the Partner Center hardware dashboard, choose "Submit new hardware," name the product, upload the signed CAB, and pick the Windows versions the driver should be signed for. Leave the test-signing checkboxes unchecked — those produce test-only signatures. Microsoft runs automated malware and quality scans, signs the driver, and the submission page offers the signed package for download.

    Step 4: Verify and ship

    Download the signed package and check what came back before it goes anywhere near an installer. The signature on the .sys file should now chain to Microsoft, with your company listed in the attributes.

    Verify the returned driver
    signtool verify /pa /ph /v /d MyDriver.sys
    
    REM Install the package on a clean test VM with Secure Boot ON --
    REM that's the environment your users actually run.

    Re-sign after every rebuild — of anything

    Microsoft's signature covers the exact binaries you submitted. A one-line fix means a new CAB, a new submission, and a new signed package. Teams that ship driver updates regularly usually wire the CAB build into their release pipeline so the submission step is a habit, not a scramble.

    Attestation or WHQL: which submission do you need?

    Attestation is faster and covers Windows 10 and 11 client systems; WHQL certification through the Windows Hardware Compatibility Program covers everything else. The two hard lines: Windows Server 2016 and later only loads dashboard-signed drivers that passed the HLK tests, and only certified drivers can be published through Windows Update. If neither applies to you, attestation is the sensible default.

    Four ways to sign a Windows driver and what each is good forComparison panel with four rows. Attestation signing: Microsoft signs on your word, valid on Windows 10 and 11 client only, not published on Windows Update. WHQL certification, highlighted in gold: pass HLK tests and Microsoft certifies the driver — the only path that works on Windows Server and qualifies for Windows Update. Test signing: your own certificate in test mode, development machines only. Your EV certificate alone: signs the submission CAB and user-mode software, but is not enough for a kernel driver to load.Pick the path by where the driver must runAttestationhours, no lab testsMicrosoft signs on your word. Windows 10 / 11 client only.You distribute it yourself — no Windows Update publishing.WHQL / WHCPHLK test passThe only path Windows Server 2016+ accepts — and the onlyone eligible for Windows Update distribution.Test signingbcdedit test modeYour own test certificate on machines you control.Development and lab use only — never a distribution plan.EV cert alonesubmission credentialSigns the CAB you submit (and your apps and installers) —not sufficient by itself for a kernel driver to load.
    The Server row decides for many teams: if your driver ever needs to run on Windows Server, attestation was never on the table.

    WHQL is a bigger investment: you set up an HLK test environment (or hire a lab), run the test suite for your device class on each Windows version you target, and submit the results package. What you get for it is reach — Server support, Windows Update distribution, and the "certified" status some enterprise customers require in procurement. Plenty of teams run both tracks: attestation for fast fixes to client-only tools, WHQL for the flagship hardware driver.

    One planning note: attestation-signed drivers aren't retroactively valid on Server, and there's no upgrade button — a Server-capable release means a fresh WHQL submission with HLK results. Deciding which audiences matter before you ship the first version saves an awkward re-release later.

    Test signing during development

    You don't submit every debug build to Microsoft. For development, Windows offers test signing mode: the machine accepts drivers signed with your own test certificate, and reminds you with a "Test Mode" watermark on the desktop. Enable it with bcdedit on a test machine or VM — Secure Boot blocks the change, so test boxes typically run with it off.

    Test-sign a driver package
    REM On the TEST machine (admin prompt, then reboot):
    bcdedit /set testsigning on
    
    REM Create a test certificate (developer machine, PowerShell):
    New-SelfSignedCertificate -Type CodeSigningCert -Subject "CN=MyDriver Test" ^
      -CertStoreLocation Cert:\CurrentUser\My
    
    REM Generate the catalog from the INF (WDK):
    Inf2Cat /driver:C:\MyDriver /os:10_x64
    
    REM Sign the catalog with the test certificate:
    signtool sign /s MY /n "MyDriver Test" /fd SHA256 MyDriver.cat
    
    REM Install the test certificate into the test machine's
    REM Trusted Root and Trusted Publishers stores, then install the driver.

    Keep the two worlds strictly separate: test-signed packages are for machines you control, production packages come back from Partner Center. If a test-signed build escapes to a customer, it simply won't load on their normally configured system — which is the policy working as designed, though it rarely feels that way at the support desk.

    Common driver signing errors

    Most driver signing failures trace back to one of three mismatches: the driver lacks a Microsoft signature, the signature type doesn't match the Windows edition, or the install package is missing a signed catalog. Here are the errors those produce and what actually fixes each one.

    Code 52: "Windows cannot verify the digital signature"

    Kernel code integrity rejected the driver. Check the .sys file's signature chain with signtool verify /pa /ph /v — if it chains to your certificate instead of Microsoft, the driver was never attestation-signed, and that's the fix. Cross-signed drivers hit this on systems with the April 2026 update. Telling users to disable enforcement is not a fix; it doesn't survive a normal reboot and trains them badly.

    "The third-party INF does not contain digital signature information"

    The driver package has no valid signed catalog — common when files were edited after signing (a catalog covers exact file hashes, so touching the INF breaks it) or when the .cat file didn't make it into the install package. Rebuild, resubmit, and ship the package exactly as Partner Center returned it.

    Loads on Windows 11, refuses on Windows Server

    The signature is attestation-only. Server 2016 and later requires an HLK-tested, WHQL-signed driver — there's no setting on the customer's side that makes attestation acceptable. The path forward is an HLK run and a WHCP submission for the Server versions you support.

    Works on one machine, fails on an identical one

    Almost always a policy difference, not a hardware one: Secure Boot on versus off, test mode enabled on the dev box, or one machine carrying the April 2026 update. Compare msinfo32 Secure Boot state and patch levels before rebuilding anything — the binary is probably fine.

    Frequently Asked Questions

    Get instant answers to common questions about SSL certificates and our services.

    Still Have Questions?

    Our SSL experts are available 24/7 to help with any questions about certificates, installation, or technical issues.

    The bottom line

    Driver signing is a two-key system: your EV certificate signs the submission, Microsoft signs the driver. Package the INF, .sys, and .pdb into a CAB, sign it with /fd SHA256, submit through Partner Center, and verify what comes back on a Secure Boot machine before shipping. Windows Server means WHQL — decide that before the first release, not after. If the EV certificate is the piece you're missing, My-SSL carries Certum EV code signing certificates — Certum is one of the six providers on Microsoft's approved list for the hardware program.