I am inquiring about the latest version 1809 of Windows 10 Pro for x64 systems. The device in question may have Secure Boot enabled or disabled and is able to utilize custom Secure Boot keys.
The driver that I have written, which is intended for personal use on my primary laptop, needs to be loaded at startup. Due to security concerns and the potential added cost, I am hesitant to use Test Mode or obtain a paid certificate.
Is there a method to load a driver that is signed with my own key, allowing for manual trust in Windows and Secure Boot, without enabling Test Mode for all drivers?
I have come across an article that suggests this is possible; however, it mentions that this method only persists until the next Windows restart.
This happy circumstance of your having your own driver executing despite its having your own signature will persist through sleeps and hibernations until you next restart Windows.
Has anyone had success in persistently loading a self-signed driver using a similar approach?
3 Answers
It is possible to load a self-signed driver in Windows 10 without using Test Mode, but it requires some additional steps.
First, you will need to create your own certificate and sign the driver with it. This can be done using the Microsoft Signing Tool (SignTool.exe). Once the driver is signed, you will need to add the certificate to the Trusted Root Certification Authorities store on your machine.
Next, you will need to configure Secure Boot to trust the certificate. If Secure Boot is enabled on your machine, you will need to add the certificate to the Secure Boot database. If Secure Boot is disabled, you will need to disable driver signature enforcement.
It is worth noting that the driver will only be loaded for the current session, and will not persist through reboots. To make the driver persist through reboots, you will need to add it to the Windows Startup folder or configure it to start as a service.
It’s also worth noting that self-signed drivers are not considered secure, as they can be easily compromised. So it’s not recommended to use a self-signed driver for any production systems.
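As an added example (not part of the answer above), here are the certificate-creation, signing and trust steps the answer describes as a PowerShell script run from an elevated prompt, followed by the checks you would want before rebooting. The subject name, driver path and timestamp server URL are assumptions; signtool.exe is assumed to be on the PATH from the Windows SDK, and the firmware-side Secure Boot db step is platform specific and not shown.

```powershell
# Added example: the answer's certificate, signing and trust steps in PowerShell.
# Run elevated, with the Windows SDK installed so signtool.exe is available.
# Assumed/placeholder values: subject name, driver path, timestamp server URL.
$Subject      = 'CN=MyDriverSigning'             # assumption
$DriverPath   = 'C:\drivers\mydriver.sys'        # assumption: the already-built driver
$TimestampUrl = 'http://timestamp.digicert.com'  # assumption: any RFC 3161 TSA works

# 1. Create a self-signed code-signing certificate in the current user's store.
$cert = New-SelfSignedCertificate -Type CodeSigningCert -Subject $Subject `
    -KeyAlgorithm RSA -KeyLength 3072 -HashAlgorithm SHA256 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddYears(5)

# 2. Sign the driver with that certificate (selected by thumbprint) and timestamp it,
#    so the signature remains verifiable after the certificate itself expires.
& signtool.exe sign /v /fd SHA256 /sha1 $cert.Thumbprint /tr $TimestampUrl /td SHA256 $DriverPath
if ($LASTEXITCODE -ne 0) { throw "signtool failed with exit code $LASTEXITCODE" }

# 3. Trust the certificate machine-wide: Trusted Root as the answer describes, plus
#    Trusted Publishers so Authenticode policy accepts this publisher without prompting.
$derFile = Join-Path $env:TEMP 'mydriver-signing.cer'
Export-Certificate -Cert $cert -FilePath $derFile | Out-Null
Import-Certificate -FilePath $derFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $derFile -CertStoreLocation 'Cert:\LocalMachine\TrustedPublisher' | Out-Null

# 4. Checks before rebooting: the file's signature now chains to a trusted root ...
$sig = Get-AuthenticodeSignature -FilePath $DriverPath
"Signature status: $($sig.Status) by $($sig.SignerCertificate.Subject)"

#    ... Test Mode has not been turned on as a side effect (the whole point of the question) ...
$testSigning = (bcdedit /enum '{current}' | Select-String -Pattern '^testsigning').Line
"testsigning setting: $(if ($testSigning) { $testSigning } else { 'not set (Test Mode off)' })"

#    ... and whether Secure Boot is on, which decides if the firmware db step still applies.
try   { "Secure Boot enabled: $(Confirm-SecureBootUEFI)" }
catch { 'Secure Boot state unavailable (legacy BIOS boot or cmdlet unsupported on this platform)' }
```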