none
Driver support on SecureBoot enabled Windows server 2016 & 2019 RRS feed

  • Question

  • We have a hardware device for which the driver must be prepared to be supported on a SecureBoot enabled windows 2016 and 2019 server.  Based on our initial investigation, having our driver attestation signed with EV code signing is sufficient.  However, we have also come across Microsoft online document, which indicates that for 2016 & 2019 servers, we need to participate in Hardlare compatibility program starting with HLK log submission.  We're trying to get an official statement on what is the minimal requirement for us to support SecureBoot enabled 2016 & 2019 windows server.  We're not planning to include our driver as part of regular Microsoft windows update patches.  We will be managing the driver update on our customer's servers through our channels.  Also, we're not required to have our driver/device included in Microsoft Hardware compatibility list.  We have already done appropriate testing to ensure that our attestation signed driver is loaded and functioning correctly on today's 2016 and 2019 server.  Our concern is whether our driver will stop loading in the future because Microsoft decides to enforce certain policy.

    A post on GitHub by a Microsoft representative indicates that the policy documented on Microsoft sites does not reflect how SecureBoot windows 2016 & 2019 support policy is implemented on 2016 & 2019 server.  I can share the URL, if necessary as this post does not allow for a URL.

    Wednesday, June 5, 2019 2:31 PM