Summary
The /INTEGRITYCHECK linker option provides Windows kernel digital signature verification for user mode Portable Executables (PE) files. This linker option is required for anti-malware and anti-cheat scenarios to register components with the Windows Security Center.
You must sign IntegrityCheck-linked user mode PEs using Trusted Signing (formerly Azure Code Signing). The cross-signing program is deprecated and new signing certificates will not be issued. Windows will continue to trust the existing binaries signed by the cross-signing program.
Compatibility
Microsoft first introduced the signing requirement for user mode PEs in Windows 11, version 21H2. These changes were serviced to the supported Windows client and Windows server products through Windows Update. All versions of Windows 11 natively support Trusted Signing for user mode PE files. Support for Trusted Signing was made available in other client and server products starting with the releases listed below.
NOTE The updates that are listed in the following table can be expired or withdrawn for a specific reason. We recommend that you apply the latest version of update available as the updates are cumulative and include all earlier updates.
|
Product |
KB number |
Release date |
Updates history page |
|
Windows Server 2022 |
5005619 or a later update |
September 27, 2021 |
|
|
Windows 10, version 2004 Windows 10, version 20H2 Windows 10, version 21H1 |
5005611 or a later update |
September 30, 2021 |
Updates for Windows 10, version 2004 and Windows Server, version 2004 Updates for Windows 10, version 20H2 and Windows Server, version 20H2 |
|
Windows 10, version 1909 |
5005624 or a later update |
September 21, 2021 |
Updates for Windows 10, version 1909 and Windows Server, version 1909 |
|
Windows 10, version 1809 Windows Server 2019 |
5005625 or a later update |
September 21, 2021 |
Updates for Windows 10, version 1809 and Windows Server 2019 |
|
Windows 10, version 1607 Windows Server 2016 |
5006669 or a later update |
October 12, 2021 |
|
|
Windows 10, version 1507 |
5006675 or a later update |
October 12, 2021 |
|
|
Windows 8.1 Windows Server 2012 R2 |
5006714 (Monthly rollup) or a later update 5006729 (Security-only update) or a later update |
October 12, 2021 |
|
|
Windows Server 2012 |
5006739 (Monthly rollup) or a later update 5006732 (Security-only update) or a later update |
October 12, 2021 |
|
|
Windows 7.0 SP1 Windows Server 2008 R2 |
5006743 (Monthly rollup) or a later update 5006728 (Security-only update) or a later update |
October 12, 2021 |
|
|
Windows Server 2008 SP2 |
5006736 (Monthly rollup) or a later update 5006715 (Security-only update) or a later update |
October 12, 2021 |
NOTE To correctly verify modules signed by Trusted Signing, computers are required to have the "Microsoft Identity Verification Root Certificate Authority 2020" certificate authority (CA) installed. By default, root certificates are installed automatically if the computer is connected to the Internet. If the "automatic root certificates update" setting is disabled or the computer is offline, you must install this root certificate into the certificate store of "Local Computer" under "Trusted Root Certification Authorities". To download the certificate, see PKI Repository - Microsoft PKI Services.
