Support policy for third-party, kernel-level software that is signed by using the attestation process in Windows

Applies to: Windows Server 2019, all editions; Windows Server 2016

Summary


This article describes the support that the Microsoft Windows Server Support organization provides for Microsoft software products, such as the Windows Server operating system (all versions), when you run that Microsoft product together with attestation-signed kernel-level drivers and any associated physical adapter, controller, or other device or application.

Note The attestation signing process for a third-party, kernel-level driver does not require that the driver vendor provide test results in order to obtain a driver signature from Microsoft. For more information, see Attestation signing a kernel driver for public release.

More information


Except as described in this article, Microsoft Windows Server Support does not support software that has kernel-level drivers that are attestation-signed. Additionally, Microsoft does not support any physical device, filter driver, or application that is associated with that software. 

Microsoft supports drivers for physical devices, filters, and applications that are tested by using the test kit that is appropriate for the version of the Windows Server operating system for which the driver was submitted and then either signed or certified by Microsoft.

If a customer-reported problem is thought to be caused by an attestation-signed kernel driver, Microsoft Support engineers may try to determine the origin of the driver by asking whether any drivers have been recently updated.

This can be determined by checking the Setupapi.dev.log file that is located at %SystemRoot%\inf.

If any drivers were recently installed, they can be examined to learn whether they were tested and submitted for signature or were signed by using the attestation process. 
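The log check described above can be scripted. The following PowerShell is an added example, not part of the original article: the function name Get-RecentDriverInstall, the 30-day default window, and the sample log lines are assumptions made for illustration. It reads the section headers and "Section start" timestamps that Setupapi.dev.log writes for each install operation and returns the sections that began inside the look-back window.

```powershell
function Get-RecentDriverInstall {
    param(
        [Parameter(Mandatory)][string[]]$Line,  # lines of Setupapi.dev.log
        [int]$Days = 30,                        # assumed look-back window
        [datetime]$Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$Days)
    $title  = $null
    foreach ($l in $Line) {
        if ($l -match '^>>>\s+\[(?<title>.+)\]\s*$') {
            # Section header, for example "[Device Install (...) - <device or INF>]"
            $title = $Matches.title
        }
        elseif ($title -and
                $l -match '^>>>\s+Section start (?<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})') {
            $start = [datetime]::ParseExact($Matches.ts, 'yyyy/MM/dd HH:mm:ss.fff',
                         [cultureinfo]::InvariantCulture)
            if ($start -ge $cutoff) {
                [pscustomobject]@{ Started = $start; Section = $title }
            }
            $title = $null
        }
    }
}

# Constructed sample in the log's section layout (not taken from a real system).
$sample = @'
>>>  [Device Install (Hardware initiated) - PCI\VEN_0000&DEV_0000]
>>>  Section start 2019/03/02 08:15:10.120
<<<  Section end 2019/03/02 08:15:12.480
<<<  [Exit status: SUCCESS]
>>>  [Setup Import Driver Package - C:\Temp\example\example.inf]
>>>  Section start 2019/10/21 14:02:55.731
<<<  Section end 2019/10/21 14:02:57.004
<<<  [Exit status: SUCCESS]
'@ -split "\r?\n"

# Only the second section falls inside the 30 days before the fixed reference date.
Get-RecentDriverInstall -Line $sample -Now ([datetime]'2019-10-30')

# On a live system:
# Get-RecentDriverInstall -Line (Get-Content "$env:SystemRoot\inf\setupapi.dev.log")
```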

Microsoft Support engineers may also check either the Windows Server Catalog or the Windows Compatible Products List to determine whether the device and driver were tested, submitted, and certified or signed recently. You can do this by searching for the Vendor Name value in the Windows Compatible Products List, and entering an asterisk in the Product Name field. For example, see the following screenshot.

Windows Compatible Products List

The "Certifications" column indicates the Windows or Windows Server operating system versions, editions, and processor platforms for which the product was tested and submitted.

Note The same information is available in the Verification Report. 

You can also use Windows Server Catalog to check whether a product is using a driver that was recently tested, submitted, and signed. To do this, use the Search functionality in Windows Server Catalog for the Product Name, Driver Name, or Vendor Name.

Windows server catalog

Note A driver may be listed as Signature Only. This indicates that the device or driver had no matching defined Product Type. However, the requirements that do apply to that product were validated by the tests in the relevant kit, and the driver was submitted.

A driver may have been signed by using the attestation process as part of the following scenario:

  • The driver may have been previously tested, and the results submitted for certification or signature. Support may check the sources in the previous section to verify that information.
  • The vendor may have had to provide a hotfixed version of the driver immediately to a customer to mitigate or fix a serious problem for that customer.
  • The vendor may not have been able to take the time to run the full test list that is mandated for that Product type. This is because such a test can take days or even weeks to complete. Therefore, the vendor used the attestation process to provide some relief for that customer. 

    Note In this case, the likelihood is low that a single hotfix introduced a regression that caused an additional issue with regard to security, reliability, or compatibility.

In this scenario, the driver should be considered as being fully tested and supported.

Support policy

A vendor may have an established support relationship with Microsoft for either of the following reasons:

  • The vendor is a TSANet member and uses the TSANet process and path.
  • The vendor has a Premier-level support contract.

For Microsoft customers who have Premier-level support and have Windows Server systems that are running attestation-signed kernel-level drivers from a vendor with which Microsoft has an established support relationship, Microsoft will coordinate with the vendor to jointly investigate support issues.

As part of the investigation, Microsoft will determine whether there are Test Kit results for the kit that is associated with that version of the Windows Server operating system that were submitted in the recent past for the kernel-level driver that is determined to be currently attestation-signed. In this context, the “recent past” is a period of no more than two or three months. This is based on the average time between tested submissions for products that use drivers.

For Microsoft customers who have Premier-level support and have Windows Server systems that are running attestation-signed kernel-level drivers from a vendor with which Microsoft does not have an established support relationship, Microsoft will investigate potential issues that affect Microsoft software as follows:

  • If the driver is certified or was signed in the recent past because of a previous tested submission, Microsoft will support Microsoft products as if the vendor product and kernel-level driver and associated physical product or application are still certified based on full test results.
  • If the driver has not been certified or signed in the recent past because of a previous tested submission, the Premier-level customer will be directed to contact the vendor that provided the attestation-signed kernel-level driver for any further support. 

Regardless of the support relationship between Microsoft and the vendor that is providing the attestation-signed driver, the vendor that provides the kernel driver is ultimately responsible for supporting the product and driver.

How to determine whether a driver is attestation-signed

In the %SystemRoot%\system32\drivers directory, right-click the name of the driver file in question, and then select Properties from the drop-down list.

Select the Digital Signatures tab.

Select the Microsoft entry in the Signature list, and then select the Details button.

In the Digital Signature Details window, select the Advanced tab.

Select the View Certificate button.

In the Certificate window, select the Details tab.

In the resulting list box, scroll down to the Enhanced Key Usage row.

If the text in that row includes Windows Hardware Driver Attested Verification, the driver was attestation-signed.
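
The same check can be run across the whole drivers directory from PowerShell. This is an added example, not part of the original article or a Microsoft tool: the function name Get-DriverAttestationStatus is hypothetical, and the script identifies the Windows Hardware Driver Attested Verification usage by its OID, 1.3.6.1.4.1.311.10.3.5.1, on the signer certificate that Get-AuthenticodeSignature returns.

```powershell
# OID of the "Windows Hardware Driver Attested Verification" enhanced key usage.
$AttestedEkuOid = '1.3.6.1.4.1.311.10.3.5.1'

function Get-DriverAttestationStatus {
    param(
        [string]$Directory = (Join-Path $env:SystemRoot 'System32\drivers')
    )
    Get-ChildItem -LiteralPath $Directory -Filter *.sys -File | ForEach-Object {
        $file = $_
        # Get-AuthenticodeSignature reports one signature per file. If the
        # Digital Signatures tab lists several entries, confirm the Microsoft
        # entry by hand as described in the steps above.
        $sig  = Get-AuthenticodeSignature -LiteralPath $file.FullName
        $cert = $sig.SignerCertificate

        # Collect the EKU OIDs from the signer (leaf) certificate, the same
        # certificate that the View Certificate button opens.
        $ekuOids = @()
        if ($cert) {
            $ekuOids = @($cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
                ForEach-Object { $_.EnhancedKeyUsages } |
                ForEach-Object { $_.Value })
        }

        [pscustomobject]@{
            Driver            = $file.Name
            LastWriteTime     = $file.LastWriteTime
            Status            = $sig.Status
            Signer            = if ($cert) { $cert.Subject } else { $null }
            AttestationSigned = $ekuOids -contains $AttestedEkuOid
        }
    }
}

# List attestation-signed drivers, most recently written first.
Get-DriverAttestationStatus |
    Where-Object AttestationSigned |
    Sort-Object LastWriteTime -Descending |
    Format-Table Driver, LastWriteTime, Status, Signer -AutoSize
```

Sorting by LastWriteTime puts recently replaced driver files at the top, which helps when correlating against the install times recorded in Setupapi.dev.log.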