If you want to load a kernel driver on a current consumer Windows install — Windows 10 1607 or later, or any version of Windows 11 — Microsoft has to sign it first. Not "Microsoft has to trust the cert"; not "you can self-sign with an EV cert and ship it." Microsoft itself, on the Microsoft signing infrastructure, has to put a counter-signature on your driver before the OS will load it without complaint.
Most engineers learn this the hard way the first time they try to ship a kernel driver outside a corporate dev fleet. The infrastructure is well-documented but procedurally heavy, and the path looks intimidating before you've walked it. This post is the map. It also explains why this gauntlet is the actual moat protecting any kernel-resident interview tool, and why "we'll just ship a driver too" is not the threat to FaangCoder it sounds like.
Key takeaways
- Windows 10 (1607+) and Windows 11 require Microsoft-signed kernel drivers. Self-signed drivers, third-party CA-signed drivers, and pre-1607 cross-signed drivers all fail to load by default. Microsoft documents the policy on the kernel-mode code signing requirements page.
- The path to a Microsoft signature has two routes: WHQL (Windows Hardware Quality Labs — full HLK test pass, public driver catalog) and attestation (no test pass, no catalog distribution, signed for OEM/enterprise scenarios). Both require an EV code-signing certificate and a Hardware Dev Center account.
- The economic and process cost of getting a driver signed is the structural moat for kernel-resident stealth tools. EV cert ($300-$700/year), an organizational identity Microsoft can verify, and a signing pipeline that tolerates Patch-Tuesday-grade churn — all together push the floor of "ships a kernel driver" multiple orders of magnitude above "ships a user-mode app."
Why kernel drivers need a Microsoft signature at all
Pre-Vista, anyone who could write a kernel driver could load one. Post-Vista (x64), Microsoft introduced Driver Signature Enforcement (DSE) — the kernel refused to load drivers that weren't signed by a trusted Authenticode certificate.
That worked for a few years until Microsoft watched the malware ecosystem absorb the change. Bad actors bought commercial code-signing certs, used them to sign rootkits, and the OS happily loaded them. So in Windows 10 1607 (the Anniversary Update, August 2016), Microsoft tightened the policy: as of that build, new kernel drivers had to be signed by Microsoft itself, not just by an Authenticode-trusted CA.
The official policy lives on the kernel-mode code signing requirements page. The summary:
- Drivers signed before 2015-07-29 by a cross-signed Authenticode cert are grandfathered. They still load.
- Drivers signed after 2015-07-29 with anything other than a Microsoft signature will not load on Windows 10 1607+ unless DSE is disabled (which requires Secure Boot off, which in turn fails Windows 11 install requirements).
- Drivers signed by Microsoft via the Hardware Dev Center submission flow load without complaint.
The grandfather clause matters in practice — a few legacy security products still ship pre-2015 drivers — but it's a closed window. Anything new in 2026 takes the Microsoft route.
The two roads: WHQL and attestation
Microsoft signs drivers through two distinct programs. Both are documented in the Hardware Dev Center submission overview.
WHQL signing — Windows Hardware Quality Labs — is the full ride. You build the driver, run it through the Windows Hardware Lab Kit (HLK) test suite, package the resulting test report into an .hlkx file, submit it through the Hardware Dev Center, and wait for Microsoft to issue a WHQL-signed catalog (.cat) file. The driver is published to the Windows Update driver catalog and can be distributed to any Windows machine via Windows Update.
Attestation signing is the lighter ride. You build the driver, sign the .cab package with your EV cert, submit it through the same portal, and Microsoft adds a counter-signature without a test pass. The signed driver loads on Windows 10 1607+ but is not distributed via Windows Update — you ship it yourself in your installer. Microsoft documents the attestation submission flow at length.
The trade-off is straightforward:
| Dimension | WHQL | Attestation |
|---|---|---|
| HLK test pass required | Yes | No |
| Catalog distribution | Yes (Windows Update) | No (you ship the driver) |
| Time per submission | Days to weeks | Hours to days |
| Cost per submission | Free (Microsoft side); HLK lab time can be substantial | Free (Microsoft side) |
| Audience | Mass-market hardware drivers | OEM, enterprise, niche commercial drivers |
For a stealth-grade interview tool that ships through a custom installer to individual buyers, attestation signing is the natural path. There's no consumer hardware to certify; there's no need to be in Windows Update; the audience is the candidates the tool sells to.
What you need before submitting anything
The Hardware Dev Center signup page lists the prerequisites. The condensed checklist:
- An EV code-signing certificate. Standard Authenticode certs aren't enough — Microsoft specifically requires Extended Validation. The major issuers (DigiCert, Sectigo, GlobalSign) sell EV certs after a corporate identity verification process that takes 1-3 weeks. Pricing is in the $300-$700/year range, varying by issuer and term.
- A registered Microsoft Partner account linked to the Hardware Dev Center. Free, but it requires the same legal entity name that's on your EV cert.
- An organization Microsoft can identify. The EV process is structured around verifying a registered business — sole proprietorships sometimes work, but the fastest path is an LLC or corporation with documented existence.
- A driver that's actually signable. Some old constructs — undocumented kernel APIs, certain PatchGuard interactions, drivers that try to disable code-integrity checks — will be rejected at the static-analysis stage of submission. The portal runs
signtool verifyand a battery of inf-validator and Driver Verifier checks before the package even reaches a human.
The first time through, the org-verification phase is the bottleneck. EV cert issuance involves notarized documents, DUNS verification, sometimes a phone callback to an officer of the company. Plan three to six weeks for the first cert. After that, renewals run faster.
The submission mechanics
Once you have the EV cert and the Hardware Dev Center account:
- Build a release-quality driver package. That's the
.sysfile plus an INF file describing how it installs, plus any related files, packaged into a CAB. Microsoft's WDK toolchain handles the packaging. - Sign the CAB with your EV cert using
signtool. The signature on the CAB is what Microsoft verifies before counter-signing. - For attestation: upload the signed CAB through the Dev Center "Submit new hardware" flow, classify it as a software-only attestation submission, attest to a small set of statements about the driver (no DRM bypasses, no hidden behaviors of certain regulated kinds), and submit.
- For WHQL: run the HLK against your driver on every Windows version you want signing for, package the test report as an HLKX file, attach it to the submission, and submit.
- Microsoft's signing infrastructure processes the submission, runs static analysis, runs the driver against its own internal validation harness, and either issues a counter-signed driver package or returns errors. Attestation typically lands in hours; WHQL takes days to weeks depending on queue depth.
- Download the signed package, ship it in your installer.
The signed driver is now valid to install via the standard driver-install path on any Windows 10 1607+ or Windows 11 machine, with no DSE bypass and no test-mode toggle.
Where the moat actually lives
A naive read of the above says: "OK, an EV cert is $500, Microsoft attestation is free, my engineering team knows kernel work — what's the barrier?"
The barrier is not the steady-state cost. It's the cumulative friction of operating a kernel-driver business that has to keep working across Windows updates, threat-landscape changes, and Microsoft's evolving driver policy.
Patch-Tuesday churn. Microsoft ships kernel updates monthly. Some of them break drivers. WDDM 3.x introduced GPU partitioning (covered in the WDDM design guide) that changed how some display-pipeline drivers see the world. The PatchGuard rules tighten over time. A team that ships a kernel driver has to test, every month, against the new builds and re-sign when behavior changes. Miss a cycle and your customer base hits a brick wall the next time they update.
WHCP requirements ratchet up. The Windows Hardware Compatibility Program periodically tightens the requirements drivers have to meet. New API constructs become required; old ones get deprecated. Drivers that work today on the WHCP version they were submitted under may fail re-submission a year later if they haven't kept up.
Microsoft's Vulnerable Driver Block List. Microsoft maintains a list of drivers blocked from loading due to known vulnerabilities. The list is enforced by Smart App Control and HVCI on Windows 11. A driver that ends up on this list — say, because a vulnerability is found and a security researcher publishes a writeup — is effectively dead until the vendor ships a patched version through a new submission. The CrowdStrike incident of 2024 brought this pipeline into public view.
Anti-cheat stack co-evolution. If your driver does anything that touches the same APIs commercial anti-cheat hooks (BattlEye, EAC, Vanguard), expect those vendors to actively look for you. Vanguard especially treats any unrecognized driver loading alongside a protected game as a hostile signal. A stealth-grade interview tool needs to coexist with that.
Customer support load. Kernel drivers fail in ways user-mode apps don't. A bad install bricks a boot. A bad interaction with the user's antivirus causes a Smart App Control popup that the customer treats as malware. The support cost per customer climbs because the surface area is wider.
A team that genuinely ships a kernel driver has to internalize all of this. The first signed driver is the easy part. Operating it for years is what costs.
Why this is the moat for stealth-tier interview tools
Every consumer AI interview tool in the public market in 2026 — Interview Coder, UltraCode, LockedIn, Cluely, the rest — sits in user mode. The reason isn't that they don't know about kernel drivers. The reason is that the operational load above is incompatible with the business they're running.
Most of these tools were funded as quick AI plays — UI work, a hotkey, a model API integration. Six engineers, twelve months, looking for the launch. None of that team's experience is Windows kernel work. None of the runway is set up to absorb three months of EV-cert acquisition plus another three months of HLK iteration plus a recurring monthly Patch-Tuesday tax. The math doesn't pencil unless the founding bet is "we are a Windows kernel engineering company that happens to make an AI overlay."
That bet is what FaangCoder is. It's also why the four stealth layers we ship — display-pipeline filtering, process concealment, window-enumeration blocking, detection-query spoofing — are not architecture choices a competitor ports in a quarter. The driver is signable, the EV cert is in place, the HLK pipeline is wired up, the Patch Tuesday discipline is the team's monthly rhythm. The output is a kernel-resident overlay; the moat is the multi-year infrastructure that produces it month after month.
For the architectural details of what the kernel driver actually does, see our four stealth layers tour. For the input-side counterpart — pulling problem text and code from process memory rather than re-rendering it — see memory read versus screen-capture OCR.
FAQ
Can I disable Driver Signature Enforcement and load an unsigned driver? On Windows 10/11 you can boot into "Disable driver signature enforcement" mode (F8 boot menu, then advanced startup), which lets unsigned drivers load for that session. It's a developer mode, not a deployment mode — Secure Boot has to be off, BitLocker complains, and the next reboot reverts. No serious product distributes drivers this way.
Does test signing count as a Microsoft signature?
No. Test signing uses Microsoft's test root CA and only loads on machines with test signing enabled (bcdedit /set testsigning on). Useful in development, never used in production.
Does an EV code-signing cert alone let me sign a driver? For user-mode binaries, yes — an EV cert from a trusted CA is enough Authenticode trust. For kernel drivers on Windows 10 1607+, the EV signature is necessary (it's what gates Hardware Dev Center submission) but not sufficient — you still need Microsoft's counter-signature obtained through that submission.
How long does the first attestation submission take end-to-end? Realistically 6-12 weeks from a standing start. EV cert issuance: 2-4 weeks. Hardware Dev Center account setup tied to the same legal entity: 1-2 weeks. First package iteration through static-analysis errors: 1-3 weeks. Final attestation processing once the package is clean: hours to days. Subsequent submissions are much faster — days, not months — once the org infrastructure is in place.
What about Linux distribution kernel drivers? Doesn't this discriminate against open source? Microsoft's policy applies to Windows. The structural concern — that a kernel driver is a high-privilege piece of code from an unknown publisher — is solved differently on Linux (signed-modules with the distribution's keys, sometimes vendor keys enrolled in Secure Boot via MOK). The economics are different, the trust model is different, but a kernel-resident product on either OS faces some equivalent of "an entity has to vouch for this binary before the system loads it."
If I already have a WHQL-signed driver, do I still need attestation? No. WHQL is strictly stronger — anything WHQL-signed is loadable in every context an attestation-signed driver loads in, plus it's distributable through Windows Update. Attestation exists for vendors who don't want or need WUF distribution.
For the broader stealth architecture this driver enables, see the four stealth layers. For the user-mode-flag approach competitors take and why it isn't enough, see the Windows stealth setup guide.
FaangCoder ships the kernel-resident path described above. $399 lifetime, $199 monthly — single product, both plans ship the full kernel-resident stack.