Except as described in this article, Microsoft Windows Server Support does not support software that has kernel-level drivers that are attestation-signed. Additionally, Microsoft does not support any physical device, filter driver, or application that is associated with that software.
Microsoft supports drivers for physical devices, filters, and applications that are tested by using the test kit that is appropriate for the version of the Windows Server operating system for which the driver was submitted and then either signed or certified by Microsoft.
If a customer-reported problem is thought to be caused by an attestation-signed kernel driver, Microsoft Support engineers may try to determine the origin of the driver by asking whether any drivers have been recently updated.
This can be determined by checking the Setupapi.dev.log file that is located at %SystemRoot%\inf.
If any drivers were recently installed, they can be examined to learn whether they were tested and submitted for signature or were signed by using the attestation process.
Microsoft Support Engineer may also check either the Windows Server Catalog or the Windows Compatible Products List to determine whether the device and driver were tested, submitted, and certified or signed recently. You can do this by searching for the Vendor Name value in the Windows Compatible Products List, and entering an asterisk in the Product Name field. For example, see the following screenshot.
The "Certifications" column indicates the Windows or Windows Server operating system versions, editions, and processor platforms for which the product was tested and submitted.
Note The same information is available in the Verification Report.
You can also use Windows Server Catalog to check whether a product is using a driver that was recently tested, submitted, and signed. To do this, use the Search functionality in Windows Server Catalog for the Product Name, Driver Name, or Vendor Name.
Note A driver may be listed as Signature Only. This indicates that the device or driver had no matching defined Product Type. However, the requirements that do apply to that product were validated by the tests in the relevant kit, and the driver was submitted.
A driver may have been signed by using the attestation process as part of the following scenario:
- The driver may have been previously tested, and the results submitted for certification or signature. Support may check the sources in the previous section to verify that information.
- The vendor may have had to provide a hotfixed version of the driver immediately to a customer to mitigate or fix a serious problem for that customer.
- The vendor may not have been able to take the time to run the full test list that is mandated for that Product type. This is because such a test can take days or even weeks to complete. Therefore, the vendor used the attestation process to provide some relief for that customer.
Note In this case, the likelihood is low that a regression occurred from a single hotfix that caused some additional issue in regards to security, reliability, or compatibility.
In this scenario, the driver should be considered as being fully tested and supported.
Support policy
A vendor may have an established support relationship with Microsoft for either of the following reasons:
- The vendor is a TSANet member and uses the TSANet process and path.
- The vendor has a Premier-level support contract.
For Microsoft customers who have Premier-level support and have Windows Server systems that are running attestation-signed kernel-level drivers from a vendor with which Microsoft has an established support relationship, Microsoft will coordinate with the vendor to jointly investigate support issues.
As part of the investigation, Microsoft will determine whether there are Test Kit results for the kit that is associated with that version of the Windows Server operating system that were submitted in the recent past for the kernel-level driver that is determined to be currently attestation-signed. In this context, the “recent past” is a period of no more than two or three months. This is based on the average time between tested submissions for products that use drivers.
For Microsoft customers who have Premier-level support and have Windows Server systems that are running attestation-signed kernel-level drivers from a vendor with which Microsoft does not have an established support relationship, Microsoft will investigate potential issues that affect Microsoft software as follows:
- If the driver is certified or was signed in the recent past because of a previous tested submission, Microsoft will support Microsoft products as if the vendor product and kernel-level driver and associated physical product or application are still certified based on full test results.
- If the driver has not been certified or signed in the recent past because of a previous tested submission, the Premier-level customer will be directed to contact the vendor that provided the attestation-signed kernel-level driver for any further support.
Regardless of the support relationship between Microsoft and the vendor that is providing the attestation-signed driver, the vendor that provides the kernel driver is ultimately responsible for supporting the product and driver.
How to determine whether a driver is attestation-signed
In the %SystemRoot%\system32\drivers directory, right-click the driver file name in question. Select and click on Properties from the drop-down list.
Select the Digital Signatures tab.
Select the Microsoft entry in the Signature list, and then select the Details button.
In the Digital Signature Details window, select the Advanced tab.
Select the View Certificate button.
In the Certificate window, select the Details tab.
In the resulting list box, scroll down to the Enhanced Key Usage row.
If the text in that row includes Windows Hardware Driver Attested Verification, the driver was attestation-signed.