Option 2 — Required (Windows Hardware Quality Labs Certification)#

Table of Contents#

What It Does
Why It Exists
Visual Anatomy — Policy Evaluation Stack
How to Set It (PowerShell)
XML Representation
Interaction with Other Options
When to Enable vs Disable
Real-World Scenario — End-to-End Walkthrough
What Happens If You Get It Wrong
Valid for Supplemental Policies?
OS Version Requirements
Summary Table

1. What It Does#

Required:WHQL tightens the kernel-mode driver signing standard from the broader Microsoft-signed requirement to the stricter Windows Hardware Quality Labs (WHQL) certification standard. By default, WDAC (and Windows Driver Signing policy in general) allows any kernel-mode driver that carries a valid Microsoft signature — including drivers cross-signed by third-party Certificate Authorities under the legacy cross-signing program. When Required:WHQL is enabled, that broader acceptance is revoked: only drivers that have been formally submitted to, tested by, and signed through the Windows Hardware Developer Center (WHDC) portal and the Hardware Lab Kit (HLK) certification pipeline are permitted to load. This effectively eliminates legacy cross-signed drivers and imposes a strict quality and security gate at the kernel boundary. Every kernel driver loading on the machine must carry an authentic Microsoft WHQL signature to pass the Code Integrity check.

2. Why It Exists#

The Driver Supply-Chain Problem#

Kernel-mode drivers operate at the highest privilege level in Windows — Ring 0. A malicious or compromised driver can read any memory, disable security software, intercept system calls, and persist invisibly across reboots. The kernel attack surface is the primary target for:

BYOVD (Bring Your Own Vulnerable Driver) attacks — Attackers package legitimate but vulnerable signed drivers and exploit them to escalate privileges or kill EDR/AV processes.
Kernel-mode rootkits — Malware that signs drivers through stolen or fraudulently obtained certificates and abuses the legacy cross-signing pathway.
Driver-based persistence — Implants that survive OS reinstalls by hiding in driver storage.

Why the Legacy Cross-Signing System Is a Risk#

Before 2015, Microsoft allowed hardware vendors to sign their own drivers with certificates issued by trusted third-party CAs (Symantec, DigiCert, etc.) without submitting to WHQL testing. This “cross-signed” driver model had two problems:

No quality gate. Cross-signed drivers were not tested by Microsoft’s HLK suite. Vendors could ship unstable, insecure, or intentionally malicious drivers and they would load on Windows.
Certificate theft/abuse. Malware authors obtained (or stole) valid cross-signing certificates and used them to legitimately sign rootkits and BYOVD payloads.

Microsoft deprecated new cross-signed drivers for 64-bit Windows 10+ in 2015, requiring WHQL submission for new drivers. However, pre-existing cross-signed drivers grandfathered under the old system remain trusted by default. Required:WHQL revokes that grandfather clause for the machines where it is deployed.

WHQL Security Properties#

1
flowchart TD
2
    classDef secure fill:#0d1f12,color:#86efac,stroke:#166534
3
    classDef weak fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
4
    classDef neutral fill:#162032,color:#58a6ff,stroke:#1e3a5f
5

6
    subgraph WHQL_Certified["WHQL Certified Driver"]
7
        direction TB
8
        A1([Submitted to WHDC portal]):::secure
9
        A2([Tested against HLK suite]):::secure
10
        A3([Microsoft reviews submission]):::secure
11
        A4([Signed with Microsoft WHQL\ncertificate chain]):::secure
12
        A5([Listed in Windows Update catalog]):::secure
13
        A1 --> A2 --> A3 --> A4 --> A5
14
    end
15

16
    subgraph Legacy_Cross["Legacy Cross-Signed Driver"])"]
17
        direction TB
18
        B1([Vendor self-signs]):::weak
19
        B2([No HLK testing required]):::weak
20
        B3([No Microsoft review]):::weak
21
        B4([Signed by third-party CA\nunder cross-sign program]):::weak
22
        B5([Not in WHDC catalog]):::weak
23
        B1 --> B2 --> B3 --> B4 --> B5
24
    end

3. Visual Anatomy — Policy Evaluation Stack#

1
flowchart TD
2
    classDef kernel fill:#162032,color:#58a6ff,stroke:#1e3a5f
3
    classDef option fill:#1a1a0d,color:#fde68a,stroke:#713f12
4
    classDef allow fill:#0d1f12,color:#86efac,stroke:#166534
5
    classDef block fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
6
    classDef neutral fill:#1c1c2e,color:#a5b4fc,stroke:#3730a3
7

8
    A([Driver Load Request\nfrom OS or Service]) --> B[Kernel Code Integrity\nCI.dll]:::kernel
9
    B --> C{Is driver a\nkernel-mode binary?}
10
    C -- No --> D([User-mode check\nsee Option 0 UMCI]):::neutral
11
    C -- Yes --> E{Option 2\nRequired:WHQL\nenabled?}:::option
12

13
    E -- No --> F{Driver has any valid\nMicrosoft signature?}
14
    F -- Yes WHQL or cross-signed --> G([Driver loads]):::allow
15
    F -- No --> H([Driver blocked]):::block
16

17
    E -- Yes --> I{Driver has WHQL\ncertification signature?}:::kernel
18
    I -- Yes --> J{Signature chain leads\nto Microsoft WHQL root?}
19
    J -- Yes --> K([Driver loads]):::allow
20
    J -- No --> L([Driver blocked\nEvent ID 3082]):::block
21
    I -- No --> M{Is it a cross-signed\nlegacy driver?}
22
    M -- Yes --> N([BLOCKED — legacy\ncross-sign rejected]):::block
23
    M -- No, unsigned --> O([BLOCKED — unsigned\ndriver rejected]):::block

Driver Signing Hierarchy#

1
flowchart LR
2
    classDef kernel fill:#162032,color:#58a6ff,stroke:#1e3a5f
3
    classDef allow fill:#0d1f12,color:#86efac,stroke:#166534
4
    classDef block fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
5
    classDef option fill:#1a1a0d,color:#fde68a,stroke:#713f12
6

7
    MSRoot([Microsoft Root CA]) --> WHQL_CA([Microsoft WHQL\nCode Signing CA]):::allow
8
    MSRoot --> CrossSign_CA([Third-Party CA\nCross-Sign])
9

10
    WHQL_CA --> WHQL_Driver([WHQL Certified Driver\nAllowed by Option 2]):::allow
11
    CrossSign_CA --> Legacy_Driver([Legacy Cross-Signed Driver\nBLOCKED by Option 2]):::block
12
    CrossSign_CA --> Stolen_Cert([Stolen/Abused Cert\nBLOCKED by Option 2]):::block
13

14
    Unsigned([Unsigned Driver\nBLOCKED by any WDAC]):::block
15

16
    WHQL_Driver --> Kernel([Kernel]):::kernel
17
    Legacy_Driver -.->|"Blocked at CI gate"| Kernel
18
    Stolen_Cert -.->|"Blocked at CI gate"| Kernel
19
    Unsigned -.->|"Blocked at CI gate"| Kernel

4. How to Set It (PowerShell)#

Enable WHQL Requirement#

1
# Require WHQL certification for all kernel drivers
2
Set-RuleOption -FilePath "C:\Policies\MyBasePolicy.xml" -Option 2

Remove WHQL Requirement (Revert to Any Microsoft-Signed)#

1
# Allow any Microsoft-signed driver (including cross-signed legacy)
2
Set-RuleOption -FilePath "C:\Policies\MyBasePolicy.xml" -Option 2 -Delete

Audit Drivers Before Enabling WHQL Requirement#

1
# Find all currently loaded drivers and check for WHQL certification
2
$Drivers = Get-WindowsDriver -Online -All | Where-Object { $_.Driver -like "*.sys" }
3

4
foreach ($Driver in $Drivers) {
5
    $SigInfo = Get-AuthenticodeSignature -FilePath "C:\Windows\System32\drivers\$($Driver.OriginalFileName)" -ErrorAction SilentlyContinue
6
    if ($SigInfo) {
7
        [PSCustomObject]@{
8
            Driver    = $Driver.Driver
9
            Status    = $SigInfo.Status
10
            Signer    = $SigInfo.SignerCertificate.Subject
11
            WHQLSigned = $SigInfo.SignerCertificate.Subject -match "Microsoft Windows Hardware Compatibility"
12
        }
13
    }
14
} | Export-Csv "$env:USERPROFILE\Desktop\driver_audit.csv" -NoTypeInformation

Identify Non-WHQL Drivers That Would Be Blocked#

1
# Check for drivers NOT bearing the WHQL certificate chain
2
Get-WinEvent -LogName "Microsoft-Windows-CodeIntegrity/Operational" |
3
    Where-Object { $_.Id -in @(3033, 3034, 3082) } |
4
    Select-Object TimeCreated, Id, Message |
5
    Format-Table -AutoSize

Full Policy Creation with WHQL Enforcement#

1
$PolicyPath = "C:\Policies\WHQL_Enforced.xml"
2

3
# Copy the DefaultWindows base
4
Copy-Item "$env:SystemRoot\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Enforced.xml" $PolicyPath
5

6
# Enable UMCI (Option 0) and WHQL (Option 2)
7
Set-RuleOption -FilePath $PolicyPath -Option 0  # UMCI
8
Set-RuleOption -FilePath $PolicyPath -Option 2  # WHQL
9
Set-RuleOption -FilePath $PolicyPath -Option 3  # Audit mode (safe rollout)
10

11
# Set policy identity
12
Set-CIPolicyIdInfo -FilePath $PolicyPath -PolicyName "Corp WHQL Baseline" -PolicyId (New-Guid).Guid
13

14
# Compile and deploy
15
$BinPath = "C:\Policies\WHQL_Enforced.cip"
16
ConvertFrom-CIPolicy -XmlFilePath $PolicyPath -BinaryFilePath $BinPath
17

18
# Deploy to test systems first
19
Copy-Item $BinPath "C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{<PolicyGUID>}.cip"

5. XML Representation#

Option 2 Enabled in Policy XML#

1
<?xml version="1.0" encoding="utf-8"?>
2
<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">
3

4
  <VersionEx>10.0.0.0</VersionEx>
5
  <PolicyTypeID>{A244370E-44C9-4C06-B551-F6016E563076}</PolicyTypeID>
6
  <PlatformID>{2E07F7E4-194C-4D20-B96C-1498495910E7}</PlatformID>
7

8
  <Rules>
9
    <Rule>
10
      <Option>Enabled:UMCI</Option>
11
    </Rule>
12

13
    <Rule>
14
      <Option>Required:WHQL</Option>
15
    </Rule>
16

17
    <Rule>
18
      <Option>Enabled:Audit Mode</Option>
19
    </Rule>
20
  </Rules>
21

22

23
</SiPolicy>

WHQL Signer Entry (For Reference)#

When allowing WHQL-signed drivers, the policy typically relies on the built-in Microsoft WHQL signers that are pre-defined in the DefaultWindows templates. They appear in the <Signers> section as:

1
<Signers>
2
  <Signer ID="ID_SIGNER_WINDOWS_PRODUCTION" Name="Microsoft Product Root 2010 Windows WHQL">
3
    <CertRoot Type="TBS" Value="..." />
4
    <CertEKU ID="ID_EKU_WINDOWS" />
5
  </Signer>
6
</Signers>

6. Interaction with Other Options#

Option Relationship Matrix#

Option	Name	Relationship with WHQL
0	Enabled	Companion — UMCI extends enforcement to user-mode; WHQL tightens kernel-mode
3	Enabled Mode	Companion during rollout — log blocked non-WHQL drivers before enforcing
4	Disabled Signing	Synergistic — both restrict non-production binaries
6	Enabled System Integrity Policy	Unrelated — affects policy signing, not driver signing
14	Enabled Intelligence	Independent — cloud reputation check for user-mode
16	Enabled Policy No Reboot	Deployment helper — neutral to WHQL

WHQL and UMCI Layered Enforcement#

1
flowchart TD
2
    classDef kernel fill:#162032,color:#58a6ff,stroke:#1e3a5f
3
    classDef usermode fill:#0d1f12,color:#86efac,stroke:#166534
4
    classDef option fill:#1a1a0d,color:#fde68a,stroke:#713f12
5

6
    A([Binary or Driver Execution]) --> B{Kernel-mode?}
7
    B -- Yes --> C["Option 2: Required:WHQL\nKernel enforcement layer"]:::option
8
    C --> D{WHQL cert?}
9
    D -- Yes --> E([Kernel driver loads]):::kernel
10
    D -- No --> F([Kernel driver blocked]):::kernel
11

12
    B -- No --> G["Option 0: Enabled:UMCI\nUser-mode enforcement layer"]:::option
13
    G --> H{Policy allow rule?}
14
    H -- Yes --> I([User binary executes]):::usermode
15
    H -- No --> J([User binary blocked]):::usermode

7. When to Enable vs Disable#

1
flowchart TD
2
    classDef yes fill:#0d1f12,color:#86efac,stroke:#166534
3
    classDef no fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
4
    classDef warn fill:#1a1a0d,color:#fde68a,stroke:#713f12
5
    classDef question fill:#162032,color:#58a6ff,stroke:#1e3a5f
6

7
    Start([Should I enable Option 2 WHQL?]) --> Q1{Are all deployed drivers\nWindows 10-era or newer?}:::question
8
    Q1 -- Yes --> Q2{No legacy hardware\n pre-2015 drivers?}:::question
9
    Q2 -- Yes --> Q3{Is BYOVD defense\na concern?}:::question
10
    Q3 -- Yes --> ENABLE([Enable Required:WHQL\nStrong BYOVD mitigation]):::yes
11
    Q3 -- No --> ENABLE2([Enable Required:WHQL\nGood hygiene regardless]):::yes
12
    Q2 -- No --> AUDIT([Audit first with Option 3\nIdentify legacy driver blockers]):::warn
13
    Q1 -- No --> WARN1([High risk of legacy driver breaks\nAudit extensively before enabling]):::warn
14
    AUDIT --> CHECK{Any legacy drivers\ncritical to operations?}:::question
15
    CHECK -- Yes --> PLAN([Plan legacy driver replacement\nor hardware refresh]):::warn
16
    CHECK -- No --> ENABLE3([Enable Required:WHQL]):::yes
17
    PLAN --> DEFER([Defer Option 2 until\nhardware refreshed]):::no

Decision Reference Table#

Scenario	Recommendation
Modern corporate laptop fleet (post-2019)	Enable WHQL — safe, strong security gain
Legacy manufacturing/OT hardware	Audit first — older industrial drivers may lack WHQL
Domain controller / server	Enable WHQL — critical asset, minimal driver variety
Dev/build machine with custom drivers	Audit first — in-house driver builds need WHQL or exception
BYOVD attack mitigation priority	Enable WHQL — directly addresses BYOVD vector
Printer/scanner heavy environment	Audit first — many legacy printer drivers lack WHQL

8. Real-World Scenario — End-to-End Walkthrough#

Scenario: BYOVD Attack Blocked by WHQL Requirement#

An EDR vendor’s vulnerable driver (RTCore64.sys — a known BYOVD target) is used by an attacker to kill the EDR process. Without Required:WHQL, the driver loads because it has a valid (if old) Microsoft cross-signature. With Required:WHQL, the cross-signed driver is rejected.

1
sequenceDiagram
2
    autonumber
3
    actor Attacker
4
    participant Malware as Malware Process
5
    participant SCM as Service Control Manager
6
    participant KernelCI as Kernel Code Integrity
7
    participant PolicyEng as WDAC Policy Engine
8
    participant EventLog as Windows Event Log
9
    participant EDR as EDR Process
10

11
    Note over Attacker,EDR: WITHOUT Required:WHQL (Default)
12
    Attacker ->> Malware: Execute attack tool with embedded RTCore64.sys
13
    Malware ->> SCM: sc.exe create RTCore64 binPath=RTCore64.sys type=kernel
14
    SCM ->> KernelCI: Request driver load
15
    KernelCI ->> PolicyEng: Check RTCore64.sys signature
16
    PolicyEng -->> KernelCI: Cross-signed by DigiCert — ALLOWED (no WHQL req)
17
    KernelCI -->> SCM: Driver approved
18
    SCM -->> Malware: Driver loaded
19
    Malware ->> EDR: Kill EDR via kernel IOCTL
20
    EDR -->> Attacker: EDR terminated — attack continues undetected
21

22
    Note over Attacker,EDR: WITH Required:WHQL (Option 2 Enabled)
23
    Attacker ->> Malware: Execute attack tool with embedded RTCore64.sys
24
    Malware ->> SCM: sc.exe create RTCore64 binPath=RTCore64.sys type=kernel
25
    SCM ->> KernelCI: Request driver load
26
    KernelCI ->> PolicyEng: Check RTCore64.sys signature
27
    PolicyEng -->> KernelCI: Cross-signed only — WHQL cert MISSING — BLOCK
28
    KernelCI -->> SCM: STATUS_ACCESS_DENIED
29
    SCM -->> Malware: Driver load failed
30
    KernelCI ->> EventLog: Event ID 3082 — non-WHQL driver blocked
31
    EventLog -->> EDR: Alert forwarded to SIEM

WHQL Rollout Sequence#

1
sequenceDiagram
2
    autonumber
3
    actor Admin
4
    participant PolicyXML as Policy XML
5
    participant TestMachines as Test Fleet (10 VMs)
6
    participant AuditLog as CodeIntegrity Event Log
7
    participant DriverStore as Windows Driver Store
8
    participant ProdFleet as Production Fleet (1000 Endpoints)
9

10
    Admin ->> PolicyXML: Set Option 2 + Option 3 (WHQL + Audit)
11
    Admin ->> PolicyXML: ConvertFrom-CIPolicy → audit_whql.cip
12
    Admin ->> TestMachines: Deploy audit_whql.cip via Intune test ring
13
    TestMachines ->> AuditLog: Generate Event 3082 for non-WHQL drivers
14
    Admin ->> AuditLog: Collect and analyze 3082 events
15
    AuditLog -->> Admin: List of 3 non-WHQL drivers found
16
    Admin ->> DriverStore: Check Windows Update catalog for WHQL versions
17
    DriverStore -->> Admin: 2 of 3 have WHQL updates available
18
    Admin ->> PolicyXML: Update driver inventory; update hardware for 1 exception
19
    Admin ->> PolicyXML: Remove Option 3 (Audit) — keep Option 2 (WHQL)
20
    Admin ->> PolicyXML: ConvertFrom-CIPolicy → enforced_whql.cip
21
    Admin ->> ProdFleet: Staged rollout: 100 → 500 → 1000 endpoints
22
    ProdFleet -->> Admin: Zero driver blocks reported — rollout successful

9. What Happens If You Get It Wrong#

Scenario A: Enable WHQL Without Audit Phase#

1
flowchart TD
2
    classDef block fill:#1f0d0d,color:#fca5a5,stroke:#7f1d1d
3
    classDef warn fill:#1a1a0d,color:#fde68a,stroke:#713f12
4

5
    A([Enable WHQL without audit]) --> B[Legacy printer driver blocked]:::block
6
    A --> C[Legacy NIC driver blocked]:::block
7
    A --> D[Third-party security tool driver blocked]:::block
8
    B --> E([Printing disabled across fleet]):::block
9
    C --> F([Network connectivity lost on some endpoints]):::block
10
    D --> G([EDR/AV kernel component non-functional]):::block
11
    E --> H([Helpdesk overwhelmed]):::warn
12
    F --> H
13
    G --> H
14
    H --> I([Emergency policy rollback required]):::warn

Scenario B: Disable WHQL on High-Security Asset#

Consequence	Description	Severity
BYOVD attack surface open	Legacy cross-signed vulnerable drivers loadable	Critical
Rootkit pathway via stolen cert	Cross-sign certs in attacker hands can load kernel code	Critical
Compliance gap	NIST, CIS, ACSC controls may require strict driver signing	High

Misconfig Consequences Summary#

Mistake	Impact	Severity
Skip audit phase	Mass driver blocks, operational outage	High
Assume all vendors have WHQL	Legacy hardware peripheral drivers break	High
Enable WHQL without inventory	Surprise blocks after deployment	Medium-High
Leave WHQL disabled on critical assets	Full kernel BYOVD exposure	Critical
Include legacy drivers in allow rules instead	Policy complexity increases; technical debt	Medium

10. Valid for Supplemental Policies?#

No. Required:WHQL is a kernel-layer enforcement directive that sets the minimum signing standard for all kernel-mode drivers. This is a system-wide policy scope that must be established by the base policy. Supplemental policies operate at a higher abstraction layer — they extend the list of allowed applications, publishers, and hashes. They cannot modify the kernel driver signing standard. The base policy’s WHQL setting is authoritative and cannot be overridden or weakened by a supplemental policy.

11. OS Version Requirements#

Windows Version	WHQL Support Status
Windows 10 1507 (TH1)	Basic WHQL support present
Windows 10 1607+	Full WHQL enforcement via WDAC Option 2
Windows 10 1703+	Required for all new kernel drivers (policy or not)
Windows 11 21H2+	WHQL enforced by default in Secured-core PCs
Windows Server 2016+	Full support
Windows Server 2019+	Recommended; HVCI makes Option 2 tamper-resistant
Windows Server 2022	Secured-core server; WHQL integral to baseline

WHQL Requirement by Default (Regardless of Option 2): From Windows 10, all new kernel-mode drivers submitted to Microsoft must be WHQL-signed via the WHDC portal. Option 2 adds policy-level enforcement, rejecting even grandfathered legacy cross-signed drivers that Windows would otherwise still permit.

12. Summary Table#

Attribute	Value
Rule Option Name	`Required:WHQL`
Rule Option Index	2
Default State	Disabled (cross-signed drivers allowed)
Effect when Enabled	Only WHQL-certified kernel drivers load; cross-signed legacy drivers blocked
Effect when Disabled	Any Microsoft-signed driver loads (including legacy cross-signed)
Valid in Base Policy	Yes
Valid in Supplemental Policy	No
Requires Reboot on Enable	Yes — kernel enforcement change takes effect at next boot
Primary Security Goal	BYOVD attack mitigation; kernel driver supply chain integrity
Primary Risk of Enabling	Legacy hardware driver compatibility breakage
Audit Strategy	Enable Option 3 + Option 2 together; review Event ID 3082
Minimum OS Version	Windows 10 1607 / Server 2016
PowerShell Cmdlet (Enable)	`Set-RuleOption -FilePath <xml> -Option 2`
PowerShell Cmdlet (Disable)	`Set-RuleOption -FilePath <xml> -Option 2 -Delete`
Event ID (Audit/Block)	3082 — Non-WHQL kernel driver blocked
Event Log	`Microsoft-Windows-CodeIntegrity/Operational`
Security Framework Alignment	NIST SP 800-167 (Driver Signing), CIS Control 2.7, ACSC Essential Eight
Key Threat Mitigated	BYOVD, rootkits via legacy cross-signed certificates