Signed ARM64 native printer driver will not install in Windows ARM64 even though Windows x64 driver will install using the same EV certificate

CAS869-1430 5 Reputation points
2025-03-14T18:22:39.2133333+00:00

Moving this Question from Intune Config to Windows Hardware Performance per Crystal's suggestion to see if anyone in the new forum has any guidance.

Also adding that we confirmed the entire certificate chain is in the Trusted stores and imported the EV certificate chain into the Trusted Publisher and Trusted Root Authorities stores on the Surface Pro just to be sure and see if that made any difference. Does anyone have any information on how third party printer drivers, especially for legacy printers, can be supported on ARM64 Surface Pro systems after WHQL stops printer driver signing in a couple of months, Jul-2025. - Thanks.

======== Original question content that was posted initially

We have an older Unidrv printer driver migrated forward to VS2022 converted to native ARM64 driver for use on Surface Pro Windows 11. The migrated driver is installing and working on Windows x64 and installing and working under Test Signing mode on Windows ARM64 without any issues. We have an EV Code signing certificate that we have used for several years on Windows x64 without any problems.

 

During installation on Windows x64 we get the 'Publisher not trusted. Do you still want to install?' dialog that allows the user to say "Yes" to install the driver successfully.

 

The problem we have is that on Windows ARM64 in Regular Mode it will not let us install the driver and exits with the "Printer driver was not installed" Error. The log file shows "publisher of an Authenticode signed catalog has not yet been established as trusted" message.

 

We expect that the Windows ARM64 Add Printer install would behave similarly to Windows x64, but ARM64 will not let us install the printer driver even though it recognizes “The driver has an Authenticode signature.” Instead ARM64 just immediately responds with “Printer Driver was not installed”.

 

Here is the Add Printer selection dialog that shows it recognizes the valid signing;

User's image 

  • Here is the Windows x64 SetupAPI.dev.log showing the 'signed in Authenticode', leading to the 'Do you want to install' dialog and then successful install: User's image
  • Here is the Windows ARM64 SetupAPI.dev.log showing the 'signed in Authenticode', but then resulting in the "Driver package signer is unknown, and Code Integrity is enforced" (Error 0xE0000242) and failure: User's image

Here is the specific Surface Pro target platform we are using in development:

Device Name: DESKTOP - 8571g7;

PROCESSOR : Snapdragon(R) X 10-core X1P64100 @ 340 GHz 342 GHz

Installed RAM : 16.0 GB

System Type: 64 Bit Operating system ARM Based Processor

Edition: Windows 11 Pro with Version as 24H2

 

We checked the Code Integrity event log and it does not have anything related to the printer driver installation. We confirmed the certificate trust chain is present up through the Trusted Root Certification Authorities and also tried importing the certificates just to be sure. We confirmed the Windows ARM64 is not in ‘S’ mode or Protected Print Mode.

 

Other MS forum feedback is that Windows ARM64 intentionally enforces stricter Code Integrity policies than Windows x64, so ARM64 is rejecting the driver outright with error 0xE0000242, even though Windows x64 allows the User to install the Authenticode signed printer driver. The indication is that Windows ARM64 is working as designed, even though the behavior is different from longstanding Windows x64 behavior. It was suggested we try Q&A to see if there is a better answer available.

 

We understand that for a short while longer we can submit to WHQL to get a MS signed release certificate, but according to https://learn.microsoft.com/en-us/windows-hardware/drivers/print/end-of-servicing-plan-for-third-party-printer-drivers-on-windows, WHQL will stop signing third party printer drivers effective Jul-2025 except on a limited case by case basis and later will completely deprecate such release signing support.

 

The Windows article FAQ includes the following along with other items:

Q: Will vendor-supplied drivers be signed by WHCP (Windows Hardware Compatibility Program)?

A: Printer manufacturers can continue to submit printer drivers through the Partner Center hardware tool for driver validation and signing. However, in 2025 new printer drivers will be approved on a case-by-case basis for Windows Update or WHQL signing. Manufacturers and independent software vendors will need to provide customers with an alternative means to download and install those printer drivers.

Q: Will Windows prevent installation of new printer drivers?

A: Windows will continue to allow vendor-supplied printer drivers to be installed via separate installation packages.

 

How do we enable our Authenticode signed printer driver to be installed on Windows ARM64, similar to how Windows x64 behaves?

 

Does anyone have information about if WHQL will no longer sign third party printer drivers and Windows ARM64 refuses to accept third party EV Code signing certificates, how can third party printer drivers be supported on Windows ARM64 as the Windows FAQ says should be possible?

 

One general scenario we are working to support is a convention or event registration desk with stand-alone Surface Pro using a local printer to print attendee registration credentials, identification or other material.

Windows Hardware Performance

1 answer

  1. Crystal-MSFT 53,821 Reputation points Microsoft External Staff
    2025-03-17T02:35:05.8633333+00:00

    @CAS_869, Thanks for posting in Q&A. From your description, it seems the issue is that the signed ARM64 native printer driver will not install on Windows ARM64 but can install on Windows x64, and your finding is correct. Windows ARM64 intentionally enforces stricter Code Integrity policies than Windows x64, which causes our issue.

    According to Microsoft's end of servicing plan for third-party printer drivers, WHQL will continue to sign printer drivers on a case-by-case basis until July 2025. After that, new printer drivers will be approved only on a limited basis. While WHQL signing is still available, submitting your driver for WHQL certification might be the most straightforward solution. This process ensures that your driver is recognized as trusted by Windows ARM64.

    After the end of WHQL signing support, here are 3 suggestions I can think of for you.

    1. Contact the driver provider to code sign the driver to ensure it can be trusted.

    2. Temporarily disable Driver Signature Enforcement when we can ensure the driver is from a trusted source. Enable it again after the driver is installed.

    3. Send feedback to Windows Developer to see if the ARM behavior can change to match that of Windows x64.

    https://support.microsoft.com/en-us/windows/send-feedback-to-microsoft-with-the-feedback-hub-app-f59187f8-8739-22d6-ba93-f66612949332

    Hope the above information can give you some help.




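A triage sketch for the SetupAPI.dev.log comparison described in the question, added here as an example and not code from either poster or from Microsoft: it splits the log into install sections and separates "catalog is Authenticode signed but publisher trust was not established" (0xE0000242) from other outcomes. The sample log text is constructed, and the names `triage`, `classify` and `SAMPLE_LOG` are hypothetical.

```python
import re

# Constructed sample in the section layout of setupapi.dev.log (paths and times made up).
SAMPLE_LOG = r"""
>>>  [Setup Import Driver Package - C:\drv\x64\sample.inf]
>>>  Section start 2025/03/14 10:01:02.000
     sig:           Success: File is signed in Authenticode(tm) catalog.
<<<  [Exit status: SUCCESS]
>>>  [Setup Import Driver Package - C:\drv\arm64\sample.inf]
>>>  Section start 2025/03/14 11:15:40.000
     sig:           Success: File is signed in Authenticode(tm) catalog.
!!!  sig:           Driver package signer is unknown, and Code Integrity is enforced.
!!!  sto:           Failed to import driver package. Error = 0xE0000242
<<<  [Exit status: FAILURE(0xe0000242)]
"""

TRUST_NOT_ESTABLISHED = 0xE0000242  # error code quoted in the question
HEADER = re.compile(r"^>>>\s+\[(?P<op>.+?) - (?P<target>.+)\]\s*$")
EXIT = re.compile(r"^<<<\s+\[Exit status: (?P<status>\w+)(?:\((?P<code>0x[0-9a-fA-F]+)\))?\]")

def classify(sec):
    """Map one parsed section to a verdict string."""
    if sec["status"] == "SUCCESS":
        return "installed"
    if sec["code"] == TRUST_NOT_ESTABLISHED and sec["authenticode"]:
        return "signature valid, publisher not trusted"
    return "other failure"

def triage(log_text):
    """Return one dict per install section with its signature verdict."""
    results, cur = [], None
    for line in log_text.splitlines():
        start, end = HEADER.match(line), EXIT.match(line)
        if start:
            cur = {"target": start["target"], "authenticode": False,
                   "errors": [], "status": None, "code": None}
        elif cur is None:
            continue  # text outside any install section
        elif end:
            cur.update(status=end["status"],
                       code=int(end["code"], 16) if end["code"] else None)
            cur["verdict"] = classify(cur)
            results.append(cur)
            cur = None
        elif line.startswith("!!!"):  # SetupAPI marks errors with '!!!'
            cur["errors"].append(line[3:].strip())
        elif "signed in Authenticode" in line:
            cur["authenticode"] = True
    return results
```
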