Read the book Windows Server 2022 & Powershell All-in-One For Dummies - Sara Perrott - Page 41

Disable Driver Signature Enforcement


By choosing the Disable Driver Signature Enforcement option, you’re basically telling the system that it’s okay to load drivers that aren’t digitally signed. Microsoft requires drivers to be digitally signed by default, and it will prevent unsigned drivers from running. Microsoft does this because, when a driver is digitally signed, it’s seen as being authentic because you can verify from the digital signature that it came from the vendor it claims to be from. Digital signatures also guarantee that the driver hasn’t been altered in any way since it was released by the vendor.

Digital signatures use the private key that belongs to a code-signing certificate to encrypt the hash of a file. (Hashes are unique thumbprints; any change to the file will change the hash.) That encrypted hash is then bundled with the certificate and the executable for the driver. When the end user installs the driver, the encrypted hash is decrypted with the public key in the certificate. The file gets hashed again on the end user’s system, and the new hash is compared to the decrypted hash. If they match, the driver hasn’t been tampered with.

If you choose to disable driver signature enforcement, you’ll be able to load unsigned drivers. Choose this option at your own risk: You could end up installing malware that presents itself as an unsigned driver.
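The signature check described above can be run against the drivers already on a server to see which ones would depend on enforcement being turned off. The following is an added example, not code from the book; it assumes Windows PowerShell 5.1 or later in an elevated session, and the function name `Get-DriverSignatureReport` and the default driver folder are assumptions made for illustration.

```powershell
# Added example: report the Authenticode status of installed kernel drivers.
# Assumption: drivers live in the default %SystemRoot%\System32\drivers folder.
$DriverDir = Join-Path $env:SystemRoot 'System32\drivers'

function Get-DriverSignatureReport {
    param([string]$Path = $DriverDir)

    Get-ChildItem -Path $Path -Filter '*.sys' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Windows re-hashes the file and compares it with the signed hash.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName

            [pscustomobject]@{
                File       = $_.Name
                Status     = $sig.Status                       # Valid, NotSigned, HashMismatch, NotTrusted, ...
                Signer     = $sig.SignerCertificate.Subject    # empty when the file is unsigned
                Thumbprint = $sig.SignerCertificate.Thumbprint
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$report = Get-DriverSignatureReport

# Summary: how many drivers fall into each signature status.
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize

# Detail: everything that is not cleanly signed.
#   NotSigned    = no signature at all
#   HashMismatch = file content changed after it was signed
#   NotTrusted   = signed, but the certificate chain is not trusted on this machine
$report |
    Where-Object { $_.Status -ne 'Valid' } |
    Sort-Object Status, File |
    Format-Table File, Status, Signer, SHA256 -AutoSize
```

A `HashMismatch` result is the case the text describes where the recomputed hash and the signed hash do not match; record the SHA256 value of any such file before replacing it with a copy from the vendor.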
