Microsoft has some documentation about HLK testing and WHQL signing, but it is quite incomplete, and there is lots of room for speculation and anecdotes. Practical testing is often required to understand the requirements fully. Therefore some of the requirements documented in this article are bound to change.

Different Windows versions have different kernel-mode signing options:

NOTE: it is not required to pass the HLK tests just to get a driver that loads on Windows Server 2016/2019. An attestation-signed driver is good enough. This claim contradicts the "official" Microsoft documentation but trust me, it is true. Our installers have attestation-signed drivers and no Windows Server 2016/2019 users have complained. Apparently that particular piece of MS documentation was written at a time when MS was _planning_ to require WHQL-certified drivers for Windows Server 2016+, then backpedaled and forgot to update the documentation.

Sgstair patched tap-windows6 to pass the HLK tests. His work has now been merged to the upstream tap-windows6 project.

HLK testing always requires an HLK Controller/Studio node, plus one or more HLK clients. The HLK client Windows version and HLK versions need to be in sync as described in MS documentation. For example, if your goal is to get a signature for Windows Server 2019 you need to use HLK 1809. This requirement is clearly outlined in the HLK 1809 release blog post. Additionally, since the HLK 1709 release HLK will support testing a single Windows 10 version only.

According to practical testing done by Wintun developers it is possible to get a code signature that is valid for all Windows 10 platforms using the following HLK clients:

Wintun was able to pass HLK testing without any physical HLK clients. But because Wintun advertised itself as a virtual device it had a narrower scope and had to pass fewer HLK tests (~50 in total) than tap-windows6 (68 tests with filters applied).

For the HLK controller you can use a virtualized (VirtualBox, VMware) Windows Server 2016 or 2012r2 instance.

For tap-windows6 testing a support machine is also needed. To be on the safe side use the same OS version and build as the HLK client.

There are some additional requirements for tap-windows6 that stem from generic LAN testing prerequisites:

Slow switches can cause issues on some of the tests. However, a cheap 10€ switch may end up working just fine.

For HLK software installation please refer to the official MS documentation, check out puppet-hlk and puppet-hlk_tap6_openvpn or try out the Windows Virtual Hardware Lab Kit. The version of HLK you need to install depends on the version of Windows you're attempting to certify as described in Microsoft documentation. To check the Windows version from PowerShell do:

PS> [System.Environment]::OSVersion.Version

For multimachine tests you need to name some of the devices on the HLK test client (that actually runs the tests) and support machine (second machine that is connected “back to back” through the VPN). The non-VPN interface through which the nodes communicate with the HLK controller should be named "MessageDevice" and the tap-windows6 adapter on the support machine should be named "SupportDevice0".

You also have to enable test signing so that you can load unsigned ("to be tested") drivers on both HLK client and support machine:

Then you need to install the HLK client software from the HLKInstall SMB share on the controller.

You also need to add the automatically generated test certificate ("WDKTest*") from the tap-windows6 build machine to the Windows certificate store on the HLK clients. After all this you can install the test-signed driver without signature errors.
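
The client preparation described on this page (adapter names, test signing, the "WDKTest*" certificate) can be checked before a test run with a script like the following. This is an added example, not part of the original page or of tap-windows6. It assumes English bcdedit output and that the test certificate was added to the LocalMachine Root and TrustedPublisher stores, which the page does not specify; the -Role parameter is hypothetical.

```powershell
# Added example: preflight check for an HLK client or support machine.
# Run from an elevated PowerShell prompt (bcdedit needs administrator rights).
param(
    # Hypothetical switch: 'Client' checks MessageDevice only,
    # 'Support' also checks the tap-windows6 adapter name SupportDevice0.
    [ValidateSet('Client', 'Support')]
    [string]$Role = 'Client'
)

$results = [ordered]@{}

# Windows version, to compare against the HLK release that was installed.
$results['OSVersion'] = [System.Environment]::OSVersion.Version.ToString()

# Adapter names required by the multimachine tests.
$required = @('MessageDevice')
if ($Role -eq 'Support') { $required += 'SupportDevice0' }
foreach ($name in $required) {
    $adapter = Get-NetAdapter -Name $name -ErrorAction SilentlyContinue
    $results["Adapter:$name"] = [bool]$adapter
}

# Test signing: look for "testsigning Yes" in the current boot entry.
# Assumption: English bcdedit output.
$bcd = & bcdedit.exe /enum '{current}' 2>$null
$results['TestSigning'] = [bool]($bcd | Select-String -Pattern '^testsigning\s+Yes' -Quiet)

# Test certificate. Assumption: it was added to both of these machine stores.
foreach ($store in 'Root', 'TrustedPublisher') {
    $certs = Get-ChildItem -Path "Cert:\LocalMachine\$store" |
        Where-Object { $_.Subject -like '*WDKTest*' }
    $results["Cert:$store"] = [bool]$certs
}

# Print every check, then name the ones that failed.
$results.GetEnumerator() | Format-Table -AutoSize Name, Value
$failed = $results.GetEnumerator() | Where-Object { $_.Value -eq $false }
if ($failed) {
    Write-Warning ('Not ready for HLK run: ' + ($failed.Name -join ', '))
}
```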