Microsoft Privileged Certificate Technology Requirements

Application code submitted to a certificate authority to be signed with a privileged certificate shall comply with the following requirements:

A. Application code shall not:

  1. Modify the value or function of any security policy, including without limitation, any of the security policies accessible through the Security Policy CSP
  2. Modify any keys or name/value pairs in the following registry locations:
    1. HKLM\Drivers
    2. HKLM\Hardware
    3. HKLM\Init
    4. HKLM\Comm
    5. HKLM\Security
    6. HKLM\System
  3. Modify, add, or remove any certificates in the following CAPI stores:
    1. Privileged Execution Trust Authorities
    2. Unprivileged Execution Trust Authorities
    3. Software Publisher Certificate
  4. Modify the application and certification revocation lists
  5. Send any device configuration messages to the CM, block any device configuration messages being sent to the device, or modify the device configuration system
  6. Access or modify the Metabase, the Metabase CSP and the underlying database
  7. Modify or circumvent any DRM protection of any device, content, or applications
  8. Overwrite or shadow any system files
  9. Modify any part of the ROM image
  10. Modify the boot sequence
  11. Access any part of the device hardware through any means other than the APIs published in the Software Development SDK for the particular version of the MS Smartphone software.


B. Application code shall only:

  1. access and use those APIs that are listed in the Software Development Kit ("SDK") for the particular version of Microsoft Smartphone Software (e.g., 2002, 2003, etc.);
  2. access and use DeviceIDs and other device information only through system APIs listed in the SDK for the particular version of the Smartphone Software;
  3. access and use file systems through the file system APIs listed in the SDK for the particular version of such Microsoft Smartphone Software.


C. Notwithstanding the requirements set forth in A and B of these Microsoft Privileged Certificate Technology Requirements, device driver application code may:

  1. Solely to the extent necessary for making the hardware peripheral device functional, modify the keys or name/value pairs in the following registry locations:
    a. HKLM\Drivers
    b. HKLM\Hardware
    c. HKLM\Init
  2. Solely to the extent necessary for the development of the device driver:
    a. access and use any of the Smartphone Software APIs
    b. access the device hardware directly using means such as assembly code or direct memory manipulation

Comments (4)
  1. Mikel Berger says:

    Good news from the Windows Mobile team. The security infrastructure on Smartphone requires that an application be "trusted" in order to write to certain files, write to certain registry keys, or use certain APIs. Until recently, this meant going to each mobile operator and convincing them to sign your app (not exactly an easy task). Well, now we have something better: the Mobile2Market Privileged Certificate program. The goal of this is to enable ISVs to get their app signed with a single privileged certificate that all devices trust. If this is something you need, read the requirements. Once your app meets the requirements, send a mail to to get the rest of the details (process, costs, etc).

  2. selva_rajk says:

    How can I create my own privileged certificate?

    Thanks in advance.

  3. Andrew says:

    You just create a certificate, and install it in the privileged area on the device. Then just sign your assembly with the certificate.
