Merge pull request MicrosoftDocs#3094 from jgeurten/patch-1

Updated signing guidance for integritycheck binaries

Author: Colin Robertson

docs/build/reference/integritycheck-require-signature-check.md

@@ -1,39 +1,36 @@
 ---
-description: "Learn more about: /INTEGRITYCHECK (Require Signature Check)"
-title: "/INTEGRITYCHECK (Require Signature Check)"
-ms.date: "11/04/2016"
-ms.assetid: 9e738825-2c98-40cd-8ad2-5d0d9c14893e
+description: "Learn more about: /INTEGRITYCHECK (Require signature check)"
+title: "/INTEGRITYCHECK (Require signature check)"
+ms.date: 04/21/2021
 ---
-# /INTEGRITYCHECK (Require Signature Check)
+# `/INTEGRITYCHECK` (Require signature check)
 
 Specifies that the digital signature of the binary image must be checked at load time.
 
-```
-/INTEGRITYCHECK[:NO]
-```
+> **`/INTEGRITYCHECK`**[**`:NO`**]
 
 ## Remarks
 
-By default, **/INTEGRITYCHECK** is off.
+By default, **`/INTEGRITYCHECK`** is off.
 
-The **/INTEGRITYCHECK** option sets—in the PE header of the DLL file or executable file—a flag for the memory manager to check for a digital signature in order to load the image in Windows. This option must be set for both 32-bit and 64-bit DLLs that implement kernel-mode code loaded by certain Windows features, and is recommended for all device drivers on Windows Vista, Windows 7, Windows 8, Windows Server 2008, and Windows Server 2012. Versions of Windows prior to Windows Vista ignore this flag. For more information, see [Forced Integrity Signing of Portable Executable (PE) files](https://social.technet.microsoft.com/wiki/contents/articles/255.forced-integrity-signing-of-portable-executable-pe-files.aspx).
+The **`/INTEGRITYCHECK`** linker option sets a flag, `IMAGE_DLLCHARACTERISTICS_FORCE_INTEGRITY`, in the PE header of the DLL file or executable file. This flag tells the memory manager to check for a digital signature in order to load the image in Windows. This option must be set for both 32-bit and 64-bit DLLs that implement kernel-mode code loaded by certain Windows features. It's recommended for all device drivers on Windows Vista, Windows Server 2008, and all later versions of Windows and Windows Server. Versions of Windows prior to Windows Vista ignore this flag. For more information, see [Forced Integrity Signing of Portable Executable (PE) files](https://social.technet.microsoft.com/wiki/contents/articles/255.forced-integrity-signing-of-portable-executable-pe-files.aspx).
 
-### To set this linker option in Visual Studio
+### Signing `/INTEGRITYCHECK` files
 
-1. Open the project **Property Pages** dialog box. For more information, see [Set C++ compiler and build properties in Visual Studio](../working-with-project-properties.md).
+Microsoft has new signing guidance for DLL and executable files linked by using **`/INTEGRITYCHECK`**. The guidance used to recommend a cross-signed certificate from the [cross-signing program](/windows-hardware/drivers/install/cross-certificates-for-kernel-mode-code-signing). However, the [cross-signing program is now deprecated](/windows-hardware/drivers/install/deprecation-of-software-publisher-certificates-and-commercial-release-certificates). We recommend you sign your **`/INTEGRITYCHECK`** files by using the Microsoft [Azure Code Signing](https://techcommunity.microsoft.com/t5/video-hub/reduce-developer-friction-with-azure-code-signing/m-p/1698637) program instead.
 
-1. Expand the **Configuration Properties** node.
+### To set this linker option in Visual Studio
 
-1. Expand the **Linker** node.
+1. Open the project **Property Pages** dialog box. For more information, see [Set C++ compiler and build properties in Visual Studio](../working-with-project-properties.md).
 
-1. Select the **Command Line** property page.
+1. Select the **Configuration Properties** > **Linker** > **Command Line** property page.
 
-1. In **Additional Options**, enter `/INTEGRITYCHECK` or `/INTEGRITYCHECK:NO`.
+1. In **Additional Options**, enter *`/INTEGRITYCHECK`* or *`/INTEGRITYCHECK:NO`*. Choose **OK** to save your changes.
 
 ## See also
 
 [MSVC linker reference](linking.md)<br/>
-[MSVC Linker Options](linker-options.md)<br/>
-[Forced Integrity Signing of Portable Executable (PE) files](https://social.technet.microsoft.com/wiki/contents/articles/255.forced-integrity-signing-of-portable-executable-pe-files.aspx)<br/>
-[Kernel-Mode Code Signing Requirements](/windows-hardware/drivers/install/kernel-mode-code-signing-requirements--windows-vista-and-later-)<br/>
+[MSVC linker options](linker-options.md)<br/>
+[Forced integrity signing of portable executable (PE) files](https://social.technet.microsoft.com/wiki/contents/articles/255.forced-integrity-signing-of-portable-executable-pe-files.aspx)<br/>
+[Kernel-mode code signing requirements](/windows-hardware/drivers/install/kernel-mode-code-signing-requirements--windows-vista-and-later-)<br/>
 [AppInit DLLs and Secure Boot](/windows/win32/dlls/secure-boot-and-appinit-dlls)