Bug 1376048 - [tracking] New Windows 10 driver signing requirements
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: virtio-win
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Yvugenfi@redhat.com
QA Contact: lijin
URL:
Whiteboard:
Depends On: 1682882
Blocks: 1743480
Reported: 2016-09-14 14:05 UTC by Ladi Prosek
Modified: 2020-03-18 10:05 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-18 10:05:41 UTC
Type: Bug
Target Upstream Version:



Description Ladi Prosek 2016-09-14 14:05:35 UTC
This is a brief description of what's changed in Windows 10 build 1607 (aka Anniversary Update aka Redstone 1) with respect to driver signing.

If the following conditions are met:
- 1607 installed from scratch, i.e. not upgraded
- UEFI secure boot is enabled

the system will not load new (signed with a certificate issued after July 29th 2015) cross-signed drivers. Our upstream/Fedora drivers are cross-signed, our RHEL WHQL-ed drivers are not and will *not* be affected by this change.

Fedora and other users of our pre-WHQL drivers have the following options to work around this:

1. disable secure boot
2. use an older virtio-win build - anything up to and including 102 will work
3. set a special secret registry key to fall back to allowing cross-signed drivers (this has been mentioned in MSFT communication but the specifics are not known at this point)

One possible way of solving this without resorting to workarounds would be using the so-called attestation signing to have Fedora Win10 drivers signed by Microsoft without WHQL. This would be limited to client Win10 though, at least based on the information published here:

https://msdn.microsoft.com/en-us/windows/hardware/drivers/develop/attestation-signing-a-kernel-driver-for-public-release

"An attestation signed driver will only work for Windows 10 Desktop, it will not work for other versions of Windows, such as Windows Server 2016, Windows 8.1, or Windows 7."

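A way to check a Windows guest against the conditions in the description, as an added example that is not part of the original bug report or of virtio-win. The `C:\virtio-win` path is hypothetical, and the registry test for an upgraded install, the treatment of builds after 1607, and the signer-name test for Microsoft-signed drivers are assumptions.

```powershell
param(
    [string]$DriverDir = 'C:\virtio-win'   # hypothetical path to the unpacked driver files
)

$Cutoff    = [datetime]'2015-07-29'   # certificate cutoff date from the description
$Build1607 = 14393                    # OS build number of Windows 10 version 1607

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuild

# Confirm-SecureBootUEFI returns $true/$false on UEFI systems and throws on legacy BIOS.
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = $false }

# Assumption: an in-place upgrade leaves "Source OS (Updated on ...)" subkeys here.
$upgraded = @(Get-ChildItem 'HKLM:\SYSTEM\Setup' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -like 'Source OS*' }).Count -gt 0

# Assumption: builds after 1607 apply the same rule.
$enforced = ($build -ge $Build1607) -and $secureBoot -and (-not $upgraded)
"Build $build, Secure Boot: $secureBoot, upgraded: $upgraded, new policy applies: $enforced"

Get-ChildItem -Path $DriverDir -Recurse -File -Include *.sys, *.cat | ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate
    if (-not $cert) { return }   # unsigned file, nothing to evaluate

    # Heuristic (assumption): WHQL and attestation signatures carry this Microsoft signer name.
    $msSigned = $cert.Subject -like '*Microsoft Windows Hardware Compatibility Publisher*'
    [pscustomobject]@{
        File        = $_.Name
        Signer      = $cert.GetNameInfo('SimpleName', $false)
        IssuedOn    = $cert.NotBefore
        CrossSigned = -not $msSigned
        Affected    = $enforced -and (-not $msSigned) -and ($cert.NotBefore -gt $Cutoff)
    }
}
```

Rows with `Affected` set to True are cross-signed files whose signing certificate postdates the cutoff on a machine that meets both conditions.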
