Signed Windows PV drivers now available
After years of waiting and countless back-and-forth with Microsoft, we're glad to announce that the XCP-ng Windows PV Drivers are now signed and available for download. Find the latest downloads here:
The XCP-ng Windows PV drivers are now supported for production use, and are the recommended choice going forward. Our drivers provide improved performance and extra features for Windows guests without needing any testsigning configuration.
Even though these drivers are production-ready, we still recommend waiting until next week before testing them on critical systems.
And as always: snapshot your VM (and ideally, back it up) before upgrading, especially if you’re replacing previously installed Citrix tools.
For those who want to find out more, here's a retelling of what happened, and a quick update of our progress on the Windows drivers since last time.
The story so far
Our last blogpost described the work behind our 9.0-series XCP-ng Windows PV drivers. In short, the new PV driver package combines upstream drivers with a new installer and guest agent, while incorporating numerous improvements that we have contributed upstream. However, it was (at the time) still an experimental product that couldn't be used in production due to lack of Microsoft signatures.

The process of rebuilding the Windows drivers began several years ago, with several false starts. Requesting a Microsoft driver signature ended up being very difficult; it turns out that the registration process for Microsoft's hardware program was broken on their end, causing our and other developers' accounts to be stuck without any progress for years.
When the 9.0 driver project was started, we also started obtaining a new code-signing certificate and hardware account in parallel. It was only after many tickets and redirections in the labyrinthine Microsoft support system that we managed to restore access to the partner portal. We also stumbled upon a Microsoft support agent who was aware of the issue and pushed for an internal fix to the hardware registration process. (Big thanks to Microsoft Support for reaching out to the right departments and giving us regular updates during the entire months-long process.)
FAQ
- Can I use the XCP-ng drivers in production?
  Yes, we recommend using the XCP-ng drivers in production.
- Can I use these drivers with guest Secure Boot?
  Yes.
- Should I move from other drivers?
  We recommend using the XCP-ng drivers whenever possible. XCP-ng drivers get the latest fixes and improvements from Vates.
- Do I need to uninstall existing drivers?
  Yes, if you're using the following:
  - XCP-ng Windows drivers 8.2 or earlier
  - XenServer Windows tools or drivers (including when using the "Manage Citrix PV drivers via Windows Update" option)
  - Specifically for the 9.0.9137 release: If using any testsigned drivers from XCP-ng
- Any important notes before using the XCP-ng drivers?
  Read our release notes carefully before installing. Make sure to create backups/snapshots. Report any issues to Vates support or the XCP-ng forum.
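To go with the FAQ above, here is an added example (not part of the XCP-ng tooling) of a quick audit you can run in an elevated PowerShell session inside the guest, before and after the upgrade: it reports whether test-signing mode is still on, whether Secure Boot is active, and which PV drivers are installed along with their signer. The name pattern used to pick out PV drivers is an assumption; adjust it to what Device Manager shows on your guests.

```powershell
# Added example: audit a Windows guest's driver-signing posture.
# Run elevated. $pattern is an assumed filter, not an official list of names.
$pattern = 'XCP-ng|Xen|Citrix'

# 1. Test-signing mode. The signed drivers are meant to load with this OFF,
#    so a leftover "testsigning Yes" from earlier test builds should be cleared.
$bcd = bcdedit /enum '{current}' 2>$null
$testSigning = [bool]($bcd | Select-String -Pattern '^\s*testsigning\s+Yes' -Quiet)

# 2. Guest Secure Boot. The cmdlet throws on legacy BIOS guests or when not
#    elevated, so treat a failure as "unknown" rather than "disabled".
try   { $secureBoot = Confirm-SecureBootUEFI -ErrorAction Stop }
catch { $secureBoot = $null }

# 3. Installed PV drivers as Windows sees them, with signing status and signer.
#    Drivers from older packages that must be uninstalled first show up here too.
$drivers = Get-CimInstance -ClassName Win32_PnPSignedDriver |
    Where-Object { $_.DriverProviderName -match $pattern -or $_.DeviceName -match $pattern } |
    Select-Object DeviceName, DriverProviderName, DriverVersion, InfName, IsSigned, Signer

$unsigned = @($drivers | Where-Object { -not $_.IsSigned })

[pscustomobject]@{
    TestSigningEnabled = $testSigning
    SecureBootEnabled  = $secureBoot      # empty means it could not be determined
    PvDriverCount      = @($drivers).Count
    UnsignedPvDrivers  = $unsigned.Count
} | Format-List

$drivers | Sort-Object DriverProviderName, DeviceName | Format-Table -AutoSize

if ($testSigning) {
    Write-Warning 'Test-signing mode is enabled; it is not needed for the signed drivers.'
}
if ($unsigned.Count -gt 0) {
    Write-Warning "$($unsigned.Count) PV driver(s) are reported as unsigned; review before relying on them."
}
```

Save the output from before the upgrade next to your VM snapshot so you can compare provider names and driver versions afterwards.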
Improvements since last time
While it hasn't been very long since our last update, here are a few improvements already integrated in the XCP-ng drivers:
Reworked unplug mechanism
In the Xen PVHVM model, the hypervisor offers both paravirtualized and emulated devices to the VM. Before the paravirtualized drivers can be initialized, the VM must "unplug" the emulated devices to avoid conflicts between the two.
Traditionally, the unplug process of Xen drivers on Windows has been stateful, depending on the saved location of the Xen PV platform device to decide whether to enable the PV drivers or not. This was implemented to support Windows Update targeting of the driver package, which used two platform devices instead of one, one of which could disappear when the Windows Update support is disabled.
While the fallback worked, it was also non-deterministic and caused device IDs to change unpredictably. Any system configuration change (software updates, toggling the Windows Update setting) could lead to loss of network settings or reactivation of emulated devices. It did not support Windows upgrades, causing upgrade failures or even BSODs in some cases. Furthermore, Windows PE and offline driver injection via DISM were not supported, so it was not possible to deploy drivers via MDT or SCCM.
With the 9.0.9136/9137 release of our drivers, we reworked the activation of PV drivers to be deterministic and predictable, resolving all of the above issues. Better yet, the rework has been completely integrated in upstream code, and is fully opt-in for anyone compiling the drivers from sources.
Network driver improvements (in progress)
The Windows PV network drivers talk with the network backend via multiple rings. For efficient and performant operation, each VIF uses one pair of transmitter/receiver rings for each queue, plus one global control ring. The Windows drivers currently use a synchronous method for communicating with the control ring, causing poor system performance and possible lockups during network configuration changes.
We are currently reworking the network driver configuration code to better align with Windows driver requirements and avoid various issues with VIF hotplug, receive-side scaling and so on. We are also looking to improve the performance of key algorithms in the network driver (namely checksumming). First results are really promising!
Bug fixes
Other bug fixes were included in this release, notably:
- Fixed compatibility with NVMe device passthrough
- Fixed several network unplug issues
- Added support for the TimeSyncMode option to disable automatic Xen-based time sync in AD environments
See the release changelogs for more information.
Wrapping up
Our release of the signed drivers is a significant step forward for Windows guest support on XCP-ng. But this is just the beginning; we will continue to improve the Windows PV drivers and integrate our changes upstream. Future improvements will not just involve Windows drivers, but will aim to improve the Windows guest experience as a whole.
Finally, a word of thanks to our users, who have given us precious feedback during the development process. As usual, be sure to reach out to our community forum for more updates on the Vates VMS virtualization solution.