Security and stability improvements unique to Windows Vista x64
Windows Vista x64 will mandate all kernel modules are digitally signed by Microsoft. This is unique to the x64 (AMD64/Intel EM64T) build of the software, and does not apply to 32-bit (x86) builds or IA64 (Itanium) builds.
By doing this, vendors who write code that runs in kernel mode will need to get there code certified by Microsoft. In essence - if it's running in Kernel Mode - it's been checked by Microsoft. (UPDATE: Or the publisher has been issued with a Publisher Identity Certificate by Microsoft, which allows them to sign their own software)
Even users with administrator privileges cannot load unsigned kernel-mode code on x64-based systems. This applies for any software module that loads in kernel mode, including device drivers, filter drivers, and kernel services.
What this amounts to is both a security and stability enhancement because unsigned kernel modules will be blocked from loading (period).
Malware designed to use kernel modules and run in kernel mode will have a hard time in the x64 Vista timeframe.
This latest change, combined with enhancements that prevent kernel patching in x64 (since Windows Server 2003 SP1) will help reduce the attack surface for kernel mode malware in Windows Vista.
That's great news and another good reason to evaluate both x64 hardware and Windows Vista.
References:
Patching Policy for x64-Based Systems http://www.microsoft.com/whdc/driver/kernel/64bitPatching.mspx
Digital Signatures for Kernel Modules on x64-based Systems Running Windows Vista
http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx
