Setting Driver Signing policy programatically

Setting Driver Signing policy programatically: Posted by Gordy on May 30th, 2005; Hi Ive read through the other posts and MS KB articles related to the setting
of the driver signing policy. I cant determine if there is any way of
setting this
policy as we require.

We have a large number of PCs (with no KB and no monitor) in remote,
often non-networked environments. All installations at the sites must be
unattended (bar insertion of a CD and pressing a proprietry interface
button). These machines have a large range of periphial devices attached.
Some of the devices are proprietary (and have signed drivers), others
are from 3rd parties (and are both signed and unsigned). Historically we
have installed all the SW on these machines from scratch each time we
need to install anything (even a single msi). We have been able to do this
by setting the driver signing policy in either unattend.txt (for standard
installs) or sysprep.inf (for sysprep'd drive images).

We are now in an XP Pro SP2 environment and have a need to (occasionally)
install unsigned drivers after an initial installation has been completed.
This
can occur days or months after the initial deployment. For example, a new
device is plugged into the unit and we need to install the SW / drivers for
just that device.

We were previously able to set the driver signing policy using the regsitry
or rather we used SECEDIT and GPUPATE. As the machines are often not on
a domain (or even networked) setting the domain policy is not an option; we
need to set it locally. The customers who own the units are not prepared to
have driver signing permanently switched off.

If SECEDIT or GPUPDATE are used now (to either set the policy to "ignore"
or to "block", then we get the error logged in setupapi.log (as described in
298503).

"Permachine codesigning policy settings appear to have been tampered with.
Error 13. The Data is invalid"
Default of 1 restored to policy.

This appears to indicate that we cant set the policy to "block" or "ignore"
it will always go to "warn" if you try to programatically set it.

Whilst I understand the reasons for tightening up on this setting we have a
definite need to bypass this standard security for our business. For new
devices and our own devices we now insist on signed drivers. We are still left
(for now) with many legacy devices with unsigned drivers. The only solution I
have just now is to spy for the warning windows and fire keypresses at the
dialogs. Obviously this is less than ideal.

Any help or comments appreciated.; Posted by Mark Roddy on June 2nd, 2005; Gordy wrote:
install if you build your own install package.

--

=====================
Mark Roddy DDK MVP
Windows 2003/XP/2000 Consulting
Hollis Technology Solutions 603-321-1032
www.hollistech.com; Posted by Bryan S. Burgin [MSFT] on June 2nd, 2005; Sorry, but this is working as designed.

Bryan S. Burgin
bburgin@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.

Similar Posts

Install Printer-Driver / Plugin programatically (Drivers) by Tobias Erichsen
Programatically uninstalling an USB driver (Drivers) by Guillaume
how to replace signed driver programatically (Drivers) by Raj
Obtaining driver version programatically (Drivers) by sunny
Setting WLAN SSID/Channel programatically (Drivers) by Philip Lee