Setting Driver Signing policy programmatically

Discussion in 'Windows Vista Drivers' started by Gordy, May 30, 2005.

  1. Gordy

    Gordy Guest

    Hi, I've read through the other posts and MS KB articles related to the setting
    of the driver signing policy. I can't determine if there is any way of
    setting this policy as we require.

    We have a large number of PCs (with no KB and no monitor) in remote,
    often non-networked environments. All installations at the sites must be
    unattended (bar insertion of a CD and pressing a proprietary interface
    button). These machines have a large range of peripheral devices attached.
    Some of the devices are proprietary (and have signed drivers), others
    are from 3rd parties (and are both signed and unsigned). Historically we
    have installed all the SW on these machines from scratch each time we
    need to install anything (even a single msi). We have been able to do this
    by setting the driver signing policy in either unattend.txt (for standard
    installs) or sysprep.inf (for sysprep'd drive images).

    We are now in an XP Pro SP2 environment and have a need to (occasionally)
    install unsigned drivers after an initial installation has been completed.
    This can occur days or months after the initial deployment. For example, a new
    device is plugged into the unit and we need to install the SW / drivers for
    just that device.

    We were previously able to set the driver signing policy using the registry,
    or rather we used SECEDIT and GPUPDATE. As the machines are often not on
    a domain (or even networked) setting the domain policy is not an option; we
    need to set it locally. The customers who own the units are not prepared to
    have driver signing permanently switched off.

    If SECEDIT or GPUPDATE are used now (to either set the policy to "ignore"
    or to "block"), then we get the error logged in setupapi.log (as described in

    "Permachine codesigning policy settings appear to have been tampered with.
    Error 13. The Data is invalid"
    Default of 1 restored to policy.

    This appears to indicate that we can't set the policy to "block" or "ignore";
    it will always go to "warn" if you try to programmatically set it.

    Whilst I understand the reasons for tightening up on this setting we have a
    definite need to bypass this standard security for our business. For new
    devices and our own devices we now insist on signed drivers. We are still left
    (for now) with many legacy devices with unsigned drivers. The only solution I
    have just now is to spy for the warning windows and fire keypresses at the
    dialogs. Obviously this is less than ideal.

    Any help or comments appreciated.
    Gordy, May 30, 2005
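A defender-side complement to the post above: rather than working around the "tampered with" message, an administrator can watch setupapi.log for it, since it records every attempt to change the driver signing policy and the value it was reset to. This is an added example, not code from the thread; the log lines are constructed, their prefixes are made up and are not the real setupapi.log layout, and the 0/1/2 to ignore/warn/block mapping is assumed from the post (1 is the "warn" default it describes).

```python
import re
from typing import Dict, List, Optional

# Numeric driver-signing policy values and their names as used in the thread
# (assumed mapping; 1 is the "warn" default the log restores).
POLICY_NAMES = {0: "ignore", 1: "warn", 2: "block"}

TAMPER_RE = re.compile(
    r"codesigning policy settings appear to have been tampered with\."
    r"\s*Error (?P<code>\d+)[.:]?\s*(?P<text>.*)", re.IGNORECASE)
RESTORE_RE = re.compile(r"Default of (?P<value>\d+) restored to policy", re.IGNORECASE)

# Constructed sample in the spirit of the messages quoted in the post; the
# line prefixes are invented and do not reflect the real setupapi.log layout.
SAMPLE_LOG = """\
[2005/05/30 10:12:01 Driver Install]
#-019 Searching for hardware ID(s): usb\\vid_0000&pid_0001
#W Per-machine codesigning policy settings appear to have been tampered with. Error 13. The data is invalid
#W Default of 1 restored to policy.
#I Device install completed.
"""

def find_policy_tamper_events(log_text: str) -> List[Dict[str, object]]:
    """Return one record per 'tampered with' message, paired with the
    'Default of N restored' line that follows it when one is present."""
    events: List[Dict[str, object]] = []
    pending: Optional[Dict[str, object]] = None
    for line in log_text.splitlines():
        m = TAMPER_RE.search(line)
        if m:
            if pending is not None:          # earlier event never got a restore line
                events.append(pending)
            pending = {"error_code": int(m.group("code")),
                       "error_text": m.group("text").strip().strip('"'),
                       "restored_value": None, "restored_policy": None}
            continue
        m = RESTORE_RE.search(line)
        if m and pending is not None:        # a restore line alone is not an event
            value = int(m.group("value"))
            pending["restored_value"] = value
            pending["restored_policy"] = POLICY_NAMES.get(value, "unknown")
            events.append(pending)
            pending = None
    if pending is not None:
        events.append(pending)
    return events

if __name__ == "__main__":
    for event in find_policy_tamper_events(SAMPLE_LOG):
        print(event)
```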

  2. Mark Roddy

    Mark Roddy Guest

    I could be wrong but I think that driver signing policy can be preset on
    install if you build your own install package.


    Mark Roddy DDK MVP
    Windows 2003/XP/2000 Consulting
    Hollis Technology Solutions 603-321-1032
    Mark Roddy, Jun 2, 2005

  3. Bryan S. Burgin

    Bryan S. Burgin [MSFT]

    Sorry, but this is working as designed.

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Bryan S. Burgin [MSFT], Jun 3, 2005