Can difxapp2 install authenticode signed drivers on XPSP2
A simple question. The authenticode documentation says that drivers can be signed with authenticode on Windows 2003 and above. But WHQL has to be used for 9x/2000. No mention of XP.
Does the latest service pack enable XP to install authenticode signed drivers?
thanks
Answers (9)
Posted by:
kkaminsk
19 years ago
Posted by:
meastaugh1
19 years ago
Posted by:
kkaminsk
19 years ago
Well this is a grey area for me too. The last time I spoke to a developer they said this functionality would not be included until Longhorn. With the release of 2.0 I saw features that were not going to exist until Longhorn. I would say yes but I have never done it so my opinion does not count for much.
Posted by:
kkaminsk
19 years ago
The manual does sound promising.
Wizard Installation of Signed WHQL-Class Driver Packages on Windows XP and Windows 2000
By default, the DIFx tools perform a wizard installation of driver packages with WHQL signatures and Authenticode signatures. The following considerations apply:
• If a driver package has a valid WHQL signature, Setup does not display a driver signing dialog box. If the WHQL signature is not valid, Setup displays a driver signing dialog box or block installation, depending on the driver signing option set for a computer (Ignore, Warn, or Block).
• Setup handles a driver with an Authenticode signature in the same way that Setup handles unsigned driver packages. Depending on the driver signing option set for a computer, Setup displays a driver signing dialog box or block installation (Ignore, Warn, or Block).
Posted by:
meastaugh1
19 years ago
Posted by:
kkaminsk
19 years ago
There is a layer of security in there. The reason you would go through the trouble of signing your drivers is if you wanted only signed drivers (internal or Microsoft WHQL) to be installed on machines in the organization. This gives you control over which drivers are certified for your environment as well as some protection from people installing keyloggers or rootkits.
So it really comes down to your Active Directory security policy more than anything. Microsoft has given you a choice instead of forcing you to only use WHQL signed drivers like they did in DIFx 1.0.
Posted by:
meastaugh1
19 years ago
The reason you would go through the trouble of signing your drivers is if you wanted only signed drivers (internal or Microsoft WHQL) to be installed on machines in the organization.
The policy in place is that signed drivers are installed by anyone, but local administrator rights are required to install unsigned drivers.
• Setup handles a driver with an Authenticode signature in the same way that Setup handles unsigned driver packages.
The reason I ask, is because I want to install unsigned drivers silently so when a standard user plugs in a pnp device (with unsigned driver) it will install silently, and not prompt for local administrator credentials. If authenticode signed drivers are treated the same as unsigned drivers, I guess this is not possible?
Apologies if I've misunderstood.
Posted by:
kkaminsk
19 years ago
You are correct. They are still pushing the WHQL signing for maximum functionality. I still think they should allow silent installs if the driver has been signed internally. I think it is somewhat ridiculous that you cannot silently install a driver that has been internally certified. Why punish the corporate user for what the vendor chose? I have had vendors express their disinterest in WHQL certification of their drivers. It costs money and they do not see a direct benefit. Honestly, who is not going to buy hardware based on the driver certification status?
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.