Can difxapp2 install authenticode signed drivers on XPSP2

A simple question. The authenticode documentation says that drivers can be signed with authenticode on Windows 2003 and above. But WHQL has to be used for 9x/2000. No mention of XP.

Does the latest service pack enable XP to install authenticode signed drivers?

thanks

Answers (9)

Posted by: kkaminsk 18 years ago
9th Degree Black Belt
0
As far as I understand things all versions of XP should install signed drivers. It is when the driver is not signed that things become more complex.
Posted by: meastaugh1 18 years ago
Senior Purple Belt
0
Sorry, I don't think I made the question clear in my original post.

I have some unsigned drivers, and I'd like to sign them myself using authenticode. Will this work on XP?
Posted by: kkaminsk 18 years ago
9th Degree Black Belt
0
Well this is a grey area for me too. The last time I spoke to a developer they said this functionality would not be included until Longhorn. With the release of 2.0 I saw features that were not going to exist until Longhorn. I would say yes but I have never done it so my opinion does not count for much.
Posted by: kkaminsk 18 years ago
9th Degree Black Belt
0
The manual does sound promising.

Wizard Installation of Signed WHQL-Class Driver Packages on Windows XP and Windows 2000

By default, the DIFx tools perform a wizard installation of driver packages with WHQL signatures and Authenticode signatures. The following considerations apply:

• If a driver package has a valid WHQL signature, Setup does not display a driver signing dialog box. If the WHQL signature is not valid, Setup displays a driver signing dialog box or blocks installation, depending on the driver signing option set for a computer (Ignore, Warn, or Block).

• Setup handles a driver with an Authenticode signature in the same way that Setup handles unsigned driver packages. Depending on the driver signing option set for a computer, Setup displays a driver signing dialog box or blocks installation (Ignore, Warn, or Block).
Posted by: meastaugh1 18 years ago
Senior Purple Belt
0
If setup handles authenticode signatures the same way as it does unsigned drivers, can you tell me what the point is in authenticode signature?
Posted by: kkaminsk 18 years ago
9th Degree Black Belt
0
There is a layer of security in there. The reason you would go through the trouble of signing your drivers is if you wanted only signed drivers (internal or Microsoft WHQL) to be installed on machines in the organization. This gives you control over which drivers are certified for your environment as well as some protection from people installing keyloggers or rootkits.

So it really comes down to your Active Directory security policy more than anything. Microsoft has given you a choice instead of forcing you to only use WHQL signed drivers like they did in DIFx 1.0.
Posted by: meastaugh1 18 years ago
Senior Purple Belt
0
The reason you would go through the trouble of signing your drivers is if you wanted only signed drivers (internal or Microsoft WHQL) to be installed on machines in the organization.

The policy in place is that signed drivers are installed by anyone, but local administrator rights are required to install unsigned drivers.

• Setup handles a driver with an Authenticode signature in the same way that Setup handles unsigned driver packages.

The reason I ask, is because I want to install unsigned drivers silently so when a standard user plugs in a pnp device (with unsigned driver) it will install silently, and not prompt for local administrator credentials. If authenticode signed drivers are treated the same as unsigned drivers, I guess this is not possible?

Apologies if I've misunderstood.
Posted by: kkaminsk 18 years ago
9th Degree Black Belt
0
You are correct. They are still pushing the WHQL signing for maximum functionality. I still think they should allow silent installs if the driver has been signed internally. I think it is somewhat ridiculous that you cannot silently install a driver that has been internally certified. Why punish the corporate user for what the vendor chose? I have had vendors express their disinterest in WHQL certification of their drivers. It costs money and they do not see a direct benefit. Honestly, who is not going to buy hardware based on the driver certification status?
Posted by: meastaugh1 18 years ago
Senior Purple Belt
0
Ok

Thanks anyway.