Software Deployment

this is on the right track,

You can relax the permissions, install the drivers, the reinstate the permissions.

Hi there


Unsigned printers can be packed acording to MSIMaker look at his PnPDriver templater it can do it. you find it at this forum in the top

You can allso sign driver the driver.

Se Microsoft "Using Authenticode to Digitally Sign Driver Packages"

you will need MakeCat.exe and signtool.exe


Sweede ;-)

Thanks for reply .

One quick question . I am currently trying to test the freely available unsigned driver
V1.32 BETA USB-Ir Adapter Driver Installation Program for STIR4200 , available at http://www.sigmatel.com/products/tech-support.htm .

The set up for this database is in setup.exe format . DO Ihave to first repackage this set up into an MSI and then apply the template process mentioned in your reply .

Also signing a driver using Authenticode requires a digital certificate to be obtained from certifying authorities . In which case we have to pay for the digital certificate i guess . Please correct me if I am wrong .

Cheers ,
V

Hi Sweede ,

I read on of your posts on packaging unsigned drivers where you mentioned of creating cat file and signing the driver .

Could you please elaborate or provide some pointers on creating the CAT file .

Any suggestions will be really appreciated .

Cheers ,
V

http://itninja.com/question/device-drivers---found-solution!

May be of assistance

nmi

Thanks ,

I tried packaging an unsigned driver usinbg admin studio but it did not allow me to do so .

Are there any other means you are aware of ehich might be helpful while packaging unsigned drivers .

I do not want to use authenticode as this process requires a digital certificate and i assume it requires money .


Cheers ,

Viv

This depends on who you are deploying to. If you are depolying to your internal organisation ONLY and your orgainsation has a solid PKI strategy, then you should have a CA somewhere (Certificate Authority). You should be able to create a certificate, have your organisation trust the certificate and sign the drivers using that.

I think :)

Rgds

Paul

Sorry , We do not have any CA in our organization . We have to rely on external vendors . Which has become a bottleneck cause this will come with some price .

Hence we want to make sure that there is no other way except purchasing Certs. before taking this step . I have seen quite a few posts about packaging unsigned drivers but they are not comprehensive enough to make a decission .


Cheers ,
V

If you have Windows Server in your organisation (which I'm sure you do) CA is part of it. You can create your own certificates for use with this, can't you?

Apologies , I had no clue that CA is part of Windows server as I am purely from dev background .

I will now investigate into this further.

Thanks for the clarification .

Cheers ,
V

I will caution you that its a Good Idea (tm) to have a solid PKI strategy in place, which obviously your organisation doesn't. Mainly becuase, fair enough, you go to a windows server, issue certs, choose to trust them. Then another project issues ANOTHER certificate, perhaps from a Novell server, trusts it, another department does something else, and before you know it you have a certificate nightmare on your hands where your organisation has to keep track of multiple certs doing the same thing from different sources. What happens if that server gets decommissioned or assimilated into another server, will the certs migrate across? Definately think about the end to end process before just creating a cert and trusting it.

In my opinion :)

I had a discussion with the Server team in my Org. We do not have any PKI strategy or CA at the moment .

It seems it will take a while before they implement this .Seems its another showstopper :(

I guess I have to find an alternate way to resolve this issue .

Cheers ,
V

I have downloaded the driver you posted and I'm going to attempt it tomorrow. I don't have the Sigma device tho so I'll just take an infra red device with me and see how it goes. No promises but I like the challenge.

Really appreciate your help .

Also I am trying to package the same driver now using DIFXAPP 2.0

I am getting following error in my installation log files : DIFXAPP: ERROR more than one driver package found in C:\WINDOWS\inf\

Has anyone experienced this error before .

I followed following steps :

1) Created the driver Installer database (Installshield Repackager as the original driver set up is not MSI)
2) Applied DiFxApp.msm to the Installer Database
3) Added the Component (which contains the INF file ) to the component table
4) Added Flag value in the component table to 8 for Legacy install (unsigned driver)
5) Saved the new merged MSI
6) Installed the driver Package with msiexec options for verbose logging

As I am trying this for the first time , I might be having a completely wrong understanding .

Cheers,
V

Hi All ,

I am starting this thread again .

I am packaging Axicon 600 Barcode viewer , which has an unsigned driver .

I used DIFXAPP 2.0 to package the driver , fine . But when i tried installing the driver I got the OS level security prompt to Continue / Stop installation .

I had an impression that if I install the unsigned in legacy mode (DIFXAPP 2.0) then I will not get this message .

Am I missing something here ? Any pointers will be of great help .

Cheers,
V

hi viv,
The security prompt that you receive may be coz of the security policy that has been set up on your computer or any GP's that are implemented by your organization. You may need to work with the security group at your company to confirm this. Hope this was helpful.

cheers,
srid.

Yes you are right , but the GPO team does not want to change the Group policy setting for a few number of drivers .

We get around this issue by a not so good way of using Auto IT scripts to click the security prompt during installation to continue .

Till now I haven't come across any other nice option to overcome this issue .

Cheers ,
V

Hi
I am in unsigned driver hell at the moment.
I would like to certify my own cat files and I tried for ages to get that to work without success so far.
Any tips/how to would be useful.
Also what GP settings do I need to change to allow unsigned drivers to be deployed. I have tried changing a few things without success so far.
It only seems to work if I login in as admin and change it manually.

Cheers

ORIGINAL: ZeroHour

Hi
I am in unsigned driver hell at the moment.
I would like to certify my own cat files and I tried for ages to get that to work without success so far.



I know you can sign your own files, but the system isn't setup to accept these. Only Microsoft can officially "sign" the drivers (or a 3rd party sanctioned by MS). Otherwise everyone would do it. The reasoning for this is so that only fully tested drivers are allowed onto the system (to prevent the problems well documented in the past).

Yeh thats what I was thinking as I seemed to do it all right.
Its just making life on a enterprise diffecult because you cant just roll a drivers msi out which would do the job.
Its something they are solving in longhorn though.

Any more thoughts/ideas?

Hi ,

I had to write an AUTO IT script along with using DIFxApp 2.0 to to send {Enter} key when security prompt for unsigned driver pops up . This will "select continue Installation" option and will go ahead with the drivers installation .

The only down side of this script is that it does not run if the user if logged off / has locked the machine during installation .

Cheers ,
V

So I take it that it wont work if deployed with AD?

Cheers

ORIGINAL: ZeroHour

So I take it that it wont work if deployed with AD?

Cheers


I suspect you'd have to run the Autoit script as part of a logon sequence and then deploy the msi via GPO's to get it to work.

When Autoit runs it just leaves a small icon in the task bar so its pretty innocuous.

nmi

I haven't come across any other solution except AutoIT .

Alternativley GPO settings for unsigned driver can be relaxed to ignore unsigned drivers for which I think your GP team will discourage you for obvious reasons .

Cheers ,
V