6

How to get rid of the "Windows can't verify the publisher of this driver software" window? Policy setting didn't work.

I have tried the following suggested solutions, however neither one has worked. I am working on Driver Validation test automation using the C# language and I would like to avoid user interaction while installing/uninstalling drivers. Could you please help me get rid of the above security warning?

Two ways I have tried which did not work:

Command line:

  1. Open the command line with "Run as Administrator" and execute the following commands:
    bcdedit.exe -set loadoptions DDISABLE_INTEGRITY_CHECKS
    bcdedit.exe -set TESTSIGNING ON

  2. Restart your computer

Policy:

  1. Open gpedit.msc
  2. Expand User Configuration > Administrative Templates > System > Driver Installation
  3. In the right panel, double click on ‘Code Signing for Device Drivers’.
  4. Choose ‘Enabled’ in the window that appears. In the underlying options, choose ‘Ignore’. This disables drivers signing in Windows 7, and now you can install unsigned drivers in Windows 7.
  5. Click Apply, OK. Restart your computer to install unsigned drivers.

The solutions provided by the tech expert members didn't solve my problem. Can anybody provide a working solution? I would highly appreciate it.

Andre Silva
user2361926

1 Answer

2

I was reading about this issue. Please refer to Gizmo001's answer on the Social TechNet forum.

Import the certificates prior to install

Follow these steps:

  1. install the software once manually by confirming that the unsigned drivers shall be used
  2. go to %windir%\inf and search for the latest OEM??.INF file; open it (notepad) and verify by its contents that this is the driver you wish to install automatically next time
  3. go to %windir%\system32\catroot\{any ID}\OEM??.CAT (<- same number as in step 2); right click on this file, select properties, go to "Digital Signatures" tab, mark the certificate, click on details
  4. on the next window click "Show Certificate"
  5. on the next window open the "Details" tab and click "Save to File..."
  6. collect this/all certificates
  7. deploy these certificates
    7.1 either in a batch/cmd script using certutil.exe -f -addstore "TrustedPublisher" "MYFILE.cer" prior to setup
    7.2 or by Group Policies (computer \ Policies \ Windows \ Security \ Public Key Policies \ add your files here)
  8. run your setup just the way you wanted

Vikrant
  • Do we need to restart after adding certificate to the store? I have currently signed my drivers using a valid certificate, still Windows is showing the warning. To avoid the warning I have explicitly imported the certificate into the machine. Even after this the warning persists during installation. Do you have any comments? – amesh Dec 23 '17 at 12:56
  • I found that one has to install the certificate from the .cat file to Trusted Publishers *and* Trusted Root Certification Authorities. Then you should be able to install a driver package without confirmation panel. In addition your .cat file (and the .sys file) must have a digital signature (in my WinDRBD project we didn't sign the .cat file for self signed certificates to date). This should work for (at least) Server 2019 and Server 2016. If not please let me know. – Johannes Thoma Aug 15 '22 at 11:23
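
Steps 3 to 7.1 of the answer above can be scripted for a test machine. The following is an added example, not code from the answer or from the TechNet post: it reads the signer certificate straight from the driver's .cat file, refuses to continue unless it matches a thumbprint you already expect, and then adds it with the same certutil call as step 7.1. The catalog path and thumbprint are placeholders, and the thumbprint check is an addition that the original steps do not contain.

```powershell
#Requires -RunAsAdministrator
# Added example. Both default values are placeholders (assumptions), not values from the page.
param(
    [string]$CatalogPath        = 'C:\Drivers\MyDriver\mydriver.cat',   # hypothetical path
    [string]$ExpectedThumbprint = '<EXPECTED-SIGNER-THUMBPRINT>'        # placeholder
)
$ErrorActionPreference = 'Stop'

# Read the Authenticode signature of the catalog (replaces the Explorer clicks in steps 3-5).
$sig = Get-AuthenticodeSignature -FilePath $CatalogPath
if ($null -eq $sig.SignerCertificate) {
    throw "No signature found on $CatalogPath; there is no publisher certificate to trust."
}
$cert = $sig.SignerCertificate
Write-Host "Signer:     $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Status:     $($sig.Status)"

# HashMismatch means the catalog was changed after it was signed; do not trust it.
if ($sig.Status -eq 'HashMismatch') {
    throw "Catalog contents do not match the signature."
}

# Only trust the certificate that was expected, never whatever the file happens to carry.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpperInvariant()
if ($cert.Thumbprint -ne $expected) {
    throw "Signer thumbprint $($cert.Thumbprint) is not the expected one."
}

# Nothing to do if the certificate is already in the machine's Trusted Publishers store.
if (Test-Path "Cert:\LocalMachine\TrustedPublisher\$($cert.Thumbprint)") {
    Write-Host 'Certificate is already in Trusted Publishers.'
    return
}

# Export to a temporary .cer file and add it with the certutil call from step 7.1.
$cerFile = Join-Path $env:TEMP "$($cert.Thumbprint).cer"
Export-Certificate -Cert $cert -FilePath $cerFile | Out-Null
& certutil.exe -f -addstore 'TrustedPublisher' $cerFile
$exit = $LASTEXITCODE
Remove-Item $cerFile
if ($exit -ne 0) { throw "certutil failed with exit code $exit" }
Write-Host 'Certificate added to Trusted Publishers.'
```

The script only touches Trusted Publishers; the Trusted Root Certification Authorities step that the comment above describes for self-signed certificates is not included.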