none
Temporary Disable Driver Signing Check in Windows 7

    Question

  • I am injecting drivers from HP into my Windows 7 automated installation.  As the machine boots up, a window pops up that says "Windows can't verify the publisher of this driver software" and gives the option to "Install this driver software anyway."  Is there a way to temporarily disable the driver signing check temporarily?  I must automate the image process without any user interaction.  Are there settings that I can apply in the Unattend.xml file that can accomplish this?  Any suggestions would be helpful.  Thanks!
    Brian Hall www.bhall.com
    Wednesday, July 22, 2009 5:06 PM

Answers

  • A policy could controls this behavior. To find it, please:

    1. Start->Run->GPEdit.msc
    2. Navigate to 

    User Configuration->Administrative Templates->System->Driver Installation->Code signing for drivers

    If you cannot access UI to change the policy, you may change the related Registry value:

    Location: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing]
    Value Name: BehaviorOnFailedVerify
    Data Type: REG_DWORD (DWORD Value)
    Value Data: (0 = Ignore, 1 = Warn, 2 = Block)

    To bypass verify, we need to set the value to 0 (Ignore) use the following command.

    reg add "HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing" /v BehaviorOnFailedVerify /t reg_dword /d 00000000 /f

    It can be referred when you create the xml file.


    Arthur Xie - MSFT
    Friday, July 24, 2009 9:53 AM
    Moderator

All replies

  • A policy could controls this behavior. To find it, please:

    1. Start->Run->GPEdit.msc
    2. Navigate to 

    User Configuration->Administrative Templates->System->Driver Installation->Code signing for drivers

    If you cannot access UI to change the policy, you may change the related Registry value:

    Location: [HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows NT\Driver Signing]
    Value Name: BehaviorOnFailedVerify
    Data Type: REG_DWORD (DWORD Value)
    Value Data: (0 = Ignore, 1 = Warn, 2 = Block)

    To bypass verify, we need to set the value to 0 (Ignore) use the following command.

    reg add "HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing" /v BehaviorOnFailedVerify /t reg_dword /d 00000000 /f

    It can be referred when you create the xml file.


    Arthur Xie - MSFT
    Friday, July 24, 2009 9:53 AM
    Moderator
  • Thank you very much for the reply!  I am drastically changing my deployment process, so I'm not sure if I'll have to implement this yet, but it's great to have it.  It will no doubt come in handy in the future.
    Brian Hall
    www.bhall.com
    Friday, July 24, 2009 3:10 PM
  • First I found this topic on another site:
    http://www.ocforums.com/showthread.php?t=619617

    this guy tries to turn it off not with the command way, I tried this and it indeed doesn't work...

    Then I found your post...

    I open cmd runed as admin, then I copy past your line (reg add "HKCU\Software\Policies\Microsoft\Windows NT\Driver Signing" /v BehaviorOnFailedVerify /t reg_dword /d 00000000 /f), It says succesfull. After that I try to re-install the same thing I tried before....
    I still get the same error... ( "the red box")

    am I doing something wrong?
    Wednesday, November 11, 2009 3:06 PM
  • Hi All,

    I have the same requirement where I need to bypass the driver signing warning in Windows 7. I tried the above given fixes, but none helped yet.

    Any help on this would be greatly appreciated.

    Thanks,

    Chetan

     

     

     

    Wednesday, October 06, 2010 9:01 AM
  • Same here. None of the fixes proposed all over the internet work i.e.

    1. gpedit.msc method

    2. reg add method

    3. bcdedit -set loadoptions DDISABLE_INTEGRITY_CHECKS

    none of them works on Windows 7.

     

    Wednesday, October 20, 2010 11:26 PM
  • Ok, I worked all weekend figuring this out and I think I have it now. I am not geeky, but very intuitive...I tested it across 4 different platforms successfully. 2 different desktops...and 2 different laptops. Here is how I did it.

    1. Turn off driver signing, and reboot so the settings stick. (Use the driver signing off.bat below)

    2. Turn UAC to the second from the bottom selection and reboot to make the settings stick. (Use the UAC Lower.bat below)

    3. Place the UAC Raise.bat and Driver Signing On.bat files in the sysprep folder.

    4. Call the scripts you placed in the sysprep folder in the last pass of the Answer File:

    Unattend/Components/7 oobe System/AMD64_Microsoft-Windows-Shell-Setup_neutral\First Logon Commands

    Sysprep your image as normal using oobe.

     

    Scripting Info:

    UAC Lower.bat (use this script to drop UAC before you sysprep)

    C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 0 /f

    UAC Raise.bat (Put this in a .bat file and place in Sysprep folder)

    C:\Windows\System32\cmd.exe /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t REG_DWORD /d 1 /f

    Driver Signing Off.bat (Use this script to disable driver signing before you sysprep)

    bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
    bcdedit -set TESTSIGNING ON

    Driver Signing On.bat (Place this in a .bat file and place in Sysprep folder)

    bcdedit.exe -set loadoptions ENABLE_INTEGRITY_CHECKS
    bcdedit.exe -set TESTSIGNING OFF

     

    • Proposed as answer by Roman Johnston Monday, January 10, 2011 3:04 PM
    Monday, January 10, 2011 3:04 PM
  • I'm trying to install 50 print drivers on a Windows 2008 R2 RDS.  6 of them prompt for driver signing.  I've tried your instructions and this does not work.  Do you have any special tips for Windows 2008 R2?  No one has a solution posted for this.
    Sunday, February 06, 2011 6:05 AM
  • !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!   FOR ALL PEOPLE !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

    English people: If you don't speak spanish please use google to traslate as I use it when I need something in english... Jijijiiji

    Todo lo anterior debería ser funcional, pero si luego de hacer todo eso no logran quitar elegantemente ese molesto mensaje, solo les queda hacer lo siguiente y que les tiene que funcionar SI o SI.

    1. Descargar e instalar: ApplicationCompatibilityToolkitSetup.exe 12.0 MB, dentro de este viene una herramienta que se llama Compatibility Administrator que es la que se va a usar.

    http://www.microsoft.com/download/en/details.aspx?id=7352

    2. Una vez instalado iniciamos Compatibility Administrator.

    3. Click Derecho sobre New Database > Create New > Application Fix...

    4. Name of the program to be fixed: nombre de tu programa

    Name of the vendor for this program: vendedor

    Program file location: C:\windows\system32\msiexec.exe

    Nota: la linea anterior por si el programa que está dando el mensaje es un fichero.msi, si ese un fichero.exe, se debe dar entonces la ruta: \\ruta_de_mi_fichero\fichero.exe o usar el boton Browser para localizarlo.

    5. Siguiente

    6. Siguiente

    7. Seleccionar en esta lista: NoSignatureCheck

    8. Siguiente

    9. Finalizar

    10. Save, poner un nombre al fichero.sdb y a la base de datos, puede ser el mismo.

    11. Click derecho sobre la bd que has creado y guardado (Custom Database > Tu BD)

    12. Install, puedes ya cerrar este programa.

    Nota: Si deseas instalar esta bd de forma silenciosa y por red, puedes usar el siguiente comando en la linea de comandos CMD >sdbinst -q \\ruta\mibasededatos.sdb

    13. Intenta instalar el programa o driver que te estaba sacando el mensaje.

    14. Es con mucho gusto.



    VICTOR MANUEL NIEBLES
    Friday, October 14, 2011 10:08 AM
  • Hello to Everyone!

    I tried to follow these instructions in Win7 64b and VMWare GSX Server software, but without success.

     

    Regards.

    Tuesday, January 03, 2012 5:24 PM