Driver Signing Registry Values Cannot Be Modified Directly in Windows (298503)


The information in this article applies to:

  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP 64-Bit Edition
  • Microsoft Windows XP Home Edition
  • Microsoft Windows Small Business Server 2003, Premium Edition
  • Microsoft Windows Small Business Server 2003, Standard Edition
This article was previously published under Q298503

SUMMARY

In the versions of Microsoft Windows listed at the beginning of this article, programmatic modification of the HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing registry key cannot be used to bypass the warning prompt that is initiated when an unsigned driver is installed on the computer.

This behavior is by design. The prompt cannot be disabled because its purpose is to prevent operating system instability. All of the manufacturers who provide Windows 2000, Windows XP, and Windows Server 2003 drivers are encouraged to have their drivers signed. In the past, manufacturers could get around this requirement by incorporating a registry change to the Driver Signing key that prevented the prompt and allowed an unsigned driver to be installed without the user knowing that the driver was unsigned.

MORE INFORMATION

To specify a policy that allows unsigned drivers to be installed, implement one of the following:
  • Incorporate the driver installation into Setup by using the DriverSigningPolicy=ignore setting. (See related articles.)
  • Implement a driver signing policy in a Windows 2000 or Windows Server 2003 domain by using Group Policy:
    1. Under Administrator Tools, in the Active Directory Users and Computers snap-in, right-click the domain root, click Properties, and then click the Group Policy tab.
    2. Click the default domain policy, and then click Edit.
    3. Expand Computer Configuration, expand Windows Settings, and then expand Security Settings. Expand Local Policies, expand Security Options, and then modify Device: Unsigned driver installation Behavior to the setting that you want to use.

      NOTE: This policy is a domain-wide policy.
  • Microsoft recommends that manufacturers submit their drivers to the Windows Hardware Quality Lab (WHQL) for logo certification.
NOTE: To set the policy on the local computer (in the case where no domain policy is applied, click Start, point to Settings, click Control Panel, and then double-click Printers and Other Hardware. In the See Also window to the left, select System and on the Hardware tab, click Driver Signing, and then the desired level.

NOTE: Windows queries for the policy and ensures that it matches the entry that is stored for it in an alternate location. However, if the operating system determines that the Driver Signing Policy registry key has been tampered with, the operating system automatically resets to the correct values (or the default value, which is Warn and Ignore for non-driver signing policy).

Windows also logs one or more messages into the Setupapi.log file whenever the Driver Signing Policy registry key is tampered with:

#E412 Permachine codesigning policy settings appear to have been tampered with. Error 13: The data is invalid.

#W415 Codesigning policy database resynchronized to default values.

#W413 Default of 1 restored to "Policy" value under HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing.

Modification Type:MajorLast Reviewed:10/10/2003
Keywords:kbenv kbhowto KB298503
©2003 Microsoft Corporation. All rights reserved.