Driver signing registry values cannot be modified directly in Windows


Summary


In the versions of Microsoft Windows listed at the beginning of this article, programmatic modification of the HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing registry key cannot be used to bypass the warning prompt that is initiated when an unsigned driver is installed on the computer.

This behavior is by design. The prompt cannot be disabled because its purpose is to prevent operating system instability. All the manufacturers who provide Windows 2000, Windows XP, and Windows Server 2003 drivers are encouraged to have their drivers signed. In the past, manufacturers could bypass this requirement by incorporating a registry change to the Driver Signing key that prevented the prompt and allowed an unsigned driver to be installed without the user knowing that the driver was unsigned.

More Information


To specify a policy that allows unsigned drivers to be installed, use one of the following:
  • Incorporate the driver installation into Setup by using the DriverSigningPolicy=ignore setting. (See related articles.)
  • Implement a driver signing policy in a Windows 2000 or Windows Server 2003 domain by using Group Policy:
    1. Under Administrator Tools, in the Active Directory Users and Computers snap-in, right-click the domain root, click Properties, and then click the Group Policy tab.
    2. Click the default domain policy, and then click Edit.
    3. Expand Computer Configuration, expand Windows Settings, and then expand Security Settings. Expand Local Policies, expand Security Options, and then modify Device: Unsigned driver installation Behavior to the setting that you want to use.

      Note This policy is a domain-wide policy.
  • We recommend that manufacturers submit their drivers to the Windows Hardware Quality Lab (WHQL) for logo certification.
Note To set the policy on the local computer where no domain policy is applied, follow these steps:
  1. On the desktop, right-click My Computer, and then click Properties.
  2. Click the Hardware tab, and then click Driver Signing in the Drivers area.
  3. In the What action do you want Windows to take? area, click the desired action, and then click OK two times.
Note Windows queries the policy and verifies that it matches the copy stored for it in an alternative location. If the operating system determines that the Driver Signing Policy registry key has been tampered with, it automatically resets the key to the correct values (or to the default value, which is Warn for driver signing and Ignore for the non-driver signing policy).

Windows also logs one or more messages into the Setupapi.log file whenever the Driver Signing Policy registry key is tampered with:
#E412 Permachine codesigning policy settings appear to have been tampered with. Error 13: The data is invalid.
#W415 Codesigning policy database resynchronized to default values.
#W413 Default of 1 restored to "Policy" value under HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing.
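As an added example that is not part of this Microsoft article, the following Python scans a Setupapi.log for the three entry codes listed above and extracts which value Windows restored, so a defender can spot tampering attempts from the log alone. The log excerpt is constructed, and the "[section header]" plus "#Xnnn message" line layout is an assumption about typical Setupapi.log formatting.

```python
import re
from typing import List, Tuple

# Setupapi.log entry codes the article lists as evidence that the Driver
# Signing policy key was tampered with and reset by Windows.
TAMPER_CODES = {
    "E412": "per-machine code-signing policy settings tampered with",
    "W415": "code-signing policy database resynchronized to defaults",
    "W413": "default restored to a Driver Signing policy value",
}

# Assumed Setupapi.log layout: "[timestamp pid.tid context]" section headers
# followed by "#Xnnn message" entries (X = E error, W warning, I info, -).
SECTION_RE = re.compile(r"^\[(?P<stamp>[^\]]+)\]")
ENTRY_RE = re.compile(r"^#(?P<code>[EWI-]\d{3})\s+(?P<msg>.*)$")
RESTORE_RE = re.compile(r'Default of (\S+) restored to "([^"]+)" value under (.+?)\.?$')

Finding = Tuple[str, str, str]  # (install section header, entry code, message)

def scan_setupapi_log(text: str) -> List[Finding]:
    """Return every tamper-related entry, tagged with the section it sits in."""
    findings, section = [], ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group("stamp")
            continue
        m = ENTRY_RE.match(line.strip())
        if m and m.group("code") in TAMPER_CODES:
            findings.append((section, m.group("code"), m.group("msg")))
    return findings

def restored_values(findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """Extract (default, value name, key path) from each #W413 entry."""
    out = []
    for _section, code, msg in findings:
        m = RESTORE_RE.search(msg) if code == "W413" else None
        if m:
            out.append((m.group(1), m.group(2), m.group(3)))
    return out

# Constructed log excerpt; the #E412/#W415/#W413 lines match the article's text.
SAMPLE_LOG = r"""[2004/03/15 09:12:44 1204.12 Driver Install]
#I022 Found "USB\VID_0000&PID_0000" in c:\windows\inf\oem1.inf; Provider: "Example".
#E412 Permachine codesigning policy settings appear to have been tampered with. Error 13: The data is invalid.
#W415 Codesigning policy database resynchronized to default values.
#W413 Default of 1 restored to "Policy" value under HKEY_LOCAL_MACHINE\Software\Microsoft\Driver Signing.
#I023 Actual install section: [Example.Install]. Rank: 0x00000001.
"""
```

Feeding the real %SystemRoot%\Setupapi.log to scan_setupapi_log gives one tuple per tamper-related entry, with the surrounding install section so the event can be tied to a specific driver installation.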