Signed drivers are displayed as unsigned in System Center Configuration Manager

Applies to: Microsoft System Center 2012 Configuration Manager, Microsoft System Center 2012 R2 Configuration Manager, Microsoft System Center Configuration Manager 2007

Symptoms


Consider the following scenario:
  • An administrator tries to import drivers into System Center Configuration Manager.
  • The site server is running Windows Server 2008 R2.
  • The drivers are signed.

In this scenario, the drivers may be imported successfully, but they may be displayed as unsigned in the System Center Configuration Manager console. You can see this through either of the following methods:
  • Navigate to the Software Library -> Operating Systems -> Drivers node in the System Center 2012 Configuration Manager console. When the Signed and Signed By columns are added, the Signed column for the imported drivers displays No, and the Signed By column is blank.
  • When you inspect the Properties of the imported drivers in the Software Library -> Operating Systems -> Drivers node of the System Center 2012 Configuration Manager console, the Digital signer field on the General tab displays Unsigned.
The System Center Configuration Manager logs do not reveal any errors. However, when you view the Setupapi.app.log file in the C:\Windows\inf directory, you'll see the following error:
Setupapi.app.log

>>> [SetupVerifyInfFile - \\<UNC_Path_To_Driver>\<Driver>.inf]
>>> Section start <Date> <Time>
cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding
! sig: Verifying file against specific (valid) catalog failed! (0x80096002)
! sig: Error 0x80096002: The certificate for the signer of the message is invalid or not found.
! sig: Verifying file against specific Authenticode(tm) catalog failed! (0x800b0100)
! sig: Error 0x800b0100: No signature was present in the subject.
<<< Section end <Date> <Time>
<<< [Exit status: FAILURE(0x800b0100)]

Cause


Some drivers are signed by a newer signing method that is not recognized or natively supported by Windows Server 2008 R2. Therefore, these drivers cannot be imported into System Center Configuration Manager if the site server is running Windows Server 2008 R2.

Resolution


To resolve the problem, install one or both of the following hotfixes on the site server that's experiencing the problem:

2837108 You cannot import a Windows 8 signed driver on a Windows Server 2008 R2-based WDS server

2921916 The "Untrusted publisher" dialog box appears when you install a driver in Windows 7 or Windows Server 2008 R2

Notes
  • Hotfix 2837108 will resolve the issue even if WDS is not installed on the site server.
  • These hotfixes will add the necessary support to Windows Server 2008 R2 to natively recognize the newer signing methods.

To fully fix the problem, restart the site server after you install hotfix 2837108 or hotfix 2921916. Do this even if the installation process does not prompt you to restart.

After you install hotfix 2837108 or hotfix 2921916 and then restart the server, any affected driver that's already in the System Center Configuration Manager console will have to be removed and then reimported.
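
The following check can be run on the site server to list the drivers whose signature verification failed with the errors shown under Symptoms and to report whether either hotfix is installed. It is an added example, not part of the original article. The function name Get-DriverSigFailure and the sample path and timestamps are constructed for illustration, and the hotfix numbers are written with the "KB" prefix that Get-HotFix uses.

```powershell
# Written for Windows PowerShell 2.0, the version shipped with Windows Server 2008 R2.
$SigErrors = '0x80096002', '0x800b0100'   # signature errors quoted in the article's log excerpt

function Get-DriverSigFailure {
    # Returns one object per SetupVerifyInfFile section that logged one of those errors.
    param([string[]]$LogLines)
    $inf = $null; $codes = @()
    foreach ($line in $LogLines) {
        if ($line -match '^>>>\s+\[SetupVerifyInfFile - (.+)\]\s*$') {
            $inf = $Matches[1]; $codes = @()      # section header: remember the INF path
        } elseif ($inf -and $line -match '^!\s+sig:.*\((0x[0-9A-Fa-f]{8})\)') {
            if ($SigErrors -contains $Matches[1]) { $codes += $Matches[1] }
        } elseif ($inf -and $line -match '^<<<\s+\[Exit status:') {
            if ($codes.Count -gt 0) {
                New-Object PSObject -Property @{ Inf = $inf; Codes = ($codes -join ',') }
            }
            $inf = $null                          # section closed
        }
    }
}

# Constructed sample (placeholder path and timestamps). On a site server use instead:
#   $lines = Get-Content "$env:windir\inf\setupapi.app.log"
$lines = @(
    '>>> [SetupVerifyInfFile - \\server\share\example.inf]',
    '>>> Section start 2015/01/01 00:00:00.000',
    'cmd: C:\Windows\system32\wbem\wmiprvse.exe -Embedding',
    '! sig: Verifying file against specific (valid) catalog failed! (0x80096002)',
    '! sig: Error 0x80096002: The certificate for the signer of the message is invalid or not found.',
    '! sig: Verifying file against specific Authenticode(tm) catalog failed! (0x800b0100)',
    '! sig: Error 0x800b0100: No signature was present in the subject.',
    '<<< Section end 2015/01/01 00:00:00.000',
    '<<< [Exit status: FAILURE(0x800b0100)]'
)
Get-DriverSigFailure -LogLines $lines | Format-List Inf, Codes

# Report which of the two hotfixes named in the article are installed.
foreach ($kb in 'KB2837108', 'KB2921916') {
    $hit = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    '{0}: {1}' -f $kb, $(if ($hit) { 'installed' } else { 'not installed' })
}
```

Any INF path the function returns is a driver that must be removed and reimported after the hotfix is installed and the server is restarted.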

More Information


Surface Pro 3 drivers are an example of drivers that exhibit this problem. Because Surface Pro 3 drivers are signed by the newer signing method, they are affected by this issue. You may be able to import them into System Center Configuration Manager when the site server is running Windows Server 2008 R2, but they will be displayed as unsigned until either hotfix 2837108 or hotfix 2921916 is installed on the site server.

If you cannot import the drivers at all, see the following Knowledge Base article:

3025419 Can't import drivers into System Center Configuration Manager