alohadin

Windows 10 - Driver Signature Enforcement

Hi,

We have a software that we have to deploy to many PCs.
On a few devices we receive a prompt that the driver is not digitally signed.
Disabling Secure Boot and afterwards disabling Digital Signature Enforcement allows us to install the software.
This is of course not an acceptable solution...


The actual warning is:
A digitally signed driver is required.

But then again, on other devices with the exact same Windows version installed, we can install the software without any warnings or prompts.

Is there a way to check if Driver Signature Enforcement is actually enabled?

The devices are:
Microsoft Surface Pro 3 - Windows 10 build 1607

On Windows 8.1 the software can also be installed without problems.

Not even sure why we receive this prompt suddenly as we use the software for a couple of years now without any issues.
btan

Should be able to see option in UEFI/BIOS initialization process. The "Disable driver signature enforcement" option should not be checked. See below

http://maxedtech.com/about-testmode/

Another means is to use BCDEDIT command e.g. bcdedit /enum ACTIVE /v

You should then see something like
nointegritychecks Yes
testsigning No

Another means is to check GPO

 e.g. In the Group Policy Editor, navigate to User Configuration → Administrative Templates → System → Driver Installation.

Double-click on Code signing for device drivers in the right-side pane.

In the window that opens, check if it is Enabled instead of Ignored or Not configured.
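
The checks suggested above (the bcdedit flags and the Group Policy setting), together with Secure Boot state and the driver file's signature, collected into one object per device so that a working and a failing machine can be compared. This is an added example, not part of the original thread; the function names, the `DriverPath` parameter and its placeholder value, and the policy registry location are assumptions.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell session:
# bcdedit and Confirm-SecureBootUEFI both require administrator rights.

function Get-BcdFlag {
    param([string[]]$BcdLines, [string]$Name)
    # bcdedit prints "<option>   <value>"; an option that was never set is absent.
    # Option names are not localized, the Yes/No values can be.
    foreach ($line in $BcdLines) {
        if ($line -match "^\s*$Name\s+(\S+)") { return $Matches[1] }
    }
    return 'not set'
}

function Get-DriverSigningState {
    param([string]$DriverPath)   # hypothetical: path to the vendor's .sys file

    # {current} limits the output to the boot entry that is actually running.
    $bcd = & bcdedit.exe /enum '{current}' /v 2>&1 | ForEach-Object { "$_" }

    # Throws on legacy BIOS systems or when not elevated, so report that instead.
    try   { $secureBoot = Confirm-SecureBootUEFI }
    catch { $secureBoot = "unavailable: $($_.Exception.Message)" }

    # Assumed registry location of the user policy "Code signing for device drivers"
    # (0 = Ignore, 1 = Warn, 2 = Block); no value means Not configured.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows NT\Driver Signing'
    $policy = (Get-ItemProperty -Path $policyKey -Name BehaviorOnFailedVerify `
               -ErrorAction SilentlyContinue).BehaviorOnFailedVerify

    $sig = if ($DriverPath -and (Test-Path -LiteralPath $DriverPath)) {
        Get-AuthenticodeSignature -FilePath $DriverPath
    }
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ReleaseId         = $ver.ReleaseId
        BuildNumber       = $os.BuildNumber
        SecureBoot        = $secureBoot
        NoIntegrityChecks = Get-BcdFlag $bcd 'nointegritychecks'
        TestSigning       = Get-BcdFlag $bcd 'testsigning'
        CodeSigningPolicy = if ($null -eq $policy) { 'not configured' } else { $policy }
        DriverSigStatus   = if ($sig) { "$($sig.Status)" } else { 'file not checked' }
        DriverSigner      = $sig.SignerCertificate.Subject
    }
}

# Placeholder path; replace with the real driver file on the device.
Get-DriverSigningState -DriverPath 'C:\Path\To\vendor-driver.sys' | Format-List
```

Running this on a device where the installation works and on one where it fails, then comparing the two outputs field by field, shows whether the enforcement-related settings really are identical.
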
You need to get your software digitally signed because the rules changed with Version 1607 and Microsoft is enforcing digital signatures to make sure the software does not break Windows 10. This is new and nothing to do with Windows 8.
ASKER

btan:
You don't see a lot in the Surface UEFI menu.
You can either Enable or Disable Secure Boot -> It is enabled by default and no changes have ever been made here.

My question is, why does the installation work on some devices and on others it produces the warning and does not work.
So I was wondering if there is a way to check and compare the digital driver signature settings on the device where it works and where it doesn't.
The devices should be identical.

In group policy that setting is not configured.

John Hurst:
I am aware of that and that is not the point.
I am wondering why it works on one device and not on another running the exact same copy and Windows 10 version. Even the same model and same Firmware.

Btw... The software is, according to the publisher (Forcepoint), digitally signed.
-> It is their latest version available
"I am wondering why it works on one device and not on another running the exact same copy and Windows 10 version. Even the same model and same Firmware."

Make sure all Windows AND Driver updates are done and the same on both machines.
"I am wondering why it works on one device and not on another running the exact same copy and Windows 10 version. Even the same model and same Firmware." - double check if the windows version is 1607 for all of them because it sounds as if some are still on earlier versions.
I will check out SignTool...
The devices are preloaded with SCCM with the same OS image and same driver package.
I am pretty sure they are identical.
Check that. It could be that what you distributed was the version before 1607 and some (only some) have updated to 1607 already.
McKnife,
I manage SCCM and software deployment in our company. Trust me, it is build 1607 on all devices.
Not via an upgrade.
I have checked the driver with SignTool and the drivers are signed.
I've also logged a case with the vendor last week.
After investigating the issue and also after complaints from other customers as well, they have acknowledged that there is a problem and classified it as a bug.
They're working on a solution.
I hope the bug-fix release will be available soon.

Thanks for all your support.
It's not something we can solve.
The vendor has acknowledged that there is a bug in the current release.
They are working on a bug fix.