Windows 7 Silent Driver Install

  • Question

  • Dear all,

    Recently we switched to a new certificate for signing the cat-file of our MiniDriver implementation. However, ever since, silent installations will no longer work (tested on Windows 7, fully updated).

    During a silent install, the message "Would you like to install this device software?" pops up. It does display the publisher properly, and it does have an "Always trust" option. Now, in the past, we could simply add our certificate to the Trusted Publishers certificate store in order to prevent this message from showing. This no longer works (it has no apparent effect); I tested this both through MMC and through the command "certutil -addstore -f TrustedPublisher cert.cer".

    The situation is as follows: we have an EV code signing certificate, provided by Symantec. We have used this to sign the cat-file as follows (as per the instructions on the Symantec website: https://knowledge.symantec.com/support/code-signing-support/index?page=content&actp=CROSSLINK&id=SO20529):

    signtool.exe sign /v /ac "MSCV-VSClass3.cer" /s MY /n "Company name" /fd sha256 /tr http://sha256timestamp.ws.symantec.com/sha256/timestamp catfile

    Indeed, validation seems to work:

    signtool.exe verify /v /kp catfile
    signtool.exe verify /v /pa catfile

    both confirm the certificate as "verified".

    So far, so good. However, even during a silent install, the question ("Would you like to install this device software?") pops up. I added our certificate to both the user and computer wide trusted component store, but to no avail.

    I went to do a bit more research, and I found that the following command does *not* pass validation:

    signtool.exe verify /v catfile

    which seems odd to me. Investigating this, I ended up enabling the CAPI2 logs, and found that an error occurs. The error has the message "The certificate is not valid for the requested usage." (value 800B0110). Here, the "ExtendedKeyUsage" has an "orMatch" of the following values: Windows Hardware Driver Verification (1.3.6.1.4.1.311.10.3.5), Windows System Component Verification (1.3.6.1.4.1.311.10.3.6), or OEM Windows System Component Verification (1.3.6.1.4.1.311.10.3.7).

    Our certificate has none of these extended usages.

    The same error pops up when I attempt to do a silent install. There are a few more errors, regarding CRL servers not being available (which is weird; the links work fine when I try manually), but I don't think the others are relevant (I may very well be wrong, here).

    So, how can I allow my users to perform a silent install? Is the error regarding the ExtendedKeyUsage related; and if so, how do I fix it?

    Thanks in advance,

    Gerben

    Monday, November 27, 2017 2:52 PM

Answers

  • See this:

    http://www.osronline.com/ShowThread.cfm?link=286767#T2

    -- pa

  • Thanks for your reply! However, your answer (while very useful to me) was not the case here. The problem existed on Windows 7, which as far as I can find does not have the same restrictions (am I correct here?)

    The issue turned out to be that a specific hot-fix wasn't installed: https://support.microsoft.com/en-us/help/2921916/the-untrusted-publisher-dialog-box-appears-when-you-install-a-driver-i

    So that fixed it in my case. However, will this work on all Windows 7 machines, or can secure boot cause issues there as well?

    Thanks!

    • Marked as answer by GerbenL Wednesday, February 14, 2018 12:05 PM
    Tuesday, November 28, 2017 8:09 AM
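    As an added diagnostic (not code from the thread or from any of its participants), the following PowerShell gathers on one machine the facts the question and the accepted answer turn on: the catalog's signature status and signer, whether any certificate in the signer's chain carries one of the three EKU OIDs named in the CAPI2 log, whether the signer sits in the machine-wide TrustedPublisher store, and whether the hotfix from the accepted answer is installed. The catalog path is a placeholder; the hotfix ID is the one from the support link above.

```powershell
# Added diagnostic, not from the thread. Run in an elevated PowerShell on the
# machine where the silent install prompts. The catalog path is a placeholder.
param(
    [string]$CatalogPath = 'C:\Package\driver.cat',  # placeholder, adjust
    [string]$HotfixId    = 'KB2921916'               # from the accepted answer
)

# EKU OIDs the CAPI2 log lists under ExtendedKeyUsage/orMatch (from the question).
$driverEkus = @{
    '1.3.6.1.4.1.311.10.3.5' = 'Windows Hardware Driver Verification'
    '1.3.6.1.4.1.311.10.3.6' = 'Windows System Component Verification'
    '1.3.6.1.4.1.311.10.3.7' = 'OEM Windows System Component Verification'
}

# 1. Signature status and signer certificate of the catalog file.
$sig = Get-AuthenticodeSignature -FilePath $CatalogPath
"Catalog signature status : $($sig.Status)"
$signer = $sig.SignerCertificate
if (-not $signer) { throw "No signer certificate found in $CatalogPath" }
"Signer                   : $($signer.Subject)"
"Thumbprint               : $($signer.Thumbprint)"

# 2. Walk the signer's chain and report any driver-signing EKU on any element.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$null  = $chain.Build($signer)
$found = foreach ($el in $chain.ChainElements) {
    $ext = $el.Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    # $ext is $null when the certificate has no EKU extension; foreach over $null runs zero times.
    foreach ($oid in $ext.EnhancedKeyUsages) {
        if ($driverEkus.ContainsKey($oid.Value)) {
            "$($oid.Value) ($($driverEkus[$oid.Value])) on $($el.Certificate.Subject)"
        }
    }
}
if ($found) { "Driver EKU in chain      : $($found -join '; ')" }
else        { "Driver EKU in chain      : none (the case behind CAPI2 error 800B0110 in the question)" }

# 3. Is the signer in the machine-wide Trusted Publishers store?
$trusted = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
    Where-Object { $_.Thumbprint -eq $signer.Thumbprint }
"In TrustedPublisher      : $([bool]$trusted)"

# 4. Is the hotfix from the accepted answer installed?
$hotfix = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
"$HotfixId installed      : $([bool]$hotfix)"
```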

All replies

    • Marked as answer by Doron Holan [MSFT] Tuesday, November 28, 2017 3:22 AM
    • Unmarked as answer by GerbenL Tuesday, November 28, 2017 9:26 AM
    Tuesday, November 28, 2017 1:43 AM
  • Also, I just tested the same installer on a Windows 10 machine with secure boot enabled, and the silent installer works fine.

    Actually, this only confuses me more. Do you have any idea why this works? It concerns a MiniDriver implementation.

    Thanks in advance,

    Gerben

    Tuesday, November 28, 2017 9:26 AM
  • Hmm, a short answer is, because Win10 and Win7 have diverged. Having a single install package for both is now hard. So, make separate packages, signed per each OS requirement: Win7 with sha256 patch, Win7 without sha256 (if needed) and Win10 variants (self-signed or MS-signed).

    Regards,

    -- pa

    Tuesday, November 28, 2017 3:55 PM