fbwf causing "publisher could not be verified"

Question

hey people

After deploying my image with imagex on every boot I get some "The publisher could not be verified" messages for ie4uinit.exe, regsvr32.exe, winmail.exe, unregmp2.exe, rundll32.exe, sidebar.exe and mctadmin.exe

I have FBWF enabled for the system drive exluding one folder and one file. If I turn the FBWF off, these messages disappear. I thought "okay now this is verified" and turned it back on but that didnt help at all.

Also I have a little trouble with my windows wallpaper. If the FBWF is on, the wallpaper ist almost completly grey. If I move a program over the grey spot, the background image is coming to light. The background image is the file excluded from FBWF.

Any ideas?

Answer 1

The best way to deploy and image is to sysprep the image and create a master. FBWF will have to be disabled when you run sysprep, but a sync call in a sysprep unattended file can turn FBWF back on for each clone.

---

www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

Answer 2

This is the way I am using it.

Driver installation and stuff->sysprep->capture->on first boot a batch file with network settings, registry settings and FBWF.

Answer 3

So the issue comes up after FBWF is set from the batch file?

---

www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

Answer 4

Yes exactly

Answer 5

I've only got guesses at this point. If FBWF is not enabled with the batch file but manually enabled, does the issue appear?

---

www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

Answer 6

yes it appears even if I enable it manually

Answer 7

bump

Answer 8

I'm having this exact same issue, I'm actually building the system through a SCCM 2007 R2 task sequence and after all is complete, enable FBWF at the very end. Whether I do it manually or through a batch script, no difference. I am doing this on a Windows ThinPC. I turned off UAC in hopes that it needs elevation but no help. 

I had previously tried the same step with EWF and no issues with that, but with FBWF, no resolution. 

Answer 9

also noticed even after all "ok" clicks for the run during the logon, now try launching Windows Explorer and there's another prompt again, tried control panel\manage user accounts, same prompts again. Seems enabling fbwf disables something somewhere (these executables all of a sudden are reported as publisher not being verified). 

Answer 10

it's "nice" to know that I'm not the only one..FBWF would be such a great feature to use if it wouldnt be doing this. 

I had a running build but wasnt satisfied with the packages in my answer file..sadly I wasn't able to rebuild the working version.

I'll continue trying and will reply once I have any news.

Maybe someone else comes up with a little tip :)

Answer 11

I had fbwf working without any fuss in a simple test. (Normally I use EWF).

---

=^x^=

Answer 12

let me tell you a bit more about my environment, maybe it helps.

Shuttle slim pcs equiped with a small SSD and 2GB RAM.

Windows 7 Embedded with some features in it, if you want a list, here it is http://pastebin.com/5J1mcDrv.

Right now the shuttles are used to open a remote desktop session to a virtual computer but we want to bring some processes down from the datacenter to the local machine. To prevent the SSD from getting full we want to use the FBWF. Since FBWF is easier to handle with exceptions we've chosen it over EWF.

Answer 13

okay the post is now at least 4 month old, but:

when you got opening-"unsigned-Warnings"-warnings about Windows Files (rundll or regedit) then you must add both

C:\Windows\System32\catroots + catroot(2) Dirs to the exclusionlist :) it solves the problem :)

also you must add your profilepath to the list to the exclusions (without temp-Directorys) :)

Answer 14

okay the post is now at least 4 month old, but:

when you got opening-"unsigned-Warnings"-warnings about Windows Files (rundll or regedit) then you must add both

C:\Windows\System32\catroots + catroot(2) Dirs to the exclusionlist :) it solves the problem :)

also you must add your profilepath to the list to the exclusions (without temp-Directorys) :)

even if this thread is old, I'm still looking into it! Thank you very much for your reply, I will test it out as soon as I get back to the office. Is the profile path really necessary?

It would be nice of you if you check this thread from time to time, I think I'll be in the office next week.

And in case you wonder

I just created a new account because I didnt remember the mail adress linked to the other account ^^ this might be my third microsoft account

Answer 15

sorry the answer worse a mistake :( you need the line:

fbwfmgr /addexclusion %systemdrive% \Windows\System32

on x64-Clients you maybe must also add

fbwfmgr /addexclusion %systemdrive% \Windows\sysWoW64

now it works also on my WES7 Thinclient :)

i meaned with "also you must add your profilepath to the list to the exclusions", to see the Wallpaper :)

you should try add the absolute-path to the wallpaper instead!

Answer 16

By adding \windows\system32 to the exclusion list, you have opened up the registry, which is one area most people want to protect. Why use FBWF at all?

---

www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

Answer 17

I've excluded my wallpaper path allready :)

I want to use fbwf to better control exclusions..the ewf isn't as easy as fbwf with exclusions

Answer 18

Understood that FBWF allows exclusions, but opening \Windows\System32 is a not recommended. It would be better to have no filter at all.

Are you building the image? Or are you configuring something like a thin client?

---

www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

Answer 19

Understood that FBWF allows exclusions, but opening \Windows\System32 is a not recommended. It would be better to have no filter at all.

Are you building the image? Or are you configuring something like a thin client?

---

www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

I'm configuring a thinclient, then sysprep and take an image to easy roll out the os with imagex.

Since flash isn't working nice over remote desktop with a slow internet connection we would like to bring some load to the clients local graphics card and use f.ex. the internet explorer local. This would write stuff on the harddrive and that's what I don't want it to do.

Thanks again for coming back to my issue..much appreciated.

Answer 20

Sadly I don't have good news. Excluding system32 didnt work out the issue.

Answer 21

on my site it works, what do you have put in the exclusion-list?! after the reboot on My TC it stops showing warning-messages <.< ...

on a TC you should only start a the shell, thats needed at all, in our enterprise, we start Citrix instead of the local Shell (explorer) <.< ...

im using only the exclusion of system32 on my private TC there are also only the Desired apps preinstalled.

maybe in your cases you should use EWF ... :(

Answer 22

Excluded is the background file which we want to be able to switch now and then, one folder where we have a config file for our connection broker and as suggested system32.

Answer 23

So was this the final solution, exclude the entire system32 folder? I'm encountering the same error(s) on POSReady 7 builds - after enabling FBWF, every reboot results in "publisher not verified" errors for regsvr32.exe, rundll32.exe, fbwfmgmt.exe. Start file explorer, notepad - get the error.

Answer 24

Again, not recommended to open system32 folder. Only exclude what needs to be opened for full read-write access.

---

www.annabooks.com / www.seanliming.com / Book Author - Pro Guide to WE8S, Pro Guide to WES 7, Pro Guide to POS for .NET

Answer 25

No this did not help at all. :-) going to work on win8 embedded sooner or later

Answer 26

I built a clean image from the POSReady 7 DVD, pushed EWF & FBWF onto the image & installed the mbd LAN driver only, downloaded and installed MS updates along the way, testing FBWF as I went (command line program, not Windows pgm from FBWFMgmtToolInstall_x86.exe). FBWF OK until I upgraded to IE11 (required for our JavaPOS software). Then the "publisher not verified" errors reappeared. Uninstalled KB2670838, which came w/ the IE11 upgrade. This caused IE to go back to IE8, which is the default install from the PR7 DVD, "publisher not verified" errors gone. Re-update to IE11, errors come back. Many complaints exist for KB2670838, mostly for font rendering.

Paul

Answer 27

Install KB2645895 on the system, then the error is gone. You don't have to open the system32 folder, if you do that, then you don't need the fbwf anymore because the system isn't really protected anymore...

Answer 28

Even more than three years after, this seems to be THE answer...

Answer 29

Don't tell me you came around to testing that :)

It's nice that something good came out of this topic, even if it wasn't for me. We stopped our efforts with Embedded 7 a couple of months later

Edit: I can't mark it as answer since I opened the thread with my other account that is locked but it's great that Sean was able to do it.

Answer 30

I waited to see if there was any new answer. It seem the best so I marked it. If it is not, then unmark. I have never seen the original issue myself.

---

Sean Liming - Book Author: Starter Guide Windows 10 IoT Enterprise - www.annabooks.com / www.seanliming.com

Answer 31

After hitting this issue my only option seems installing the KB2645895 and see whether it solves the issue or not. Unfortunately, I'm not able to get that KB nor the Windows6.1-KB2645895-x64.msu file. Any ideas about where could I get it?

Thanks in advance,

Félix

Answer 32

Please reach out to your Microsoft distributor to get assistance with the udpate.

---

Sean Liming - Book Author: Starter Guide Windows 10 IoT Enterprise - www.annabooks.com / www.seanliming.com

Answer 33

Please reach out to your Microsoft distributor to get assistance with the udpate.

---

Sean Liming - Book Author: Starter Guide Windows 10 IoT Enterprise - www.annabooks.com / www.seanliming.com

OK, thanks for the answer