Digital Signature Warnings During Setup with Driver Installation Policy Enabled

While you are installing Internet Explorer 6, installation may stop, and you may receive a security dialog with the following message: If you then click More Information, you may receive the following error message:

This behavior occurs because the following security policy setting is set to either: Warn but allow installation or Do not allow installation:The default setting for the Devices: Unsigned driver installation behavior policy is Silently succeed.

To temporarily work around this behavior, you can set the Device: Unsigned driver installation behavior policy to Silently succeed. To do this, you must use the Group Policy Editor (Gpedit.msc) and follow these steps:

1. Click Start, and then click Run.
2. In the Open box, type:
   gpedit.msc
3. Expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options.
4. Right-click Devices: Unsigned driver installation behavior, and then click Properties.
5. Note the current policy setting.
6. Change the policy setting to Silently succeed.
7. Quit the Group Policy Editor.
8. Restart the Computer, and then install Internet Explorer 6.

To restore your original settings, repeat steps 1 to 4, set your policy back to what you noted in step 5, quit the Group Policy Editor, and then restart the computer.

By default, the driver installation in Windows 2000 is set to Silently succeed for setup programs that use the Setup API and digital signatures. For example, Microsoft hotfixes and service packs use Setup API and digital signatures to verify their authenticity because they are frequently downloaded from public Web sites. At this setting, the user who installs the program does not receive any error messages even if there are missing signatures or there are digital signatures that are not valid associated with the program the user installs. This setting, however, may permit users to install software from untrusted sources. Such software may introduce untrusted software onto the computer. This is also true for any other setup program that does not provide a way for the administrator to verify its authenticity (for example, any other setup program that does not use Setup API and digital signatures).

Unfortunately, most installation software does not provide a way for administrators to validate the authenticity of that software. Microsoft recommends that you set the unsigned driver installation behavior policy setting to Warn but allow installation. With this setting, the user receives an error message when there is a problem verifying the authenticity of a software installation package that uses Setup API and digital certificates. There is a drawback to this setting because some software installation packages may contain components that do not have digital signatures.

The unsigned driver installation behavior policy applies only to setup programs that use the Setup API and digital signatures. System administrators may incorrectly believe that this policy applies to all the software that users install to a particular computer. If a program that uses Setup API and digital signatures does not store the hashes for all the files that it installs in a setup manifest, or does not sign that manifest correctly, the user may be prompted one or more times that there is a problem with the digital signature for this program. This behavior occurs when the Setup API checks the file manifest and compares the checksums. This does not mean that the program is not signed. It means that one or more of the installer files are not signed or are not listed in the manifest. That is the reason for the warning.

Because you may receive a modal dialog box when you install programs that use Setup API and digital signatures that are not packaged correctly, during an unattended installation of programs from known sources, the recommendation is to temporarily set the driver installation policy to Silently succeed, and then reset to the policy after the installation completes. If the software installation can be performed by a push method when there are no users on the computer, then there is potentially very little additional risk introduced by temporarily changing this policy.