Microsoft KB Archive/822207

= Digital Signature Warnings During Setup with Driver Installation Policy Enabled =

Article ID: 822207

Article Last Modified on 12/3/2004

-

APPLIES TO


 * Microsoft Internet Explorer 6.0

-





SYMPTOMS
While you are installing Internet Explorer 6, installation may stop, and you may receive a security dialog with the following message:

Digital Signature Not Found
The Microsoft digital signature affirms that software has been tested with Windows and that the software has been tested with Windows and that the software has not been altered since it was tested.

The software you are about to install does not contain a Microsoft digital signature. Therefore, there is no guarantee that this software works correctly with Windows.

Unknown software package

If you want to search for Microsoft digitally signed software, visit the Windows Update Web site at http://windowsupdate.microsoft.com to see if one is available.

Do you want to continue the installation?

Yes No More Information

If you then click More Information, you may receive the following error message:

Microsoft Windows
Windows did not find a Microsoft signature associated with the software package you want to install.



CAUSE
This behavior occurs because the following security policy setting is set to either: Warn but allow installation or Do not allow installation:

Local Computer Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Devices: Unsigned driver installation behavior

The default setting for the Devices: Unsigned driver installation behavior policy is Silently succeed.



WORKAROUND
To temporarily work around this behavior, you can set the Device: Unsigned driver installation behavior policy to Silently succeed. To do this, you must use the Group Policy Editor (Gpedit.msc) and follow these steps:  Click Start, and then click Run. In the Open box, type:

gpedit.msc

 Expand Local Computer Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options. Right-click Devices: Unsigned driver installation behavior, and then click Properties. Note the current policy setting. Change the policy setting to Silently succeed.</li> Quit the Group Policy Editor.</li> Restart the Computer, and then install Internet Explorer 6.</li></ol>

To restore your original settings, repeat steps 1 to 4, set your policy back to what you noted in step 5, quit the Group Policy Editor, and then restart the computer.

<div class="moreinformation_section">

MORE INFORMATION
By default, the driver installation in Windows 2000 is set to Silently succeed for setup programs that use the Setup API and digital signatures. For example, Microsoft hotfixes and service packs use Setup API and digital signatures to verify their authenticity because they are frequently downloaded from public Web sites. At this setting, the user who installs the program does not receive any error messages even if there are missing signatures or there are digital signatures that are not valid associated with the program the user installs. This setting, however, may permit users to install software from untrusted sources. Such software may introduce untrusted software onto the computer. This is also true for any other setup program that does not provide a way for the administrator to verify its authenticity (for example, any other setup program that does not use Setup API and digital signatures).

Unfortunately, most installation software does not provide a way for administrators to validate the authenticity of that software. Microsoft recommends that you set the unsigned driver installation behavior policy setting to Warn but allow installation. With this setting, the user receives an error message when there is a problem verifying the authenticity of a software installation package that uses Setup API and digital certificates. There is a drawback to this setting because some software installation packages may contain components that do not have digital signatures.

The unsigned driver installation behavior policy applies only to setup programs that use the Setup API and digital signatures. System administrators may incorrectly believe that this policy applies to all the software that users install to a particular computer. If a program that uses Setup API and digital signatures does not store the hashes for all the files that it installs in a setup manifest, or does not sign that manifest correctly, the user may be prompted one or more times that there is a problem with the digital signature for this program. This behavior occurs when the Setup API checks the file manifest and compares the checksums. This does not mean that the program is not signed. It means that one or more of the installer files are not signed or are not listed in the manifest. That is the reason for the warning.

Because you may receive a modal dialog box when you install programs that use Setup API and digital signatures that are not packaged correctly, during an unattended installation of programs from known sources, the recommendation is to temporarily set the driver installation policy to Silently succeed, and then reset to the policy after the installation completes. If the software installation can be performed by a push method when there are no users on the computer, then there is potentially very little additional risk introduced by temporarily changing this policy.

Additional query words: Win2000 Win2k WinXP IE

Keywords: kbprb KB822207

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.