Novell recommends installing the Novell Client 4.83 SP1 for Windows NT/2000/XP (or later version of the client) if encountering the warnings described in this document. Compared to previous client releases, the 4.83 SP1 and later clients are designed to be more successful at asserting the customer's intent that printer driver installations should be completed in a transparent manner. Note the following additional points:
1. Some of the fixes included in 4.83 SP1 and later client releases only occur at the time a printer driver is uploaded to the NDPS Resource Management Service (RMS) broker. If a particular printer driver continues to invoke the driver signing policy warning even on workstations with the 4.83 SP1 client installed, re-upload the printer driver in question from a workstation that has the 4.83 SP1 client installed such that these additional fixes can be implemented.
2. If the local Windows workstation user accounts are not members of the Administrators group, an issue with the specifically the 4.83 SP1 client release may prevent the fixes for driver signing policy prompts from working as intended. For additional information on this issue see "NDPS RPM fails after applying 4.83 SP1 for users and power users".
Alternatively, or in addition, the driver signing policy of the Windows workstations can be set to "Ignore" such that prompts regarding unsigned drivers are simply not generated by Windows. This can be set manually in the System control panel, using a Microsoft group policy, or at Windows install time via the Windows installation UNATTEND.TXT file. See the Microsoft documentation references in the discussion portion of this document for additional information on changing the Windows driver signing policy.
Starting with Windows 2000 and Windows XP, Microsoft requires that driver software such as Windows printer drivers obtain the testing and digital signature applied by the Windows Hardware Quality Labs (WHQL).
Although it is still possible to install drivers that do have digital signatures, whether or not a Windows 2000 or Windows XP workstation will allow this action and what prompts the user might encounter are defined by the "driver signing policy" in force on that workstation.
By default, both Windows 2000 Professional and Windows XP Professional ship with the driver signing policy set to "warn". This means the interactive user will be advised when a driver being installed lacks a digital signature, and the user will be provided an opportunity to either continue anyway or abort the installation. The other settings the policy allows are "block" (which prevents any attempt to install an unsigned driver) and "ignore" (which does not alert nor prevent the installation of unsigned driver).
More information on the driver signing process and the ways in which Windows operating systems make use of the signature can be found in the document "Driver Signing / File Protection" (Windows Platform Development).
The first issue:
When iPrint or NDPS is installing a Windows printer driver, on Windows 2000 and Windows XP the driver signing policy could cause the installation process to be interrupted by Windows either denying installation of an unsigned driver, or asking the end-user for confirmation to install the unsigned driver.
On Windows 2000 Professional, it was possible by way of registry data to temporarily override the driver signing policy of the local workstation. Because one of the goals for pushing printers to a workstation using NDPS Remote Printer Management (RPM) is to make the process transparent to the end-user, NDPS would override the driver signing policy during installation of printer drivers and then restore the original policy setting when installation was complete.
With the release of Windows XP, the option to temporarily override the driver signing policy was eliminated. This prevents third-party software from simply disabling the driver signing policy from their setup application or .INF file, but it also prevents applications such as NDPS Remote Printer Management (RPM) from using this mechanism to implement an administrator's intent (which in the case of RPM is to provide transparent printer installation for the end-user).
Note that even with Windows 2000, there were occasions when the driver signing policy would revert to "warn" even when temporarily disabled by NDPS. If a driver were attempting to replace or update a file under Windows File Protection (WFP), a policy of "warn" would be enforced regardless of the driver signing policy being set to "ignore". For additional information see Microsoft Knowledgebase document Driver Signing Set to "Warn" During Windows 2000 Setup (Q216754).
Currently the only way to effectively prevent a user from being prompted if the administrator intends to provide transparent printer driver installation support is to set the default Windows driver signing policy to "ignore" prior to NDPS Remote Printer Management (RPM) delivering printers to the workstation. Information on how to change the default driver signing policy on a workstation can be found in the "Driver Signing" section in the Windows XP Professional Resource Kit.
The second issue:
The Windows Hardware Quality Labs (WHQL) creates a signature for a set of files submitted by a vendor once that specific set of files has passed a qualifying test process. This signature will validate that a particular set of files being installed at a Windows workstation is the same set of files that went through the WHQL test process, without any modifications or updates also being present that were not included in the testing process.
One of the files included in the signature generated for a Windows printer driver is the .INF file for installing that driver. When a Windows printer driver is uploaded to the NDPS Resource Management Service (RMS), part of that process entails re-writing the driver's .INF file to remove information not related to the specific printer driver being uploaded, and also to correct any issues such as where source files will be queried from during the automated installation of the driver later at the user workstation.
Because the .INF for the printer driver is being changed, the .INF no longer matches the signature generated for the .INF file that passed WHQL testing. As such, once the Windows printer driver is uploaded to the NDPS RMS, the digital signature as a whole is no longer valid even though the driver files themselves have not been changed or modified.
Under Windows 2000 this would not have been as noticeable because the driver signing policy was being successfully overridden in most cases. Both drivers that never had a signature, as well as signed drivers for which the .INF had been modified by NDPS, were being installed transparently for the end-user even though no signature or no valid signature was present. With Windows XP an administrator or user would have to set the default Windows driver signing policy on the workstation to ˇignoreˇ in order to achieve the same level of transparency.
The issues described here and their effect on an administrator being able to transpa.rently push NDPS printers to Windows 2000 and Windows XP desktops are under investigation by Novell. Additional information when available will be provided in this document.
How to Set the Driver Signing Policy for Windows 2000 Unattended Setup (Q236029)
Driver Signing Set to "Warn" During Windows 2000 Setup (Q216754)
Driver Signing for Windows (Windows Platform Development)
Driver Signing / File Protection (Windows Platform Development).