Force Windows to Rank All Valid Digital Signatures Equally

Applies To: Windows Server 2008

You can use this procedure to instruct Windows to not prefer a device driver package that is signed by a Microsoft Windows Publisher certificate over a package signed by another Authenticode certificate.

By default, Windows ranks a device driver package that is signed by a Microsoft Windows Publisher certificate better than one signed by some other valid Authenticode certificate. This ranking criterion takes precedence over other criteria, including version numbers. This means that, by default, Windows picks a driver package signed by a Microsoft Windows Publisher certificate over a newer version of the driver package that was signed by someone else. So, if you customize a device driver package for your environment and want to ensure that it is chosen instead of another driver, you must enable this policy, and then ensure that the other criteria result in a better rank for your driver.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure.

To force Windows to rank all valid digital signatures equally

  1. Open Group Policy Management Editor.

  2. In the navigation pane, open the following folders: Computer Configuration, Administrative Templates, System, and Device Installation.

  3. In the details pane, double-click Treat all digitally signed drivers equally in the driver ranking and selection process.

  4. Click Enabled to enforce the setting.

  5. Click OK to save your change.

Additional considerations

  • To open Group Policy Management Editor, click Start, then in the Start Search box, type mmc gpedit.msc, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.

  • If you edit policy settings locally on a computer, you will affect the settings on only that one computer. If you configure the settings in a Group Policy object (GPO) hosted in an Active Directory domain, then the settings apply to all computers that are subject to that GPO. For more information about Group Policy in an Active Directory domain, see Group Policy (https://go.microsoft.com/fwlink/?LinkId=55625).