Driver doesn't load, shows error code 52 in device manager on Windows 10 x64
If you're automating software and drivers, sometimes it happens that Windows 10 doesn't load a driver. Since MS raised the bar for driver signing and everything security in general to unbelievable heights, there are far less problems with rootkits, but way more with drivers.

Even hardware manufacturers as Nvidia and Intel can't keep up with the current update rate and hey who needs QA when you're at one of these firms anyway and thus, from time to time, un- or wrongly signed non-production beta drivers are being published for end consumers.

You're downloading driver packages, extract them, shove them upon your test share, import them into your endpoint management server system without a problem, automate them and deploy them. Dism grabs them and imports them into the local driver store. After OSD is done, system is being patched and software is being installed, all is good. Machine ships to the end customer, user logs in. OS activates each and every security subsystem that EFI, secureboot, Driverguard etc pp. provides and loads up the drivers in the store.

Inf is readable, cab file signature is A-OK, loading driver but oh my what's that, one of the 50 driver libraries or SYS files is not signed properly, a cert in the chain is too old or there is no CA certificate because someone at Intel signed the libraries with a cert published by 'Microsoft Media' certificate used in Windows Vista (an OS published in 2007 A.D.) to sign the driver libraries. In the year 2021. Congrats, you now have n machines out there in the home offices without WLAN & without a graphics driver. Best wishes from Intel (one more reason why I prefer AMD).

There are two solutions to avoid this: either you check each and every file of each and every driver you want to use before importing & deploying them. This means that you'll check millions of files. Or you just trust the manufacturer / distributor who provides the drivers, import them and fix if any errors occur. This is what 99% of the sysadmins do and what MS recommends.

If however you want to check the driver files before importing them, here is a powershell one-liner to recursively check all binaries in the current path for non-valid signatures. It outputs any binaries in the search path which are not signed properly.

Get-ChildItem -Recurse | where {$_.extension -in ".dll", ".exe", ".sys" } | Where { ! $_.PSIsContainer } | Get-AuthenticodeSignature | Where-Object {$_.status -ne "Valid"} | Select-Object status, path

Have fun, stay healthy.
Fritz

#windows #drivers #driver #admin #hardware #cert #signature

1

There are no comments yet.