unattended driver signing policy change

[Br4tt3]

Hi!

We are playing around with installing backup exec unattended which is a mess... anyway, one of things we got in front of us; installing drivers to the tape devies unattended. This is somewhat of a problem as, our setting of the Win2003 servers are set to "Warn" when it comes to driver signing options.... to tackle the issue we have done the following:

1. written a vbs file that executes secedit.exe

2. secedit the parses an .inf file which we produced with the "Security Templates" MMC... which looks as below!

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Registry Values]
MACHINE\Software\Microsoft\Driver Signing\Policy=3,0

And the secedit command looks as:

cmd /c echo y | secedit /configure /db "C:\Program Files\<company>\Logs\WARNBUTINSTALL.sdb" /cfg "C:\Program Files\<company>\Security\WARNBUTINSTALL.inf" /overwrite /log "C:\Program Files\<company>\Logs\WARNBUTINSTALL.log" /verbose

The script works the first around, but once u have "disabled" the check and then turned it on again, there is no way in h*** to set the config back to "SILENT SUCCEED"! So, if we wanna be able to do this multiple times, what wrong with it? Found some info on this scenario from guys that wanted to pack stuff with unsigned drivers but with no luck.....

I know that it is no a good idea to alter only the reg values, rather run the secedit command to have it switched, but then again, I wanna be able to turn on and off multiple times....

[Br4tt3]

For every time I reboot the server, I can change the driver signing configuration once via the script.... so it works, every time I boot the machine. Comparing that to the GUI, I can change the settings as many times I want to without a reboot...

Any ideas?