Signature checking of drivers in automation is not working correctly causing Deploy Anywhere (DA) to not use drivers that are a correct match. This matching
The Deploy Image task will fail to complete if the signature checking of driver doesn't complete successfully.
The DA logs will show the following with an affected NIC (Intel 82579 in the example below):
File:..\WinDeviceDriverRetargeterWin32.cpp Line:2743 Function:Ghost::WinDeviceDriverRetargeterWin32::MatchInfFileToDevices()
This driver can be considered for retargetting. Rank is 257. DB source is DA DriverDatabase. INF path is W:\Task Handler\DriversDB\Intel.netvwifibus.inf.220.127.116.11_1\Netwsw00.INF
File:..\InfFile\InfFile.cpp Line:2768 Function:Ghost::InfFile::IsDriverValid()
W:\Task Handler\DriversDB\Intel.netvwifibus.inf.18.104.22.168_1\Netwsw00.INF is not signed.
File:..\WinDeviceDriverRetargeterWin32.cpp Line:2792 Function:Ghost::WinDeviceDriverRetargeterWin32::MatchInfFileToDevices()
W:\Task Handler\DriversDB\Intel.netvwifibus.inf.22.214.171.124_1\Netwsw00.INF is invalid. Not including in device INF matching."
Though the driver matches, (Rank is 257), because the MS Win32 API (SetupVerifyInfFile) function doesn't properly detect that the driver is signed, (Netwsw00.INF is not signed), DA does not use the driver. (Not including in device INF matching.)
Note: The MS Win32 API that is in WinPE works correctly for older drivers but fails for newer drivers. If the system is booted into production both the old and new driver pass the driver signature check.
Symantec has issued a point fix that resolves this issue. The point fix code will be included in 'Pointfix_v4'.
To apply the fix now, follow the steps below on the Notification Server system:
Note: UAC may completely block this process. You should disable this prior to beginning and re-enable later if need be.
- Download and install the latest version of DeployAnywhere from KB Tech186664.
- Download the zip file attached to this KB to the Notification Server. Extract all the files somewhere. The desktop is fine as it includes a self-contained installer.
- Run "install.cmd" with administrative rights from the TECH200444 folder. You will be prompted to press a key at the end of the install, but it should indicate the installation was successful.
Note: It will cycle all the services and IIS, most likely requiring a re-login to the console.
- Verify the file was installed correctly by browsing C:\windows\assembly for the DLL. It should exist again with the proper date and version. It will be displayed as 'Altiris.Deployment' '7.1.7858' dated today. The version was not updated from MP1.1.
Note: The issue was resolved by making the DS task handler supply the '/bypassdrvvali=all' by default to the DeployAnywhere command line.
DS 7.1 up to and including MP1
Imported Document Id
updated Altiris.Deployment.dll that adds the /bypassdrvvali=all to the DeployAnywhere command line
TECH200444.zip (304.3 KB)