Installing Test Builds of Inbox
Drivers on Windows Vista
July 18, 2006
Abstract
Microsoft® Windows Vista™ provides a mechanism to rank Microsoft-signed and
third party–signed drivers equally, so driver developers can install private builds of
inbox drivers for testing purposes. This paper describes how driver developers can
configure driver signature ranking in Windows Vista so they can install and test their
drivers.
This information applies for the Windows Vista operating system.
The current version of this paper is maintained on the Web at:
http://www.microsoft.com/whdc/driver/install/pnp_inbox.mspx
References and resources discussed here are listed at the end of this paper.
Contents
Introduction ............................................................................................................................. 3
How Setup Ranks Driver Signatures on Windows Vista ......................................................... 3
Creating a Private Build that Outranks an Inbox Driver ........................................................... 4
Configuring Windows Vista to Rank Driver Signatures Equally .............................................. 5
Installing the Updated Version of the Driver Package ............................................................. 5
Resources ............................................................................................................................... 5
Installing Test Builds of Inbox Drivers on Windows Vista - 2
Disclaimer
This is a preliminary document and may be changed substantially prior to final commercial release of the
software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the
issues discussed as of the date of publication. Because Microsoft must respond to changing market
conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot
guarantee the accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights
under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval
system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or
otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property
rights covering subject matter in this document. Except as expressly provided in any written license
agreement from Microsoft, the furnishing of this document does not give you any license to these
patents, trademarks, copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association with any
real company, organization, product, domain name, email address, logo, person, place or event is
intended or should be inferred.
© 2006 Microsoft Corporation. All rights reserved.
Microsoft, Windows, Windows Server, and Windows Vista are either registered trademarks or
trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners.
July 18, 2006
© 2006 Microsoft Corporation. All rights reserved.
Installing Test Builds of Inbox Drivers on Windows Vista - 3
Introduction
Microsoft® Windows Vista™ provides a mechanism that can be used to install
updated versions of Microsoft-signed drivers. Ordinarily, a Microsoft-signed driver
outranks a driver that is signed by a third party, which makes it difficult for driver
developers to install private builds of an inbox driver.
This paper describes how driver developers can configure Windows Vista to install
updated versions of Microsoft-signed drivers by configuring group policy to treat
drivers that are signed by Microsoft the same as those that are signed by third
parties. The information in this paper applies only to driver installation packages
that contain an INF file and a CAT file.
Important: Windows Update depends on Microsoft Windows®-signed drivers
having priority over drivers that have third-party signatures. Configuring a system to
treat Microsoft-signed drivers the same as drivers that are signed by third parties
can interfere with the ability of Windows Update to provide the correct drivers to
consumers. Any combination of drivers that are signed by a third party and a valid
Microsoft Windows publisher on a consumer system that is running Windows Vista
can result in an installation failure for drivers that are delivered by Windows Update.
The group policy setting that is described in this paper should be used only by
driver developers who are testing private builds of inbox drivers or by enterprise
network administrators who sign driver packages internally for installation within the
enterprise. It should not be used in set up applications in production environments
for drivers to be delivered by Windows Update. Vendors who must distribute an
updated version of a Microsoft-signed driver to customers should obtain a Microsoft
signature for the driver package in the usual way, such as submitting the driver
installation package to Windows Hardware Quality Labs (WHQL).
How Setup Ranks Driver Signatures on Windows Vista
When a Plug and Play device is installed on a system that is running
Windows Vista, Setup selects a driver on the basis of a number of factors such as
the hardware ID or compatible ID, date, and version. Setup analyzes these factors
to assign a rank that indicates how well the driver matches the device. The lower
the rank, the better a match the driver is for the device.
By default, Windows Vista ranks drivers that have a Microsoft signature for
Windows Vista better than drivers that have a third-party signature or drivers that
have a Microsoft signature for a Windows version earlier than the version that is
specified by the LowerLogoVersion value that is set for the device setup class of
the driver. The Microsoft signature types include the following:

Premium WHQL signatures and standard WHQL signatures

Signatures for inbox drivers

Driver Reliability Signature (DRS) signatures

Windows Sustained Engineering (Windows SE) signatures

A WHQL signature for a Windows version that is the same or later than the
Windows version that is specified by the LowerLogoVersion value that is set
for the device setup class of a driver
July 18, 2006
© 2006 Microsoft Corporation. All rights reserved.
Installing Test Builds of Inbox Drivers on Windows Vista - 4
Even when a driver with a third-party signature is in all other respects a better
match for the device, Setup selects the driver that has a Microsoft signature for
Windows Vista. (The use of a publisher identity certificate [PIC] for the third-party
signature does not change this behavior.)
For complete details about driver ranking, see "How Setup Selects a Driver" in the
Windows Driver Kit (WDK).
Creating a Private Build that Outranks an Inbox Driver
The AllSignersEqual group policy controls how Setup ranks Microsoft-signed
drivers and third party–signed drivers. When AllSignersEqual is TRUE, Setup
treats all Microsoft signature types and third-party signatures as equal with respect
to rank when selecting the driver that is the best match for a device.
Therefore, to install a private build of an inbox driver, ensure that the private build
outranks the Microsoft-signed version when signatures are treated equally. The
private build must also be digitally signed by using tools provided with the WDK.
The simplest way to ensure that the updated driver installation package outranks
the Microsoft-signed version when signatures are treated equally is to increment the
Date and Version fields in the INF file for the driver package. To do this, make the
following changes to the makefile that builds the INF file:
1. Modify the makefile to generate a new INF file for the driver package. For
example, add the following line to the makefile:
$(O)\sample.inf
2. Add a new section in the makefile to generate the new INF and modify the
reference to STAMPINF to add the new options. For example:
$(O)\ sample.inf: $(_INX)\ sample.inx $(_LNG)\ sample.txt
$(C_PREPROCESSOR_NAME) $(PREFLAGS) $(_LNG)\$(@B).txt >
$(O)\$(@B).txt1
copy /b $(_INX)\$(@B).inx+$(O)\$(@B).txt1 $@
@del $(O)\$(@B).txt1
stampinf -f sample.inf -d * -v * -c MyCatalogName.CAT
$(TSBINPLACE_CMD)
In the STAMPINF command line:

The -d * switch uses the current date as part of the DriverVer directive in
the INF file.

The -v * switch uses the current time for the version number (the same as
the PRIVATE_DRIVER_PACKAGE environment variable).

MyCatalogName.CAT is the produced catalog file name.
3. Sign the driver package with the same catalog name as in the stampinf
statement in the makefile, by using tools provided in the WDK.
For information about signing a driver package, see "Resources" at the end of
this paper.
July 18, 2006
© 2006 Microsoft Corporation. All rights reserved.
Installing Test Builds of Inbox Drivers on Windows Vista - 5
Configuring Windows Vista to Rank Driver Signatures
Equally
To configure the AllSignersEqual group policy on Windows Vista to rank driver
signatures equally:
1. Run the Group Policy editor, GPEdit.MSC.
2. Open Computer Configuration > Administrative Templates > System >
Device Installation.
3. Select Treat Drivers Signed by Microsoft the Same as Those Signed by
Others and click Properties.
4. On the Settings tab, select Enabled.
5. Open a command window, select Run As Administrator, and run the Group
Policy update utility, GPUpdate.exe, to ensure that the settings are updated on
the target system.
This configuration change is made once and applies to all subsequent driver
installations until AllSignersEqual is configured so that Microsoft signature types
outrank third-party signature types.
Installing the Updated Version of the Driver Package
After Windows Vista is configured to rank driver signatures equally, the private build
of the driver can be installed on the system:
1. Add the driver installation package to the driver store by using the pnputil.exe
utility that is provided with Windows Vista. For example:
pnputil.exe –a <package INF file>
2. Use the DevCon Remove command to remove the device or device class that
is served by the updated driver package and restart the target system. For
example:
devcon /r remove "PCI\VEN_8086&DEV_7110"
The DevCon tool is provided in the WDK. The new driver is loaded when the
device is reinstalled after the system is restarted.
To install the updated driver installation package interactively on the local system,
use Device Manager or the DevCon Update command.
Resources
Windows Driver Kit (WDK)
http://www.microsoft.com/whdc/driver/WDK/aboutWDK.mspx
See the Beta version of the WDK for updated information about the following topics:
How Setup Selects Drivers
http://msdn.microsoft.com/library/default.asp?url=/library/enus/DevInst_d/hh/DevInst_d/install-over_5f5ab2fb-a9a8-403f-a03b372a16bb2223.xml.asp
Kernel-Mode Code Signing Walkthrough
http://www.microsoft.com/whdc/winlogo/drvsign/kmcs_walkthrough.mspx
DevCon
http://msdn.microsoft.com/library/default.asp?url=/library/enJuly 18, 2006
© 2006 Microsoft Corporation. All rights reserved.
Installing Test Builds of Inbox Drivers on Windows Vista - 6
us/DevTest_g/hh/DevTest_g/DevCon_744d640a-c44e-4cb9-a68f60ce341d1c74.xml.asp
July 18, 2006
© 2006 Microsoft Corporation. All rights reserved.