Hi,
The release notes of haspdinst.exe RTE 7.52 contains three workarounds for handling unsigned vendor libraries in DeviceGuard on Windows 10 Enterprise systems. The first two workarounds involve the end user performing specific tasks to get vlib working. The third workaround is for the software vendor to provide the end user with an out-of-the-box experience. Therefore my focus is on this third workaround because it makes life easy for the end user, we all want that.
I contacted Gemalto support and they provided me with instructions on how to do this. We need to sign the vlib and then manually package the vlib in haspdinst.exe. What I would like to discuss is the following:
I did not create this Vendor Library (VLIB). Gemalto created the vendor library. If I would receive a file from company A that is signed by Company B I would not trust the file. A clear indication that something is not right. So in my opinion Gemalto should sign the vlib before they distribute them. If they would have signed the file then it would automatically end up in the custom haspdinst.exe generated by EMS and the end user would have the out-of-the-box experience that I think we all want. Am I missing something here? Why do we have to sign a file we did not create?
Regards,
Arno