Fix SPAPI_E_ONLY_VALIDATE_VIA_AUTHENTICODE (0x800F0245)

When this error shows up

You're installing a driver for some older hardware — maybe a printer, a network adapter, or a USB device that's been sitting in a drawer. The hardware is detected, Windows starts the driver install, then bam: error 0x800F0245. The device goes to 'Unknown Device' in Device Manager, or the install just rolls back.

I've seen this most often with drivers that were written for Windows 7 or 8.1 but are being installed on Windows 10 (20H2 or later) or Windows 11. The driver's INF file references a catalog (.cat) file that's signed with an older Authenticode certificate, but the catalog file itself was never cross-signed or contains no valid signature chain that Windows trusts anymore.

Root cause in plain English

Windows has two ways to verify a driver's signature. The first is through an embedded signature — the driver file itself contains a digital stamp. The second is through a catalog file, which is a separate .cat file that lists all the driver files and their hashes, and that catalog file is signed.

This error specifically means: 'I can only trust this driver if the catalog file is signed via Authenticode, and it either isn't, or the signature chain can't be verified.' There's no fallback to a different validation method. The driver's INF file explicitly says 'CatalogFile=something.cat' and that catalog file's signature doesn't meet Windows' current standards.

Microsoft tightened the rules around this starting with Windows 10 version 1607. Catalog files need to be signed with a certificate that chains to a trusted root, and the certificate must have been issued after July 29, 2015. Many older driver catalogs fail that check.

The fix: three ways to handle it

Option 1: Re-enable test signing mode (quickest, but leaves a warning watermark)

1. Open Command Prompt as Administrator. Click Start, type cmd, right-click 'Command Prompt', choose 'Run as administrator'.
2. Type this and press Enter:

   bcdedit /set testsigning on

3. After the command runs, you should see 'The operation completed successfully'.
4. Restart your PC. When it boots, you'll see 'Test Mode' in the bottom-right corner of the desktop. That's normal.
5. Try installing the driver again. The driver's catalog should now be accepted even if its Authenticode signature isn't fully trusted.
6. After the driver is installed and working, you can turn test signing off with:

   bcdedit /set testsigning off

   and reboot again.

Why this works: Test signing mode tells Windows to relax its signature validation. It's the nuclear option, but it's also the simplest. The watermark is annoying, so turn it off after the driver's installed.

Option 2: Remove the catalog reference from the INF file (no watermark, but requires editing)

1. Find the driver folder. It'll have files like something.inf, something.cat, and maybe some .sys or .dll files.
2. Right-click the .inf file, choose 'Open with', then pick Notepad.
3. Look for a line that starts with CatalogFile=. It might look like CatalogFile=driver.cat or similar.
4. Delete that entire line. Or put a semicolon at the start of the line to comment it out: ;CatalogFile=driver.cat
5. Save the file. You'll need admin rights to save it back — if Notepad complains, save it to your Desktop first, then copy it back to the driver folder.
6. Now right-click the .inf file and choose 'Install'. Windows will install the driver without checking the catalog file.

Why this works: The INF tells Windows which catalog to check. Remove that reference, and Windows doesn't look for a catalog at all. It'll still do basic signature checks on the driver files themselves (if they have embedded signatures), but it won't fail because of the catalog.

Option 3: Disable driver signature enforcement at boot (temporary, for testing)

1. Open Settings > Update & Security > Recovery.
2. Under 'Advanced startup', click 'Restart now'.
3. After your PC restarts, click Troubleshoot > Advanced options > Startup Settings > Restart.
4. After another restart, you'll see a list of options. Press 7 on your keyboard to select 'Disable driver signature enforcement'.
5. Windows will boot with signature checks turned off. Install your driver.
6. Next time you reboot normally, signature enforcement is back on.

Why this works: This temporarily tells Windows to skip catalog validation entirely. It's fine for testing, but you'll lose the driver if the PC restarts. It's not a permanent fix — use Option 1 or 2 instead.

What to check if it still fails

If none of the above work, you're dealing with a different problem. Check these:

• Is the driver 64-bit or 32-bit? You can't install a 32-bit driver on a 64-bit version of Windows. Check the driver folder — if the .sys files are in a 'x86' folder, you've got the wrong bits.
• Is the driver signed at all? Right-click any .cat file, choose Properties, Digital Signatures tab. If the list is empty, the catalog isn't signed at all. You'll need to either sign it yourself (advanced) or switch to Option 2.
• Check the INF's architecture reference. In the INF file, look for a line like CatalogFile.NTAMD64 or CatalogFile.NT. If it's missing, Windows might not find the catalog at all.
• Look at the Event Viewer logs. Open Event Viewer, go to Windows Logs > System, filter by 'DriverFaults' or just look for errors around the time of the failed install. The details might give you a more specific reason than 0x800F0245.

I've fixed this error dozens of times. Option 2 is my go-to — no watermark, no permanent security reduction, just a clean install. Option 1 is faster if you're in a pinch. Skip the driver entirely if the manufacturer offers a newer version that's properly signed for your OS.