@kettch: I was thinking about the implementation for a business who is installing software from a 3rd party. The 3rd party may be distributing runtimes or other dependencies that are from another 3rd party who hadn't signed those. So the sysadmin doing the install could be faced with several levels of unsigned executable binaries (additionally the installation and its related binaries).
While the installation may be uneventful, the execution of part(s) of the system that were installed may exhibit errors or odd behavior when unsigned dlls are attempting to load. (not sure how Windows surfaces or would surface feedback on this type of condition)
Seems like we will initially be seeing sysadmins turn off signature checking during the installation phase then turn it back on when turning the system over to the user. Which I'm guessing (would like more info on this) would lead to sysadmins scratching their heads and having to "revisit" the installation and ultimately have to either turn off signature checking or ferret out the binaries that need to be signed and sign them with a local cert.
I don't know. Haven't been faced with customers in a configuration like this yet. But its coming.
Seems like if we want to encourage machine configurations which require all binaries to be signed, then we need to visit signing binaries that were compiled in the last X years and sign those to reduce the friction.