Windows XP SetupAPI refuses to install non-WHQL-signed .INFs from a service

1

My service is invoking SetupCopyOEMInf to install an Authenticode-signed, but not WHQL-signed, INF file. SetupCopyOEMInf is returning CERT_E_WRONG_USAGE (0x800B0110) and the INF file is not being installed.

windows
windows-xp
authenticode
setupapi
asked on Stack Overflow Apr 30, 2014 by Ilya • edited May 1, 2014 by Ilya

1 Answer

1

The major hint is provided by this line:

#E359 An unsigned or incorrectly signed file "foobar.cat" blocked (server install). Error 0x800b0110: The certificate is not valid for the requested usage.

Note the "server install" -- this is SetupAPI-speak for "unattended installation". Mostly, this is what happens when you insert a device for which you have a signed device driver (in Windows XP, only WHQL-signed) and it's installed automatically (with a passive info balloon to let you know).

During the Windows XP era, Microsoft was encouraging developers to WHQL-certify their drivers by excluding non-WHQL drivers from automatic installation; that is, when the user would plug in your device, he'd get the "Add New Hardware" wizard, even if the driver was ready (e.g. in the Driver Store). This has everything to do with the so-called signature scores.

While the user can apply a policy to ignore signature failures, it only applies to "client installs" (i.e. interactive). As if out of spite, "server installs" on Windows XP are hopelessly WHQL-demanding. (*)

The workaround, in my case, was to invoke SetupCopyOEMInf from a regular process, which resulted in the following (success) message:

#E361 An unsigned or incorrectly signed file "foobar.cat" will be installed (Policy=Ignore). Error 0x800b0110: The certificate is not valid for the requested usage.

(*) Actually, not just WHQL -- any certificate featuring the "Windows System Component Verification" (1.3.6.1.4.1.311.10.3.6) purpose will do. An Authenticode certificate isn't one.

answered on Stack Overflow Apr 30, 2014 by Ilya
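
For triaging a SetupAPI log for the two outcomes quoted in the answer above, here is an added example (not part of the original post). It assumes the log lines have exactly the shape of the #E359 and #E361 messages shown; the function names and the filler line in the sample are constructed for illustration.

```python
import re

# Pattern built only from the two message shapes quoted in the answer.
LINE_RE = re.compile(
    r'^#(?P<id>E359|E361) An unsigned or incorrectly signed file '
    r'"(?P<file>[^"]+)" (?P<action>blocked|will be installed) '
    r'\((?P<context>[^)]+)\)\. Error (?P<hresult>0x[0-9a-fA-F]{8}):'
)
CERT_E_WRONG_USAGE = 0x800B0110  # value given in the question

# Sample input: lines 1 and 3 are the messages from the page,
# line 2 is a constructed filler line the parser must skip.
SAMPLE = [
    '#E359 An unsigned or incorrectly signed file "foobar.cat" blocked '
    '(server install). Error 0x800b0110: The certificate is not valid '
    'for the requested usage.',
    '#I000 constructed filler line',
    '#E361 An unsigned or incorrectly signed file "foobar.cat" will be '
    'installed (Policy=Ignore). Error 0x800b0110: The certificate is not '
    'valid for the requested usage.',
]

def triage(lines):
    """Return one record per signature-failure line, keyed by outcome."""
    findings = []
    for number, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        context = m.group("context")
        policy = context.split("=", 1)[1] if context.startswith("Policy=") else None
        findings.append({
            "line": number,
            "file": m.group("file"),
            "blocked": m.group("action") == "blocked",
            "server_install": context == "server install",
            "policy": policy,
            "wrong_usage": int(m.group("hresult"), 16) == CERT_E_WRONG_USAGE,
        })
    return findings

def blocked_server_installs(findings):
    """Files refused in a non-interactive install for a wrong-usage certificate."""
    return sorted({f["file"] for f in findings
                   if f["blocked"] and f["server_install"] and f["wrong_usage"]})

def installed_under_policy(findings):
    """Files installed despite a signature failure, with the policy that allowed it."""
    return sorted({(f["file"], f["policy"]) for f in findings
                   if not f["blocked"] and f["policy"] is not None})
```

The second list is the one worth reviewing on a fleet: it names catalogs that were installed even though signature verification failed.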

User contributions licensed under CC BY-SA 3.0