Correct. To use the non-MSFT signed approach, the driver has to add the cert to the registry beforehand somehow (eg. using certutil -addstore -f TrustedPublisher), which obviously rules out a straight install using Windows Update.