none
Permanently disable driver signature enforcement on Win 7 x64

    Question

  • Hello!
    I would like to install latest Catalyst drivers for Win7 but the problem is that I would have to disable driver signature enforcement on every reboot in order for the driver to work..
    Is there a way to permanently disable driver signature enforcement ?
    • Moved by OthorvathMVP, Moderator Saturday, February 07, 2009 2:48 PM (Moved from Windows 7 Installation, Setup, and Deployment to Windows 7 Hardware Compatibility)
    Friday, February 06, 2009 9:42 PM

Answers

All replies

  • Hi

    Try disabling signature check using easybcd free tool, that you can get from http://neosmart.net/dl.php?id=1

    Run easybcd, click advanced options button.

    Enabling loading of unsigned drivers is security risk!
    Saturday, February 07, 2009 1:16 AM
  • doesn't work.

    I installed AtiTrayTools and it didn't want to load the driver for it because it is not signed.
    What else?
    Saturday, February 07, 2009 11:02 AM
  •  Turning off the digital certificate signed driver mandatory requirement in Windows 7 64-bit is not supported.
    Carey Frisch
    Saturday, February 07, 2009 1:34 PM
  • ok install signed driver then.

    Why you install unsigned driver if there is signed drivers.

    If there is not driver designed for w7 install driver for vista using compatibility mode to run driver setup
    Saturday, February 07, 2009 4:47 PM
  • Ati Tray Tools doesn't have a signed driver since its a community application with no $$$ to spare for certification program
    Tuesday, February 10, 2009 12:43 PM
  • Open a command prompt as an admin and type

    bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS

    bcdedit -set TESTSIGNING ON

    See security risk warning above.

    If it doesn't work for whatever reason you can just remove loadoptions with bcedit and switch testsigning off.

    bcdedit /deletevalue loadoptions

    bcdedit -set TESTSIGNING OFF

    if this breaks something for whatever reason sorry, goodluck.
    • Proposed as answer by daat99 Thursday, February 03, 2011 2:44 PM
    Tuesday, February 10, 2009 3:23 PM
  •  Turning off the digital certificate signed driver mandatory requirement in Windows 7 64-bit is not supported.
    Carey Frisch

    Well thanks for that, this pretty much completely blocks several free programs like PeerGuardian that don't have money to pay for the signing. Please tell me there is a chance there will be an option for this in final release, at least some registry hack if not something more user-friendly. There is no reason to force a security option on users. If you wish, you can hide it deep inside some settings that only expert users will know how to get to anyway.
    Saturday, June 27, 2009 2:40 PM
  • In Vista, the solution was to sign the driver yourself.  You can see how to do it here

    http://samsclass.info/335/335_S09.shtml#projects

    Look at "Proj X11: Digitally Signing an Application".  I know that works for applications, and I think it works for drivers too, but I haven't tested it.
    • Proposed as answer by payrok Thursday, August 28, 2014 7:30 PM
    Saturday, August 29, 2009 6:41 AM
  • Here's a link with instructions on how to do it legit from within Windows using the Group Policy Editor.

    http://bit.ly/19wYgB
    Wednesday, December 16, 2009 4:21 PM
  • also doesnt support the new cards.... 
    Sunday, December 27, 2009 7:44 PM
  • Here's a link with instructions on how to do it legit from within Windows using the Group Policy Editor.

    http://bit.ly/19wYgB

    This does not work as I have just tried it. And all i'm trying to do is install official updated sound drivers.

    This has to be one of the biggest pains in the ____ ever.
    Tuesday, January 05, 2010 7:05 AM
  • You can install unsigned drivers using DSEO and testmode. It is a permanent solution, but you have to sign drivers individually.

    Follow the steps of this somewhat related guide , omitting the part about old driver version, and this is how to get Ati Tray Tools to work.

    Regards.
    • Proposed as answer by BATP Saturday, March 06, 2010 6:48 PM
    Saturday, March 06, 2010 6:48 PM
  • These two commands alone worked great for me on Win7-64:

    bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
    bcdedit -set TESTSIGNING ON

    • Proposed as answer by Brian Borg Wednesday, December 19, 2012 2:21 AM
    Friday, March 26, 2010 10:28 PM
  • Reboot using advanced start up options and there is an option to turn off signature enoforcement.


    Reboot as normal and press F8. Then select " Disable Driver Signature Enforcement". Then install the unsigned driver. I had to do this for development using libusb.

    • Proposed as answer by Charles1979 Saturday, January 29, 2011 3:18 PM
    Saturday, January 29, 2011 3:18 PM
  • well why does windows give you chance to turn it off by pressing f8 then selecting disable driver signature enforcement??

     

    Sunday, April 24, 2011 9:10 PM
  • i know this Doth Be Old, But Have you gotten a Chance to Check out <a href="http://www.citadelindustries.net/rdp.php">ReadyDriver Plus</a>? I've found it to Be Most Helpful! Thanks Again!

    ~Classic JAM

    Wednesday, August 10, 2011 1:42 AM
  • BATP,

    DSEO worked for me. (Win 7 x64). Thanks for your suggestion.

    Windows crashed for first reboot, but after second reboot, "Technisat Virtual Network Adapter" is working now

    Regards,

    Tuesday, October 15, 2013 11:01 PM
  • Tried this, it doesn't work.

    Simon

    Saturday, January 04, 2014 1:28 PM
  •  This option works fine for me... "Open a command prompt as an admin and type

    bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS

    bcdedit -set TESTSIGNING ON  "

    See security risk warning above.
    Friday, January 17, 2014 8:46 PM
  • Doing it the first time failed for my problem but here is what i did

    go to start button and type in cmd highlight over it and right click

    select run as admin

    typed this (for whatever reason i thought it was odd to have a random directory):

    "cd\" and then i hit the enter button

    then the command prompt did the thing it was supposed to and said:

    "C:\"

    THEN... and only then did following your instructions worked when using:

    bcdedit -set loadoptions DISABLE_INTEGRITY_CHECKS
    bcdedit -set TESTSIGNING ON

    i seriously do not know how and what it had to do with it but i don't care as it worked.

    thank you


    • Edited by Endorakai Saturday, February 15, 2014 5:19 AM
    Saturday, February 15, 2014 5:18 AM
  • for those of you who want to bypass the security dialog which occurs when installing non-MS-WHQL-signed drivers on Windows 7 64Bit (and Windows 8, 8.1) there was only a single solution for me that worked for scripted, automated, unattended or silent installations: import the certificates prior to install

    Follow these steps:

    1. install the software once manually by confirming that the unsigned drivers shall be used

    2. go to %windir%\inf and search for the latest OEM??.INF file; open it (notepad) and verify by its contents that this is the driver you wish to install automatically next time

    3. go to %windir%\system32\catroot\{any ID}\OEM??.CAT (<- same number as in step 2); right click on this file, select properties, go to "Digital Signatures" tab, mark the certificate, click on details

    4. on the next window click "Show Certificate"

    5. on the next window open the "Details" tab and click "Save to File..."

    6. collect this/all certificates

    7. deploy these certificates

    7.1 either in a batch /cmd script using "certutil.exe -f -addstore "TrustedPublisher" "MYFILE.cer" prior to setup

    7.2 or by Group Policies (computer \ Policies \ Windows \ Security \ Public Key Policies \ add your files here )

    8. run your setup just the way you wanted :D

    Note:

    I was not able to bypass windows driver signature checks on Windows 7 SP1 Enterprise x64 using
    - Bcdedit.exe /set nointegritychecks ON
    - Bcdedit.exe /set testsigning ON
    - Bcdedit.exe /set loadoptions DDISABLE_INTEGRITY_CHECKS
    - Group Policy / Users / Settings / Administrative Templates / System / Drivers / Signature = ignore
    - Application Compatibility (ApplicationCompatibilityToolkitSetup.exe http://www.microsoft.com/download/en/details.aspx?id=7352 ) set NoSignatureCheck, Export DB, sdbinst -q \\path\dbfile.sdb)

    • Proposed as answer by Goot1981 Wednesday, April 23, 2014 8:53 PM
    Wednesday, March 12, 2014 9:17 AM
  • I was so excited after seeing this, then I started to try it and ...  :/  I got to step 3...  In step 2 my file is called "oem4.inf", but on step 3 there is no file called "oem4.CAT".  There are a few others but not "4".

    Also, is there a way to tell what drivers are currently NOT signed on my server 2008 r2 box?

    Thanks for the attempt.  :/


    Arvo Bowen III

    Saturday, March 15, 2014 7:08 AM
  • It totally worked for me, thanks Gizmo0001 i've been banging my head against the wall on an automated install all day.

    I too did not have a matching .cat file, but the oem*.inf file had a "[Version]" section. In there it has a "CatalogFile=" parameter or whatever its called where it lists the name of the associated .cat file. Once you have that just do a search for that file name and walla, you're set to proceed with Gizmo0001's procedure.

    In my case I had been trying to manually export the cert after a manual install from the "Trusted Publishers" in certmgr.msc and then import it elsewhere. For some reason it didnt like that. It could be that I was importing it manually and didnt use the certutil.exe so maybe thats where the hangup was. Anyway Gizmo001's method will without a doubt get you to the correct certificate at least.


    Also i'd like to mention that although I dont know what that bcedit stuff is, the certificate option Gizmo0001 offered sounds like a better option to me from an automated install standpoint and possibly more secure? Maybe someone with more expertise in this area can weigh in on that?
    • Edited by Goot1981 Wednesday, April 23, 2014 9:08 PM
    Wednesday, April 23, 2014 8:57 PM
  • Hi! Thanks for your help!

    I can follow your advice to number 4. but I cannot understand after number 5.

    there are some questions

    1. In number 5, "Save to file..." ---> where is the exact directory that  save the file ?

              after click the save button, i must designate the directory that file would saved.

    2. In number 6, what means   'collect this / all certificates'  ??

             i have problem with my oem13.cat (newly installed driver) , do I save all oem file ? (oem0 ~ oem12 ?)

    3. Deploy this certificate in a batch or by group policies

            1) i saved my file(certificate) in backgroud,

                and prompt that script using cmd, but there are message something like this ' cannot find file'

            2) So, I tried second method. but i cannot understand thie method

                what is group policies?  and i cannot find that directory (computer \ policies \ windows \ security \ public key policies \ )

    Please help me.

    i am not good at english, sorry

     

    Thursday, May 15, 2014 4:05 PM
  • Typical wrong answer of an Microsoft employee who not want users getting control over their own machines.

    Shame on you!

    Friday, June 27, 2014 7:41 AM
  • That did the trick. Just don't ask M$ employees as they not telling you the trust all the time :P
    Friday, June 27, 2014 7:42 AM