Disable driver signature enforcement permanently at boot-up, how?

    Question

  • Hi all.

     

    I have several device drivers that are not digitally signed but otherwise work happily under Windows Server 2008.

     

    At present, during booting up, I need to go through the F8 loop to manually disable "digital driver enforcement", but this is good for the current session only.

     

    Is there a clever way to permanently disable digital driver enforcement, so that I do not have to use the F8 option manually every time?

     

    Thanks.

     

    Regards,

    Cukkas

     

     

    Saturday, October 13, 2007 10:18 PM

Answers

  • Hello Cukkas,

     

    There are 2 ways to disable digital driver signature enforcement; the 1st way is using command-line tool cmd.exe to execute this command-line bcdedit.exe /set nointegritychecks ON, the 2nd method which is recommended is to disable it through Group Policy Object (GPO),

     

    1. Start --->> Run ---> GPEdit.msc

    2. Enable and Ignore Code signing for drivers policy under User Configuration --->>

        Administrative Templates ---->> System ---->> Driver Installation --->> Code signing for drivers

       

        Check this figure 

       

     

    Sunday, October 14, 2007 9:31 AM
  • Hi Sherif,

    Thank you for your suggestions.

    I tried both methods that you mentioned,

    1) command-line

        bcdedit.exe /set nointegritychecks ON
       

        the operation is completed successfully, but it makes no difference when it reboots.

         On re-boot, the bootmanager will stop, saying


          " ...\windows\system32\drivers\fastx2k.sys" is not digitally signed,

          then I need to proceed to use F8 option to manually "disable digital signature enforcement" to continue booting up the OS.

    I also use this command line (which apparently works in Vista from whose forum I obtained the command line):

    bcdedit /set loadoptions DISABLE_INTEGRITY_CHECKS

    the operation is completed successfully, but again it makes no difference when it reboots.

    2) Your second method does not solve my need - I need to disable digital driver enforcement during boot-up.

    Any other ideas I can try?

    Thank you again.

    Regards,
    Cukkas




    Sunday, October 14, 2007 4:18 PM
  • http://www.vistabootpro.org/
    Tuesday, October 16, 2007 10:39 AM
  • Hi Kane3162,

    Thank you for the suggestion.

    I had used an earlier version of VistaBootPro before, but it didn't work.

    Today, I downloaded the latest version 3.3 which warned during installation of potential slight problem using it on Windows Server 2008. Big mistake - the OS wouldn't boot up at all after using the programme to set disable digital driver enforcement. I have to use backup BCD file to restore and recover.

    Anybody who has a working solution to this problem? Much appreciated if you could post it here.

    Thank you.

    Regards,
    Cukkas
    Wednesday, October 17, 2007 4:31 PM

All replies

  • Hi Cukkas,

    I'm having the same dilemma over here but on Vista x64, there seems to be no solution.

    I'm glad I found this post though, hopefully we can find a solution.

    Regards,
    xslikx
    Thursday, October 18, 2007 9:39 PM
  • that is HIGHLY unusual..... I have used it since Beta 2 and not had the no-boot problem you describe.... what settings are you using by chance when you make the change? do you just change the boot options?
    Monday, October 22, 2007 1:19 AM
  • Hi Kane3162,
     
    My situation on Vista is the same Cukkas is experiencing more or less.

    It's happening for me because Promise (http://www.promise.com/) makes no compatible 378 IDE driver for x64 OSs and Vista x86/x64, so I'm left with no choice but to use a driver which originated from a laptop called D900T (http://www.sagernotebook.com) that happens to work on x64 OSs and on Vista x64 when digital signature enforcement is disabled.

    It was originally hosted at - http://www.sagernotebook.com/ftp/win64b/Win64B_ATA.exe but that URL no longer exists because they removed the file.

    I'm not sure if the laptop company made the driver or if Promise did, but everything about them surfaced here http://www.planetamd64.com/index.php?showtopic=7928

    Currently there is also a Vista version of this driver which apparently originated from Vista 5744 and bypasses digital signature enforcement.
    The problem with this driver is that the transfer rate is limited to 150 Kb/s so I'm left with the previous drivers mentioned which were designed for XP x64 but work on Vista when digital signature enforcement is disabled.
    The driver works great otherwise, but every time I reboot I'm required to press F8 and choose to disable digital signature enforcement or I receive an error: "0x0000428 \Windows\system32\drivers\videx64.sys Windows cannot verify the digital signature for this file."

    Promise has stated themselves:

     Promise wrote:
    No we do not have or plan to release 64 bit drivers that will allow your 378 chipset to work as a regular IDE drive as that chipset is RAID only and not dependent on the driver. Moreover all driver support for this product is not available thru promise because this chipset is imbedded on your mainboard. This will need to be supported thru your mainboard manufacturer

    You have to register to view these but I figured I might as well link them in case they're of any use to resolving this problem.

    XP x64 driver link - http://www.planetamd64.com/index.php?automodule=downloads&showfile=850
    Vista x64 driver link - http://www.planetamd64.com/index.php?automodule=downloads&showfile=1240
    Other XP x64 / Vista x64 driver link - http://www.planetamd64.com/index.php?automodule=downloads&showfile=1291

    Motherboard: Asus A8V Deluxe - http://www.asus.com/products4.aspx?modelmenu=2&model=238&l1=3&l2=15&l3=0
    Chipset: Via K8T800PRO - http://www.via.com.tw/en/products/chipsets/k8-series/k8t800pro/





    Regards,
    xslikx
    Monday, October 22, 2007 4:03 AM
  • Hi All,

    To answer Kane3162's question, the only setting in VistaBootPro that I used was to check the option to disable digital driver enforcement, but the PC would refuse to boot up again.

    Hi, xslikx, my motherboard is ASUS SK8V, which has a similarly imbedded 378 Promise raid/IDE chipset for SATA connectors as your motherboard. I am using the IDE setup using the same driver that you mentioned, and it works fine for the two drives that are connected to these connectors. I have not tried them under raid setup, so I can't tell whether that setup works.

    As you said, it would be nice to be able to get rid of digital driver enforcement during boot-up. It also means I can remotely re-boot the PC as well. Hope someone can come up with a solution.

    Regards,
    Cukkas

    P/s: Do you know a 64 bit driver for Canoscan scanner ( model 8400F) that works under Windows Server 2008 64 bit?


    Monday, October 22, 2007 6:59 PM
  • Hey Cukkas,

    That initially came out to me as a huge surprise that we're both dealing with the same Promise driver issue, but at the same time it doesn't surprise me that others are having problems with them as well.

    I sent a technical inquiry to Asus last night and got a reply this morning regarding the Promise driver issue, their reply was:

     Asus Support Team wrote:
    Hello,

    Asus does not write driver software, we receive it from the hardware/chipset manufacturers of the components we use, and simply repackage them with the Asus installer/logos in some cases. You will need to contact Promise to see if/when such a driver may be available. Also, there is no plan at present to support Vista on any Socket 939 (A8 series) motherboard, in either 32 bit or 64 bit versions, largely due to a lack of solid driver support.

    Regards,

    Asus Support Team

    Please do not reply to this message. If you need further assistance please call our technical support line at (812) 282-2787 Monday-Friday from 8:30am-Midnight EST.

    So apparently I would just get the run-around by contacting either Promise or Asus about this driver.

    Regarding the Canoscan scanner 8400F, you're best off trying either 8400F Scanner Driver Ver. 10.2.3.1a (Windows Vista64) 2007-10 or 8400F Scanner Driver Ver. 10.2.3.1a (Windows XP x64) 2007-10.
    They can be found here - http://www.usa.canon.com/consumer/controller?act=ModelInfoAct&tabact=DownloadDetailTabAct&fcategoryid=351&modelid=10242

    I see you've already tried one of them from this topic - http://forums.microsoft.com/TechNet/ShowPost.aspx?PostID=2285944
    but it's probably worth trying the XP x64 version if the Vista x64 version isn't working for you on Server 2008 x64.

    Either way it seems that Canon will fully support all Vista/Server2008 in the future, but as for Promise things look grim.

    Regards,
    xslikx
    Monday, October 22, 2007 10:58 PM
  • has anybody here tried http://www.tweak-uac.com/? I was thinking of trying it out.

    thanks,

    gargolita

    Sunday, November 04, 2007 4:15 AM
  • Does anyone know how to resolve the problem?

    It's proving impossible to do remote re-booting of the server.

    Thank you.

     

    Cukkas

    Wednesday, November 14, 2007 4:50 PM
  • Hi All,

     

    I had a lightbulb moment while I was taking a shower last weekend: what if I use the hibernate function (which is a standard log off option in a laptop) and how will Windows Server 2008 respond?

     

    There is no hibernate switch in Windows Server 2008 log off, but you can try this string on a shortcut on the desktop:

     

     

                    rundll32.exe powrprof.dll, SetSuspendState

     

    Log off by clicking on this shortcut, and the PC will hibernate. The next time you power on the PC, it switches on and recovers to its previous state, bypassing the driver enforcement check. No need for an F8 intervention anymore.

     

    It works for me. Let me know if it works for you too.

     

    Regards,

    Cukkas

     

     

     

    Wednesday, December 19, 2007 10:50 PM
    In the GA (General Availability) release Microsoft has announced that this is not going to be possible even by hitting F8. The digital signature enforcement will become turned on automatically and you will not be able to turn it off on bootup at all. This makes for real problems with enhanced drivers, and will force companies to work in greater detail to ensure they have Microsoft's signature or approval on drivers. The only way to make this work now is by hitting F8, turning it off by changing the settings in gpedit.msc or any other means such as cmd prompt will not work at all. It is always turned on by default on bootup.

    Thursday, December 27, 2007 8:36 PM
    I just built a new home computer yesterday and, after installing OS (I worked around in just the OS for several hours) then installing the drivers, the computer asked me to restart. I did and it came up with the black screen and "Windows failed to start.... File:\Windows\System32\drivers\sfsync04.sys, Status:0xc0000428, Info: Windows cannot verify the digital signature for this file."

     

    I was able to change my BIOS to reboot from the CDRom but all it did was put my first install into an ".old" file and completely reinstall Windows. I've added nothing else because I'm afraid it will just keep happening.

     

    1. This isn't just a server 2008 issue

    2. This isn't just an upgrade issue - new build with Vista Home Prem 64bit SP1

    3. Isn't just the Asus board - I have the Gigabyte GA-P35-DS3L motherboard but I can't tell you anything about Promise or even if the motherboard is faulty. (How do you know?)

    4. Why should brand name drivers cause such a problem?

    5. It obviously isn't the same file causing the problem but something inherent in the digital verification system.

     

    Mobo: Gigabyte GA-p35-DS3L  -- installed driver ... again, no driver installation yet for the second install

    CPU: Intel Q6700

    Vista Home Prem 64bit SP1  -- installed both times

    eVGA 8800GTS 512mb KO  -- installed driver 1st time

    2x2G Crucial RAM

    500G SATA Seagate HD

    Creative Sound Blaster X-Fi Audio  -- installed driver 1st time

    2 SATA DVDRW drives

    1 Floppy

    Zerotherm BTF90

    PC Power & Cooling 610W Silencer

    Dell 2408WFP 

    Logitech diNovo keyboard  -- installed software

    Antec P182SE

    MS Works 2006  -- installed software

    USB Graphics Tablet (about 4 years old)  -- installed driver/Corel Art Dabbler software

    Monday, May 05, 2008 8:19 PM
  • I may have found a work around - http://www.citadel.co.nr/readydriverplus/
    I haven't tried it yet but it looks promising.

    Wednesday, May 21, 2008 9:28 AM
  • Hi Cukkas

    Not sure if you're still having the issue on boot, I was having the same issue with a server with an AMD CPU in, but there is an extra command you need to type in the following in the command prompt, after that it should boot up fine, but you do get a little message in the bottom left corner saying it's in test mode, but that's not a problem for me as it's just a test box anyway.

    bcdedit -set TESTSIGNING ON

    Hope that helps :)
    Tuesday, December 29, 2009 11:10 AM
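
Added example (not part of any post in this thread): an audit check that parses `bcdedit /enum` output and reports boot entries carrying the three settings mentioned in the posts above (`nointegritychecks`, `loadoptions DISABLE_INTEGRITY_CHECKS`, `testsigning`). The sample output and the function names `parse_bcd` and `weakened_entries` are constructed for illustration, and English-language bcdedit output is assumed.

```python
# Constructed sample of English `bcdedit /enum` output (not from the thread).
SAMPLE_BCD = r"""
Windows Boot Manager
--------------------
identifier              {bootmgr}

Windows Boot Loader
-------------------
identifier              {current}
path                    \Windows\system32\winload.exe
description             Windows Server 2008
loadoptions             DISABLE_INTEGRITY_CHECKS
testsigning             Yes
nointegritychecks       Yes

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
description             Second entry (constructed)
nx                      OptIn
"""

def parse_bcd(text):
    """Return one dict per BCD entry, mapping element name -> value."""
    entries, current = [], None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        following = lines[i + 1].strip() if i + 1 < len(lines) else ""
        if not stripped or set(stripped) == {"-"}:
            continue                       # blank line or the dashed underline
        if following and set(following) == {"-"}:
            current = {"_type": stripped}  # entry header, e.g. "Windows Boot Loader"
            entries.append(current)
        elif current is not None and not line[0].isspace():
            key, _, value = stripped.partition(" ")
            current[key.lower()] = value.strip()
    return entries

def weakened_entries(text):
    """List (identifier, setting) pairs that relax driver signature checks."""
    findings = []
    for entry in parse_bcd(text):
        ident = entry.get("identifier", "?")
        for key in ("testsigning", "nointegritychecks"):
            if entry.get(key, "").lower() in ("yes", "on"):
                findings.append((ident, key))
        if "DISABLE_INTEGRITY_CHECKS" in entry.get("loadoptions", "").upper():
            findings.append((ident, "loadoptions"))
    return findings

if __name__ == "__main__":
    for ident, setting in weakened_entries(SAMPLE_BCD):
        print(f"{ident}: {setting} weakens driver signature enforcement")
```

On a live host, feed the functions the text of `bcdedit /enum` captured from an elevated prompt instead of the sample.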
  • I've been using ready driver plus for a long time now, and it works great as long as you don't hit any buttons during the "F8" screen. The way it works is that it basically hits "F8" automatically and makes the proper selection automatically. The reason I'm on this board now is I just did an install of Windows 7 and I forgot the name of ReadyDriverPlus. For now, it is the best solution and it works.
    • Proposed as answer by a80063r Sunday, January 03, 2010 7:18 AM
    Sunday, January 03, 2010 6:51 AM
  • Instead of trying a workaround, why not try signing the drivers in question using signtool.exe from Microsoft.

    SignTool

    The SignTool tool is a command-line tool that digitally signs files, verifies signatures in files, or time stamps files. For information about why signing files is important, see Introduction to Code Signing. The tool is installed in the \Bin folder of the Microsoft Windows Software Development Kit (SDK) installation path.

    SignTool is available as part of the Windows SDK, which you can download from http://go.microsoft.com/fwlink/?linkid=84091.

     

    Here is the syntax for SignTool:

    signtool [Command][Options][FileName …]

    The following commands are supported by SignTool.

     

    I am not sure that this will work, as I have not had this problem so far; I was looking for information on another problem when I came across this, but thought maybe this might help.

     

    Regards,

    Micro

    Monday, May 24, 2010 12:41 AM
  • Nope.

    All this lets you do is sign a driver package for submission to MS (along with results to prove your driver passes their qualification tests). For this, you need to purchase a certificate from Verisign, pay MS for the submission, actually get the driver to pass all the MS qualification tests (which is by far the most difficult part of the process, even if the driver works perfectly).

    Then MS verifies your test results and if all is OK, they in their turn sign your driver package. This last bit is what is required by the "digital driver enforcement" (your own signing will not be accepted)!   :-(

    Joe.

     

    • Proposed as answer by WFC Saturday, April 14, 2012 2:23 AM
    • Unproposed as answer by WFC Saturday, April 14, 2012 2:23 AM
    Tuesday, August 10, 2010 5:57 AM
  • How can you do this for Windows ??

     

    Sunday, April 24, 2011 9:15 PM
  • Yes the F8 option still works with Windows 7 Professional 64 bit version.

    I just did it on my computer. For a non digital signature on a DVD Express DX2 driver

    What a pain thanks to Microsoft.

    Thanks for the info!!

    Sunday, March 25, 2012 3:06 AM
  • Hi, 

    I am turning my PC into a Server running Microsoft Server 2012. But I get an error message driver not being digital for PC to use as server. Can you help me how to turn it off. I keep pressing F8 but nothing comes up on my screen. I wonder if maybe I have to press a different keystroke to get that menu before installation.

    Thanks;

    Friday, September 20, 2013 5:37 PM