HOWTO: Create a Boot Configuration That Has No Driver Signature Checks. Disable Driver Integrity Checks and Install a Custom Non-Signed Driver


  • Hello,

    Recently, I had a task where I needed to install a custom non-signed driver onto my Windows 8 64-bit setup. As it is known, Windows has driver enforcement policies that, as a security measure, do not allow you to install non-signed drivers.

    I did not want to alter my current boot configuration, so I decided to create a separate boot entry that would have driver signing policies disabled. For some reason I did not find any good source that contained step-by-step instructions for completing this task, so I decided that I'd better share my experience here.

    Lastly, there are multiple ways you could turn off driver enforcement policies, but I find the way to do this via the boot manager.

    Here's how you can do that.

    1. Press the Windows key and type 'cmd' (without quotes) to find Command Prompt, then click the Command Prompt icon. If you have User Account Control turned on, hold the Ctrl+Shift keys pressed when clicking the icon.

    This will force Windows to ask you for elevation of the command prompt. Elevation is necessary for editing the Boot Configuration Database (BCD), the database used by the Windows boot manager to store boot settings.

    2. In the User Account Control window, click Yes to confirm elevation of the command shell.

    3. At the command prompt type

    bcdedit

    to list your BCD entries.

    This will give you an output like:

    Windows Boot Manager
    --------------------
    identifier              {bootmgr}
    device                  partition=\Device\HarddiskVolume2
    path                    \EFI\Microsoft\Boot\bootmgfw.efi
    description             Windows Boot Manager
    locale                  en-US
    inherit                 {globalsettings}
    integrityservices       Enable
    default                 {current}
    resumeobject            {a329b5cf-fb29-11e1-a74d-f2c962d62240}
    displayorder            {a329b5d0-fb29-11e1-a74d-f2c962d62240}
                            {a329b5cc-fb29-11e1-a74d-f2c962d62240}
                            {a329b5ca-fb29-11e1-a74d-f2c962d62240}
                            {a329b5c2-fb29-11e1-a74d-f2c962d62240}
                            {current}
                            {a329b5d8-fb29-11e1-a74d-f2c962d62240}
    toolsdisplayorder       {memdiag}
    timeout                 30
    
    Windows Boot Loader
    -------------------
    identifier              {a329b5d0-fb29-11e1-a74d-f2c962d62240}
    device                  vhd=[D:]\win8prowmc01.vhdx
    path                    \Windows\system32\winload.efi
    description             Windows 8
    locale                  en-US
    inherit                 {bootloadersettings}
    recoverysequence        {a329b5d1-fb29-11e1-a74d-f2c962d62240}
    recoveryenabled         Yes
    isolatedcontext         Yes
    allowedinmemorysettings 0x15000075
    osdevice                vhd=[D:]\win8prowmc01.vhdx
    systemroot              \Windows
    resumeobject            {a329b5cf-fb29-11e1-a74d-f2c962d62240}
    nx                      OptIn
    bootmenupolicy          Standard

    The section that starts with Windows Boot Manager lists the current settings for the boot menu. Here you find which boot entry is chosen by default; this is the one you will boot into if you do not select any boot entry in the boot menu.

    The following record

    default                 {current}

    indicates that by default my Windows boots into the configuration I am using at the moment (the currently booted Windows configuration).

    To find out what exactly the current configuration is, look at the list of boot entries: the records that contain a boot loader configuration and are titled Windows Boot Loader in the bcdedit output.

    For example, the entry shown above is one of my boot configurations. This is one of the boot entries listed on the boot manager screen when I start my PC and it looks like:

    Windows Boot Loader
    -------------------
    identifier              {a329b5d0-fb29-11e1-a74d-f2c962d62240}
    device                  vhd=[D:]\win8prowmc01.vhdx
    path                    \Windows\system32\winload.efi
    description             Windows 8
    locale                  en-US
    inherit                 {bootloadersettings}
    recoverysequence        {a329b5d1-fb29-11e1-a74d-f2c962d62240}
    recoveryenabled         Yes
    isolatedcontext         Yes
    allowedinmemorysettings 0x15000075
    osdevice                vhd=[D:]\win8prowmc01.vhdx
    systemroot              \Windows
    resumeobject            {a329b5cf-fb29-11e1-a74d-f2c962d62240}
    nx                      OptIn
    bootmenupolicy          Standard

    This record has a unique GUID identifier that can be used to reference this boot entry, which is:

    identifier              {a329b5d0-fb29-11e1-a74d-f2c962d62240}

    If we look at the Windows Boot Manager settings, we'll see this entry is the first to be displayed in the boot menu at OS start (I marked the unique bits):

    displayorder            {a329b5d0-fb29-11e1-a74d-f2c962d62240}
                            {a329b5cc-fb29-11e1-a74d-f2c962d62240}

    It references my VHD drive, a virtual hard drive where my Windows 8 setup resides:

    device                  vhd=[D:]\win8prowmc01.vhdx

    And it also specifies that the boot manager must use UEFI BIOS extension code to access my Windows boot partition:

    path                    \EFI\Microsoft\Boot\bootmgfw.efi

    3. Now locate the current boot entry.

    The current boot entry contains the boot settings used to boot into the Windows configuration you are currently booted into. It is referenced in the list of boot entries as a Windows Boot Loader record that has the {current} keyword inside and may look like:

    Windows Boot Loader
    -------------------
    identifier              {current}
    device                  vhd=[D:]\win8rtm.vhdx
    path                    \Windows\system32\winload.efi
    description             Windows 8 Enterprise RTM
    locale                  en-US
    inherit                 {bootloadersettings}
    recoverysequence        {a329b5c3-fb29-11e1-a74d-f2c962d62240}
    integrityservices       Enable
    recoveryenabled         Yes
    isolatedcontext         Yes
    allowedinmemorysettings 0x15000075
    osdevice                vhd=[D:]\win8rtm.vhdx
    systemroot              \Windows
    resumeobject            {a329b5c1-fb29-11e1-a74d-f2c962d62240}
    nx                      OptIn
    bootmenupolicy          Standard
    hypervisorlaunchtype    Auto

    Because we are more than happy with the current configuration and want to base our new boot configuration on these settings, we need to copy this boot entry ({current}) to a new boot entry.

    This is done by running the following command:

    C:\Windows\system32>bcdedit /copy {current} /d "No Driver Signature Check"
     

    The /d parameter here indicates that the following sequence of characters specifies the display name for the new boot entry that we are creating. The name inside the double quotes will be displayed in the boot menu when you boot your Windows. In other words, if you now restart your system, you'll see the new No Driver Signature Check entry in the boot menu.

    When copied, the entry is automatically given a new GUID identifier, so upon running the command above, you'll see the following line returned (you'll have another GUID since these are unique identifiers):

    The entry was successfully copied to {a329b5d8-fb29-11e1-a74d-f2c962d62240}.

    4. Make sure the entry has been successfully created.

    Run the same bcdedit. (You may specify /enum or /v, or both /enum /v parameters at the prompt to get more detail about boot entries, but simple bcdedit is just enough to see the new entry):

    C:\Windows\system32>bcdedit
    
    Windows Boot Manager
    --------------------
    identifier              {bootmgr}
    device                  partition=\Device\HarddiskVolume2
    path                    \EFI\Microsoft\Boot\bootmgfw.efi
    description             Windows Boot Manager
    locale                  en-US
    inherit                 {globalsettings}
    integrityservices       Enable
    default                 {current}
    resumeobject            {a329b5cf-fb29-11e1-a74d-f2c962d62240}
    displayorder            {a329b5d0-fb29-11e1-a74d-f2c962d62240}
                            {a329b5cc-fb29-11e1-a74d-f2c962d62240}
                            {a329b5ca-fb29-11e1-a74d-f2c962d62240}
                            {a329b5c2-fb29-11e1-a74d-f2c962d62240}
                            {current}
                            {a329b5d8-fb29-11e1-a74d-f2c962d62240}
    toolsdisplayorder       {memdiag}
    timeout                 30
    
    Windows Boot Loader
    -------------------
    identifier              {current}
    device                  vhd=[D:]\win8rtm.vhdx
    path                    \Windows\system32\winload.efi
    description             Windows 8 Enterprise RTM
    locale                  en-US
    inherit                 {bootloadersettings}
    recoverysequence        {a329b5c3-fb29-11e1-a74d-f2c962d62240}
    integrityservices       Enable
    recoveryenabled         Yes
    isolatedcontext         Yes
    allowedinmemorysettings 0x15000075
    osdevice                vhd=[D:]\win8rtm.vhdx
    systemroot              \Windows
    resumeobject            {a329b5c1-fb29-11e1-a74d-f2c962d62240}
    nx                      OptIn
    bootmenupolicy          Standard
    hypervisorlaunchtype    Auto
    
    Windows Boot Loader
    -------------------
    identifier              {a329b5d8-fb29-11e1-a74d-f2c962d62240}
    device                  vhd=[D:]\win8rtm.vhdx
    path                    \Windows\system32\winload.efi
    description             No Driver Signature Check
    locale                  en-US
    inherit                 {bootloadersettings}
    recoverysequence        {a329b5c3-fb29-11e1-a74d-f2c962d62240}
    integrityservices       Enable
    recoveryenabled         Yes
    isolatedcontext         Yes
    allowedinmemorysettings 0x15000075
    osdevice                vhd=[D:]\win8rtm.vhdx
    systemroot              \Windows
    resumeobject            {a329b5c1-fb29-11e1-a74d-f2c962d62240}
    nx                      OptIn
    bootmenupolicy          Standard
    hypervisorlaunchtype    Auto

    The entry has been created and given the unique ID a329b5d8-fb29-11e1-a74d-f2c962d62240. It now has exactly the same boot settings as the boot entry we used to boot into the current configuration of Windows.

    5. Modify the created No Driver Signature Check entry and specify that Windows must have driver integrity checks disabled when booted using this boot entry.

    Any modifications to boot entries are made using the /set parameter. To indicate that we are modifying a specific boot entry, we must specify the GUID for the No Driver Signature Check record, which is:

    identifier              {a329b5d8-fb29-11e1-a74d-f2c962d62240}
     

    In other words, to edit (add or change) an option for the boot entry, we need to use the following command syntax:

    C:\Windows\system32>bcdedit /set GUID <boot_option> [<option_value>]

    First, we must specify that we don't want integrity checks to be made. This is done by adding the loadoptions option and setting it to the DISABLE_INTEGRITY_CHECKS value:

    C:\Windows\system32>bcdedit /set {a329b5d8-fb29-11e1-a74d-f2c962d62240} loadoptions DISABLE_INTEGRITY_CHECKS
    The operation completed successfully.

    6. Verify that the load option has been added.

    Run the bcdedit command:

    Windows Boot Loader
    -------------------
    identifier              {current}
    device                  vhd=[D:]\win8rtm.vhdx
    path                    \Windows\system32\winload.efi
    description             Windows 8 Enterprise RTM
    locale                  en-US
    inherit                 {bootloadersettings}
    recoverysequence        {a329b5c3-fb29-11e1-a74d-f2c962d62240}
    integrityservices       Enable
    recoveryenabled         Yes
    isolatedcontext         Yes
    allowedinmemorysettings 0x15000075
    osdevice                vhd=[D:]\win8rtm.vhdx
    systemroot              \Windows
    resumeobject            {a329b5c1-fb29-11e1-a74d-f2c962d62240}
    nx                      OptIn
    bootmenupolicy          Standard
    hypervisorlaunchtype    Auto
    
    Windows Boot Loader
    -------------------
    identifier              {a329b5d8-fb29-11e1-a74d-f2c962d62240}
    device                  vhd=[D:]\win8rtm.vhdx
    path                    \Windows\system32\winload.efi
    description             No Driver Signature Check
    locale                  en-US
    loadoptions             DISABLE_INTEGRITY_CHECKS
    inherit                 {bootloadersettings}
    recoverysequence        {a329b5c3-fb29-11e1-a74d-f2c962d62240}
    integrityservices       Enable
    recoveryenabled         Yes
    isolatedcontext         Yes
    allowedinmemorysettings 0x15000075
    osdevice                vhd=[D:]\win8rtm.vhdx
    systemroot              \Windows
    resumeobject            {a329b5c1-fb29-11e1-a74d-f2c962d62240}
    nx                      OptIn
    bootmenupolicy          Standard
    hypervisorlaunchtype    Auto
     

    7. Add the option that turns on test signing mode and disables checks of driver signature.

    Adding the testsigning option and setting it to ON does the trick for us:

    C:\Windows\system32>bcdedit /set {a329b5d8-fb29-11e1-a74d-f2c962d62240} TESTSIGNING ON

    8. Now we have a boot entry that makes Windows skip integrity checks and digital signature validation.

    We check it by running bcdedit:

    Windows Boot Loader
    -------------------
    identifier              {a329b5d8-fb29-11e1-a74d-f2c962d62240}
    device                  vhd=[D:]\win8rtm.vhdx
    path                    \Windows\system32\winload.efi
    description             No Driver Signature Check
    locale                  en-US
    loadoptions             DISABLE_INTEGRITY_CHECKS
    inherit                 {bootloadersettings}
    recoverysequence        {a329b5c3-fb29-11e1-a74d-f2c962d62240}
    integrityservices       Enable
    recoveryenabled         Yes
    testsigning             Yes
    isolatedcontext         Yes
    allowedinmemorysettings 0x15000075
    osdevice                vhd=[D:]\win8rtm.vhdx
    systemroot              \Windows
    resumeobject            {a329b5c1-fb29-11e1-a74d-f2c962d62240}
    nx                      OptIn
    bootmenupolicy          Standard
    hypervisorlaunchtype    Auto

    9. Type 'exit' without quotes to exit from command prompt, and restart Windows.

    Upon booting you will be presented with a new boot option to start Windows in a configuration that allows you to install custom non-signed drivers.

    Hope this helps anybody create their own custom boot configurations.


    Well this is the world we live in And these are the hands we're given...



    Sunday, November 24, 2013 4:09 PM
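As an added example that is not part of the original post: a defender-side audit that parses bcdedit enumeration output in the format quoted above and flags boot entries whose code-integrity checks have been weakened through testsigning, a loadoptions value containing DISABLE_INTEGRITY_CHECKS, or the nointegritychecks option (a real BCD setting the thread does not mention). The sample text is constructed from the post's own entries; feeding it the output of bcdedit /enum from a live machine is left to the caller.

```python
import re
# Constructed sample, trimmed from the bcdedit enumeration quoted in the post above.
SAMPLE_BCD = """\
Windows Boot Manager
--------------------
identifier              {bootmgr}
displayorder            {current}
                        {a329b5d8-fb29-11e1-a74d-f2c962d62240}

Windows Boot Loader
-------------------
identifier              {a329b5d8-fb29-11e1-a74d-f2c962d62240}
description             No Driver Signature Check
loadoptions             DISABLE_INTEGRITY_CHECKS
testsigning             Yes
"""
# BCD settings that weaken kernel-mode code integrity, each with a predicate on its value.
WEAK_SETTINGS = {
    "testsigning": lambda v: v.lower() in ("yes", "on"),
    "nointegritychecks": lambda v: v.lower() in ("yes", "on"),
    "loadoptions": lambda v: "DISABLE_INTEGRITY_CHECKS" in v.upper(),
}
KEY_VALUE = re.compile(r"^(\S+)\s{2,}(\S.*)$")  # "key<two or more spaces>value"

def parse_bcdedit(text):
    """Parse bcdedit output into one {key: [values]} dict per entry."""
    entries, entry, last_key = [], None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) == {"-"}:
            continue  # blank line or the dashed underline beneath a heading
        if line[0].isspace() and last_key:
            entry[last_key].append(stripped)  # indented continuation, e.g. more displayorder GUIDs
        elif (m := KEY_VALUE.match(line)) is None:  # a heading opens a new entry
            entry, last_key = {"_type": stripped}, None
            entries.append(entry)
        else:
            last_key = m.group(1)
            entry.setdefault(last_key, []).append(m.group(2).strip())
    return entries

def find_weakened_entries(entries):
    """Return (identifier, description, setting, value) for each weakening setting."""
    findings = []
    for e in entries:
        ident, desc = e.get("identifier", ["?"])[0], e.get("description", ["?"])[0]
        for key, is_weak in WEAK_SETTINGS.items():
            findings += [(ident, desc, key, v) for v in e.get(key, []) if is_weak(v)]
    return findings
```

Every finding names a boot entry that will load kernel code without the normal signature validation, which belongs in an inventory of machines where the driver signing policy has been relaxed.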

All replies

  • Hi,

    Thank you for sharing the solutions & experience here. It will be very beneficial for other community members who have similar questions. 

    Regards,


    Kelvin hsu
    TechNet Community Support

    Tuesday, November 26, 2013 11:07 AM
    Moderator
  • Hi Exotic Hadron.

    All this info on creating a separate boot config with no driver signature checks on Windows 8.1 is great BUT there is one big problem.  The BCDEDIT -set TESTSIGNING ON command that was mentioned WILL FAIL TO WORK on UEFI based computers with the Secure Boot option enabled.  Disable the Secure Boot feature in UEFI setup first before using the BCDEDIT TESTSIGNING command.

    More info about the TESTSIGNING boot command here:

    https://msdn.microsoft.com/en-us/library/windows/hardware/ff553484%28v=vs.85%29.aspx

    "Note  Before setting BCDEdit options you might need to disable or suspend BitLocker and Secure Boot on the computer."


    Monday, January 26, 2015 6:05 PM
  • Sure thing. Thank you for mentioning this!

    Well this is the world we live in And these are the hands we're given...

    Tuesday, January 27, 2015 3:46 PM