What is Driver Signature Enforcement in Windows 10?
Driver Signature Enforcement in Windows 10 is a security feature of the operating system and some prior versions that require all kernel-mode drivers to be digitally signed by a trusted publisher. To Disable Driver Signature Enforcement in Windows 10, unsigned or incorrectly signed drivers can be installed. However, Windows will display warnings about the driver needing to be validated.
With enforcement enabled, only properly signed drivers trusted by Windows can be installed. Unsigned drivers will fail to install with an error like:
“Windows can’t verify the publisher of this driver software.”
Enforcement helps prevent untrustworthy or malicious driver software from being installed. But it can also block potentially useful unsigned drivers you may need to install.
Disabling enforcement allows any driver to be installed again, eliminating those blocking errors. But it reduces security, so only do so temporarily when absolutely required.
Key Takeaways
- Driver signature enforcement helps protect against potentially malicious, unsigned drivers. Disabling it reduces security.
- You can disable enforcement in several ways: via Advanced Startup Options, Group Policy Editor, Registry Editor, or by signing a boot driver.
- Disabling enforcement is a temporary solution. It would help if you tried to find signed drivers when possible and re-enable enforcement afterward.
- Test unsigned drivers thoroughly and create restore points before installing to limit risk.
- On x64 systems, you must disable enforcement and install unsigned drivers separately for both 32-bit and 64-bit systems.
When Do You Need to Disable Driver Signature Enforcement?
There are a few instances when you may need or want to disable enforcement:
- To install unsigned driver software: Developers may release unsigned drivers while testing or if they don’t want to pay for an official certificate. Disabling enforcement allows you to install these.
- For older/legacy hardware: Older hardware may only have unsigned legacy drivers available for it that no longer works with enforcement active.
- When troubleshooting driver issues: Occasionally, buggy drivers slip through, cause problems, or won’t install properly even when signed. Disabling enforcement can help resolve issues.
- To bypass restrictions: Some organizations use enforcement to lock down systems. Disabling it allows you to bypass those restrictions.
How to Disable Driver Signature Enforcement on Windows 10
There are a few different ways to disable enforcement on Windows 10:
- Through Advanced Startup Options
- Through Group Policy Editor
- Through Registry Editor
- By Signing a Boot Driver
Method 1: Through Advanced Startup Options
- Open the Start menu
- Click the Power button
- Hold Shift and click Restart
- On the Choose an Option screen, select Troubleshoot > Advanced options
- On Advanced Options, click Startup Settings > Restart
- After your PC restarts, you’ll see a list of startup settings
- Press F7 to select Disable Driver Signature Enforcement
- Windows will restart with enforcement disabled
This method allows you to boot into Windows 10 normally while keeping enforcement disabled for that session until you restart again.
Method 2: Through Group Policy Editor
- Open the Start menu and search for “gpedit.msc” to launch the Group Policy Editor
- Navigate to Computer Configuration > Administrative Templates > System > Driver Installation
- On the right pane, double-click on “Code Signing for Device Drivers”
- Select “Disabled” and click Apply and OK to disable enforcement
- You’ll need to restart your computer for changes to take effect
This permanently disables enforcement on the system until you re-enable it in the policy editor.
Method 3: Through Registry Editor
- Open the Start menu and search for “regedit” to launch the Registry Editor
- Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Policy
- On the right pane, double-click on “OverrideDriverInstallPolicy” and set the Value data to 1
- Close Registry Editor and restart your computer for changes to take effect
Like the group policy method, this permanently disables enforcement until you revert the registry change.
Method 4: By Signing a Boot Driver
- Install the Windows Driver Kit (WDK), which includes the SignTool utility
- Locate any boot driver (.sys file) on your system, such as cdrom.sys or aSCSI.sys in C:\Windows\System32\drivers
- Open the Developer Command Prompt for VS as Administrator
- Enter the command:
SignTool sign /v /s my /n "My Company Name" /t http://timestamp.digicert.com %cd%\cdrom.sys
Replacing cdrom.sys with the boot driver you want to sign. Update the /s and /n parameters with your own info.
- Restart your computer; enforcement will now be disabled
- The unsigned driver tricks Windows into thinking you disabled it
This method allows you to selectively disable enforcement without fully opening up your system to all unsigned drivers.
How to Work With Unsigned Drivers Safely
When running with enforcement disabled, take steps to minimize risks from potentially malicious unsigned drivers:
- Only ever disable enforcement temporarily; re-enable it after driver installation.
- Thoroughly research and test any unsigned drivers before installing them. Make sure they come from a trustworthy source.
- Check unsigned drivers on sites like VirusTotal to detect known malware.
- Create a System Restore point before installing unsigned drivers as a safety net.
- Install and test drivers one at a time to isolate any issues.
- Use a separate test machine first, if possible; wait to install it on your main system.
- Install an antivirus and anti-malware scanner to help detect compromised drivers.
- On 64-bit Windows, disable and install unsigned drivers separately for 32-bit and 64-bit systems.
Disable Enforcement Separately for 32-bit and 64-bit (on 64-bit Windows)
On 64-bit versions of Windows, you need to disable driver signature enforcement and install unsigned drivers separately for 32-bit and 64-bit systems:
For 32-bit Unsigned Drivers:
- Restart your computer and enter Advanced Startup Options as above
- Select Disable Driver Signature Enforcement. This disables enforcement only for 32-bit drivers
- Install your unsigned 32-bit driver
- Restart back into normal Windows
For 64-bit Unsigned Drivers:
- Follow the group policy or registry editor method above to disable enforcement fully (for both 32-bit and 64-bit)
- Install your unsigned 64-bit driver
- Re-enable enforcement via group policy or registry editor afterward
Without isolating them like this, unsigned 64-bit drivers will fail to install even with enforcement disabled from the startup options.
Best Tips for Working with Unsigned Drivers
Here are some additional tips for smoothly installing unsigned drivers with enforcement disabled:
- If you see the error “Element not found,” the unsigned driver is likely 64-bit, and you need to turn off enforcement via group policy or the registry first.
- Delete existing signed drivers before attempting to install unsigned ones if you encounter issues.
- Install drivers manually via Device Manager rather than relying on installer wizards, which may fail.
- Refer to your motherboard or hardware manufacturer’s website for proper unsigned drivers if possible.
- Some antivirus software may still block unsigned driver installation, you may need to disable it temporarily.
- If you accidentally installed an unsigned driver with enforcement still enabled, restart into the disabled state to install it properly.
- Windows may fail to load an unsigned driver on the next restart if Secure Boot is enabled, so you may need to disable this as well.
Final Words
Disabling driver signature enforcement opens up risks, but it is sometimes necessary to install unsigned drivers on Windows 10. Use the different methods outlined carefully and only temporarily turn off protection. Follow all security best practices to limit exposure to malicious unsigned code. Favor fully signed drivers from trustworthy sources whenever possible and promptly re-enable enforcement after installing anything unsigned.
Frequently Asked Questions
Do I need to disable Secure Boot, too?
Yes. Secure Boot performs similar driver integrity checks, which may block unsigned drivers even with enforcement disabled. If you continue to have issues, disable Secure Boot through your system firmware.
What risks am I taking by disabling driver signature enforcement?
Disabling enforcement reduces security and opens up your system to potential malware or rootkits hidden in unsigned drivers. Only turn it off temporarily when absolutely needed.
Does disabling enforcement affect performance?
No, disabling enforcement does not directly affect system performance or speed. It simply allows unsigned drivers to install.
What if I need to know which drivers are unsigned?
Use a tool like Unsigned Driver Scanner to detect all unsigned drivers installed on your system quickly. This helps identify them.
How can I troubleshoot unsigned driver errors?
Consult driver documentation, check Windows Logs for clues, verify you properly disabled enforcement for 32-bit or 64-bit, and research the specific error message online for solutions.
Will disabling enforcement void my Windows warranty?
Technically, yes, running with enforcement disabled is considered unsupported by Microsoft and may invalidate warranties.
Where can I find trustworthy, unsigned drivers?
Reputable sources like directly from the hardware manufacturer’s website or developer forums and communities are safest for unsigned driver downloads.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
