How to Configure Anti-Malware Boot-Start Driver Policy in Windows 10 | Tips & Tricks
To protect your system from boot-time malware, starting from Windows 8, Microsoft has included a new feature called Secure Boot. This will launch the ELAM (Early Launch Anti-Malware) driver before any other driver at boot time. The function of ELAM is simple: it evaluates every driver that is queued to launch at boot time and classifies each one as Good, Bad, Bad but required for boot, or Unknown. The Windows kernel then uses this classification to decide whether to initialize a driver or not.
If ELAM is blocking a known driver or if you want to manually configure what driver type should be allowed to load, you can configure the Early Launch Boot-Start Driver Initialization policy to achieve that.
Note: this guide is only intended for advanced users who know what they are doing. Do not change the policy settings unless you are 100 percent sure. To be safe, create a system restore point before proceeding.
Group policy editor makes it easy to quickly configure early launch anti-malware boot-start drivers in Windows 10. You just have to select the initialization mode from a dropdown menu.
1. First, search for “gpedit.msc” in the Start menu and open it to launch Group Policy Editor. Go to the following policy folder “Computer Configuration -> Administrative Templates -> System -> Early Launch Antimalware.”
2. On the right panel double-click on the “Boot-Start Driver Initialization” policy.
3. In the properties window select the radio option “Enabled.” It will enable a few more settings under the “Options” section. Select one of the following options from the dropdown menu, and click on the “Apply” and “OK” buttons to save changes.
- Good only – Initialize drivers that are signed and untampered.
- Good and unknown – Initialize drivers that are good, as well as drivers that are not labeled by the malware detection application and not classified by the Early Launch Anti-Malware boot-start driver.
- Good, unknown and bad but critical – Initialize drivers that are good or unknown, plus known bad drivers that are infected by malware but are required to boot the machine successfully.
- All – Initialize all drivers regardless of classification.
4. Restart your system to apply the changes.
From this point forward, the boot-start drivers will be initialized according to the policy setting. To revert, select either the “Disabled” or “Not configured” option in the policy settings window.
Configure Early Launch Boot-Start Drivers from Regedit
If you don’t have access to Group Policy Editor, you can configure Early Launch Boot-Start driver initialization from the Registry Editor.
1. Open Registry Editor by searching for “regedit” in the Start menu. Go to the following location:
2. Right-click on the Policies key, select “New -> Key” and name the new key as “EarlyLaunch.”
3. On the right panel right-click and select “New -> DWORD (32-bit) Value.” Name the new value as “DriverLoadPolicy.”
4. Double-click on the newly created value. In the value data field, depending on what you want, enter one of the following values, and click on the “OK” button to save changes.
- Good only – 8
- Good and unknown – 1
- Good, unknown and bad but critical – 3
- All – 7
5. Restart your system, and the changes will be applied automatically.
If you want to revert to the default behavior, simply delete the “DriverLoadPolicy” value under the EarlyLaunch key.
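To confirm what the registry procedure above left in place, or to check a machine you did not configure yourself, the following PowerShell function reads DriverLoadPolicy and reports the resulting mode. It is an added example, not part of the original article; the function name, the State labels and the -PoliciesKeyPath parameter are assumptions, and the path of the Policies key from step 1 has to be passed in because the article does not show it.

```powershell
# Added example (not from the original article): report the DriverLoadPolicy mode.
function Get-ElamDriverLoadPolicy {
    [CmdletBinding()]
    param(
        # Provider path of the "Policies" key from step 1. The article does not
        # show it, so pass it in, e.g. 'HKLM:\<location from step 1>'.
        [Parameter(Mandatory)][string]$PoliciesKeyPath
    )

    $name = 'DriverLoadPolicy'
    $key  = Join-Path $PoliciesKeyPath 'EarlyLaunch'
    $raw  = $null
    $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Key or value missing: the state the article calls the default behavior.
        $state = 'NotConfigured'; $mode = 'Default behavior'
    }
    elseif ((Get-Item -LiteralPath $key).GetValueKind($name) -ne 'DWord') {
        # Step 3 creates a DWORD (32-bit) value; any other type is a mistake.
        $state = 'Invalid'; $mode = 'Value is not a DWORD'
    }
    else {
        $raw = $item.$name
        # Value data as listed in step 4 of the article.
        switch ($raw) {
            8 { $state = 'OK'; $mode = 'Good only' }
            1 { $state = 'OK'; $mode = 'Good and unknown' }
            3 { $state = 'OK'; $mode = 'Good, unknown and bad but critical' }
            # Assumption of this example: flag "All" for review, since it
            # initializes every driver regardless of classification.
            7 { $state = 'Review'; $mode = 'All' }
            default { $state = 'Invalid'; $mode = 'Not one of 8, 1, 3, 7' }
        }
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Key      = $key
        RawValue = $raw
        Mode     = $mode
        State    = $state
    }
}

# Example call (placeholder path):
# Get-ElamDriverLoadPolicy -PoliciesKeyPath 'HKLM:\<location from step 1>'
```

The setting only takes effect after a restart, so the reported mode is what will apply at the next boot if the value was changed since the last one.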