Install Unsigned Drivers on Windows 11: A Guide to Disabling Driver Signature Enforcement

When attempting to install certain hardware or software on Windows 11 or Windows 10, you might encounter a message stating “Windows requires a Digitally Signed Driver.” This occurs because Windows enforces driver signature checks by default. This security measure is in place to ensure that the drivers being installed come from a verified source and have not been tampered with, thereby protecting your system’s stability and security. However, there are specific scenarios where you might need to install a driver that is not digitally signed by Microsoft.

Driver signing is a process where a digital signature is associated with a driver package. This digital signature serves two primary purposes: verifying the integrity of the driver files (ensuring they haven’t been altered since they were signed) and confirming the identity of the publisher (the vendor who provided the driver). Normally, drivers distributed via Windows Update, hardware manufacturers, or reputable third-party sources are digitally signed and certified by Microsoft. If a driver lacks this certification, Windows will typically block its installation or prevent it from loading, especially on 64-bit versions of the operating system and with Secure Boot enabled. This policy is known as “driver signature enforcement.” While strict, it’s a vital layer of security designed to prevent malicious or poorly written drivers from compromising the Windows kernel and leading to system instability or security breaches.

Windows 11 and Windows 10, particularly fresh installations with Secure Boot active, are configured to load only kernel-mode drivers that have been digitally signed through the Microsoft Developer Portal. This enhanced security posture is designed to protect the core components of the operating system from unauthorized access or modification by untrusted drivers. Consequently, if you have a driver that doesn’t meet these stringent requirements, you will receive the “Windows requires a Digitally Signed Driver” error message. While disabling this enforcement is generally not recommended due to the security implications, it is possible to do so temporarily or, in some cases, semi-permanently through specific system configurations.

Understanding the risks before proceeding is paramount. Installing unsigned drivers can expose your system to various dangers. Unsigned drivers might be malicious, containing viruses, malware, or rootkits that can gain deep access to your system. Even if not intentionally harmful, unsigned drivers might be poorly developed, leading to system crashes (often manifesting as Blue Screen of Death or BSOD errors), instability, conflicts with other hardware or software, or unexpected behavior. Proceed with caution and only if you trust the source of the unsigned driver implicitly and understand the potential consequences. It is highly recommended to re-enable driver signature enforcement as soon as you have successfully installed the necessary unsigned driver and verified that it functions correctly.

If you find yourself needing to install an unsigned driver, Windows offers several methods to temporarily or conditionally disable driver signature enforcement. Each method has its own implications regarding permanence and interaction with other security features like Secure Boot. Choosing the right method depends on your specific needs and comfort level with system configuration. It is advisable to start with the least disruptive method, which is usually the temporary disabling option available through the Advanced Startup Options. This method bypasses the enforcement for a single boot session, allowing you to install the driver, and the enforcement automatically resumes upon the next restart.

When Might You Need to Install Unsigned Drivers?

There are limited legitimate reasons why you might need to disable driver signature enforcement:

  • Legacy Hardware: You might have older hardware for which the manufacturer has not released updated, signed drivers compatible with Windows 11/10.
  • Beta or Development Drivers: Sometimes, developers release beta or test versions of drivers that are not yet officially signed.
  • Custom Hardware: You might be working with specialized or custom-built hardware (like some development boards or unique peripherals) that requires a specific driver not available elsewhere or signed by Microsoft.
  • Educational or Testing Purposes: Developers or advanced users might need to test their own drivers or experiment with hardware at a low level.

In all these cases, you should obtain the driver from a trusted source (e.g., the original manufacturer’s website, a reputable developer community) and ideally verify its integrity using checksums or other methods if provided.

Disable Driver Signature Enforcement on Windows 11/10

There are a few options available to bypass or disable driver signature enforcement:

  1. Use Advanced Boot Menu (Temporary Disable)
  2. Enable Test Signing Mode (Semi-Permanent with Watermark)
  3. Disable Integrity Checks (More Permanent, Requires Secure Boot Off)

Let’s explore each method in detail, outlining the steps and implications.

How to Install Unsigned Drivers in Windows 11/10

1] Use Advanced Boot Menu (Temporary)

This is the safest and most recommended method for temporarily disabling driver signature enforcement. It disables the enforcement for the current boot session only. Once you restart your computer normally, driver signature enforcement will be automatically re-enabled. This provides a window to install the unsigned driver without permanently compromising system security.

Here are the steps to access the Advanced Boot Menu and disable driver signature enforcement:

  1. Access Recovery Environment: The easiest way to access the Advanced Boot Menu is through the Windows Recovery Environment (WinRE). You can do this by holding down the Shift key while clicking the “Restart” option in the Start Menu or on the login screen. Alternatively, if Windows fails to boot correctly multiple times, it will often automatically enter the recovery environment. Another method is to go to Settings > System > Recovery > Advanced startup and click “Restart now”.
  2. Select Troubleshoot: Once your computer restarts into the Advanced Options screen, you will see several tiles or options. Click on the “Troubleshoot” tile to proceed. This section contains tools for system recovery and advanced configuration options.
  3. Choose Advanced options: In the Troubleshoot menu, select “Advanced options.” This will present you with more granular control over startup behavior and system recovery tools.
  4. Navigate to Startup Settings: Among the advanced options, find and select “Startup Settings.” This menu allows you to modify various Windows startup parameters, including safe mode, low-resolution video, and, crucially, driver signature enforcement.
  5. Initiate Restart for Settings Change: The Startup Settings screen will inform you that you can change Windows startup behavior after a restart. Click the “Restart” button provided on this screen. Your PC will reboot to display a list of startup options that you can select.
  6. Select “Disable driver signature enforcement”: After the computer restarts, you will see a menu titled “Startup Settings” with a numbered list of options. Look for the option that says “Disable driver signature enforcement.” This option is usually number 7. Press the corresponding number key on your keyboard (typically 7 or F7) to select this option and boot Windows with driver signature enforcement disabled.

Your PC will now boot into Windows with driver signature enforcement temporarily disabled. You can now proceed to install your unsigned driver. After successfully installing the driver and ensuring it works as expected, you can simply restart your computer normally. The next time Windows starts, driver signature enforcement will be active again, restoring your system’s default security level. This method is ideal for one-off driver installations.

2] Disable Integrity Checks (More Permanent, Requires Secure Boot Off)

This method uses the BCDedit command-line tool to configure the Windows Boot Manager to permanently disable the enforcement of driver integrity checks. This is a more drastic measure and carries higher risks. Furthermore, this command often requires Secure Boot to be disabled in your computer’s UEFI/BIOS settings to take effect, as Secure Boot itself enforces checks that conflict with this setting.

Warning: Disabling integrity checks permanently weakens a core security feature of Windows. Only use this method if absolutely necessary and you understand the significant security risks involved.

To disable driver signature enforcement using BCDedit:

  1. Open Command Prompt as Administrator: You need elevated privileges to modify the Boot Configuration Data (BCD). Search for “Command Prompt” in the Start Menu, right-click on it, and select “Run as administrator.” Alternatively, search for “CMD,” right-click, and choose “Run as administrator.”
  2. Execute the Disable Command: In the elevated Command Prompt window, type the following command and press Enter:

    bcdedit.exe /set nointegritychecks on
    

    This command instructs the Boot Manager to ignore the results of driver integrity checks during startup. If the command is successful, you should see a confirmation message like “The operation completed successfully.”

    • Note: If you receive an error message like “The value is protected by Secure Boot policy and cannot be modified,” it means Secure Boot is enabled in your computer’s UEFI/BIOS settings and is preventing the modification of the BCD. You must disable Secure Boot in your UEFI firmware settings before this command can work. Accessing UEFI settings usually involves pressing a specific key (like F2, F10, F12, Del, or Esc) immediately after powering on your computer. The exact key varies by manufacturer.
  3. Restart Your Computer: After executing the command successfully and ensuring Secure Boot is disabled if necessary, restart your computer. Windows should now boot with driver signature enforcement permanently disabled. You can proceed to install your unsigned driver.

Re-enabling Driver Signature Enforcement:

To revert this change and re-enable driver signature enforcement, open Command Prompt as Administrator again and execute the following command:

    bcdedit.exe /set nointegritychecks off

Press Enter. If successful, you will see the “The operation completed successfully” message. Remember to re-enable Secure Boot in your UEFI settings afterwards if you disabled it previously. Restart your computer for the changes to take effect.

This method provides a persistent disablement, meaning it stays active across reboots until you explicitly turn it off. Because of its permanent nature and the potential requirement to disable Secure Boot, it is the riskiest method discussed here.

3] Enable Test Signing Mode (Semi-Permanent with Watermark)

This method is another approach using BCDedit that enables a special “Test Mode” in Windows. In Test Mode, driver signature enforcement is relaxed, allowing the installation and loading of unsigned drivers. Unlike the previous BCDedit method, enabling Test Signing adds a “Test Mode” watermark to the bottom right corner of your desktop screen. This watermark serves as a constant visual reminder that your system is running in a less secure state, which is intended for testing purposes.

This method is typically used by driver developers to test their drivers before they are officially signed. It is less disruptive than completely turning off integrity checks (nointegritychecks) but still bypasses the standard enforcement. Like the nointegritychecks command, enabling Test Signing usually requires Secure Boot to be disabled in your UEFI/BIOS settings.

To enable Test Signing Mode:

  1. Open Command Prompt as Administrator: As with the previous method, you need to open Command Prompt with administrative privileges. Search for “CMD,” right-click, and select “Run as administrator.”
  2. Execute the Test Signing Command: In the elevated Command Prompt window, type the following command and press Enter:

    bcdedit /set testsigning on
    

    If the command executes successfully, you will see “The operation completed successfully.”

    • Note: If you encounter the error “The value is protected by Secure Boot policy and cannot be modified,” you must disable Secure Boot in your computer’s UEFI/BIOS settings before attempting this command again. Refer to your computer’s manual or manufacturer’s website for instructions on accessing UEFI settings.
  3. Restart Your Computer: After successfully executing the command and ensuring Secure Boot is disabled if needed, restart your computer. Windows will now boot into Test Mode.

You will notice a “Test Mode” watermark on the desktop, usually in the bottom right corner. This indicates that driver signature enforcement is disabled, and you can install your unsigned driver.

Exiting Test Signing Mode:

To disable Test Signing Mode and remove the watermark, open Command Prompt as Administrator and execute the following command:

    bcdedit /set testsigning off

Press Enter. If the command is successful, you’ll see the confirmation message. Restart your computer for the change to take effect. If you disabled Secure Boot, remember to re-enable it in your UEFI settings after exiting Test Mode and restarting.

This method offers a persistent bypass for testing but provides a visual cue (the watermark) and is generally considered safer than the nointegritychecks method as it’s specifically designed for a testing environment.

Comparing the Methods

Here’s a quick comparison of the three methods:

| Method | Permanence | Requires Secure Boot Disabled? | Visual Indicator? | Recommended Use Case | Risks |
|---|---|---|---|---|---|
| Advanced Boot Menu (Option 7) | Temporary | No | No | One-time unsigned driver installation | Low (enforcement returns on reboot) |
| Enable Test Signing (bcdedit /set testsigning on) | Semi-Permanent | Yes (Usually) | Yes (Watermark) | Driver development, testing in a controlled environment | Moderate (persistent disablement, requires Secure Boot off) |
| Disable Integrity Checks (bcdedit.exe /set nointegritychecks on) | Permanent | Yes (Usually) | No | Generally not recommended - debugging only | High (permanent disablement, requires Secure Boot off, less controlled than Test Mode) |

Important Considerations:

  • Secure Boot: Both BCDedit methods (testsigning and nointegritychecks) often require disabling Secure Boot in your computer’s UEFI firmware settings. Secure Boot is a security standard that helps ensure that your PC boots using only software that is trusted by the PC manufacturer. Disabling it reduces your system’s protection against rootkits and other low-level malware that can load early in the boot process. Always re-enable Secure Boot after you are done installing the unsigned driver and have re-enabled driver signature enforcement.
  • System Stability: Installing unsigned drivers, regardless of the method used to disable enforcement, can lead to system instability, crashes, or hardware malfunctions. Ensure you have a system restore point or backup before proceeding.
  • Security Risks: The primary risk is installing malicious or compromised drivers. Always download drivers only from sources you absolutely trust.
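
To confirm that enforcement and Secure Boot are back on after using any of the methods above, the following PowerShell audit reads the two BCD options and the Secure Boot state. It is an added example, not part of the original article; the function names Get-BcdFlag and Get-BootIntegrityReport are hypothetical, and it assumes an elevated session and English-language bcdedit output.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell session.

function Get-BcdFlag {
    param([string[]]$BcdLines, [string]$Name)
    # bcdedit prints "name   value"; an option that was never set has no line at all.
    foreach ($line in $BcdLines) {
        if ($line -match "^\s*$([regex]::Escape($Name))\s+(\S+)\s*$") { return $Matches[1] }
    }
    return 'not set'
}

function Get-BootIntegrityReport {
    param([string[]]$BcdLines, $SecureBoot)
    $report = [pscustomobject]@{
        TestSigning       = Get-BcdFlag -BcdLines $BcdLines -Name 'testsigning'
        NoIntegrityChecks = Get-BcdFlag -BcdLines $BcdLines -Name 'nointegritychecks'
        SecureBoot        = $SecureBoot
    }
    # Weakened if either bypass is on, or Secure Boot is off or could not be confirmed.
    $weak = ($report.TestSigning -eq 'Yes') -or
            ($report.NoIntegrityChecks -eq 'Yes') -or
            ($SecureBoot -ne $true)
    $report | Add-Member -NotePropertyName Weakened -NotePropertyValue $weak -PassThru
}

# Constructed sample of bcdedit output with Test Mode left on (not captured from a real machine).
$sample = @(
    'Windows Boot Loader',
    '-------------------',
    'identifier              {current}',
    'nx                      OptIn',
    'testsigning             Yes'
)
Get-BootIntegrityReport -BcdLines $sample -SecureBoot $false | Format-List

# Live check of the running system. '{current}' is quoted so PowerShell
# does not treat the braces as a script block.
$bcd = & bcdedit.exe /enum '{current}'
if ($LASTEXITCODE -ne 0) { throw 'bcdedit failed; start PowerShell with "Run as administrator".' }

# Confirm-SecureBootUEFI throws on legacy BIOS systems and in non-elevated sessions.
$secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop }
              catch { "unknown: $($_.Exception.Message)" }

$live = Get-BootIntegrityReport -BcdLines $bcd -SecureBoot $secureBoot
$live | Format-List
if ($live.Weakened) {
    Write-Warning 'Driver signature enforcement or Secure Boot is not in its default protected state.'
}
```

The Advanced Boot Menu method leaves no BCD entry, so this audit only detects the two persistent BCDedit methods.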

How to Find Unsigned Drivers in Windows?

Windows provides a built-in tool called the File Signature Verification Tool, or sigverif, which can help you identify unsigned drivers and system files on your computer. This tool scans your system and lists files, including drivers, that do not have a digital signature. Identifying unsigned drivers is important because, as discussed, they pose potential security and stability risks.

To use the File Signature Verification Tool:

  1. Press Windows Key + R to open the Run dialog box.
  2. Type sigverif and press Enter or click OK.
  3. The File Signature Verification tool window will open. Click the “Start” button.
  4. The tool will scan your system files and drivers. This process may take a few moments.
  5. After the scan is complete, a list of unsigned files will be displayed in a “Scan Results” window. This list includes the file name, its location, and the modified date.
  6. Review the list. Pay close attention to files located in system directories (like C:\Windows\System32\drivers). If you identify an unsigned driver that you did not intentionally install (e.g., via one of the methods above) and cannot identify its source or purpose, it could potentially be malware or a problematic driver.
  7. You can right-click on an item in the list and choose “Properties” to see more details about the file. Research any suspicious unsigned files online to determine if they are legitimate but unsigned, or if they are potentially harmful.
  8. Close the tool when finished.

If sigverif identifies unsigned drivers that you are not familiar with, consider researching them thoroughly. If you suspect a file is malicious, run a full system scan with reputable antivirus software. You might also consider uninstalling hardware or software associated with the unsigned driver if it is causing issues or cannot be verified as safe.
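
A scripted counterpart to the sigverif scan, useful when the check has to be repeated or logged: it lists driver files whose signature does not validate, with a SHA-256 hash for researching each file. This is an added example, not part of the original article; it assumes the default driver directory and an elevated PowerShell session.

```powershell
# Added example (not from the original article). Read-only: it changes nothing on disk.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

$findings = Get-ChildItem -Path $driverDir -Filter '*.sys' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Get-AuthenticodeSignature reports Valid, NotSigned, HashMismatch, NotTrusted, etc.
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                File     = $_.FullName
                Status   = $sig.Status
                Signer   = $sig.SignerCertificate.Subject   # empty when the file is not signed
                Modified = $_.LastWriteTime
                SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }

if (@($findings).Count -eq 0) {
    Write-Output "No driver files with a non-valid signature found under $driverDir."
} else {
    # Most recently modified first: a recently dropped unsigned driver is the
    # case that most needs an explanation.
    $findings | Sort-Object Modified -Descending | Format-List
}
```

A status other than Valid is a lead to research, as in step 6 above, not proof that a file is malicious; HashMismatch means the file changed after it was signed.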

What is Disable Driver Signature?

“Disable Driver Signature Enforcement” refers to the act of temporarily or permanently turning off a security feature in Windows that prevents the installation and loading of drivers that do not have a valid digital signature from a trusted authority (like Microsoft). By default, Windows enforces this policy to protect the integrity and stability of the operating system kernel and to prevent the execution of potentially harmful or unstable code at a low level.

Disabling this feature allows the operating system to load and install drivers even if they lack a digital signature. While this can be necessary in specific circumstances (like installing drivers for very old hardware or custom devices), it inherently increases the risk of system instability, crashes, and security vulnerabilities, including the potential for malware (like rootkits) to install and hide itself deeply within the system. Therefore, it is widely advised by security professionals and Microsoft not to keep driver signature enforcement disabled for longer than absolutely necessary. It is a measure to be used cautiously and reverted as soon as the task requiring it is complete.

Disabling driver signature enforcement should not be taken lightly. While the steps outlined above can help you install necessary unsigned drivers, they come with significant security trade-offs. Always ensure you obtain unsigned drivers from highly reliable sources. If possible, search for alternative, signed drivers first. If you must proceed, use the temporary method via Advanced Boot Options whenever feasible, as it minimizes the duration of the security vulnerability. If using the BCDedit methods, understand the interaction with Secure Boot and the visual cues (or lack thereof) indicating the system’s state. Prioritize re-enabling enforcement and Secure Boot once your task is finished to restore your system’s full security protection.
