How do I disable AV/driver-signature blocks on Windows 11?
Both actions markedly reduce system security; re-enable them immediately after the required task.
Security components involved
• Microsoft Defender Antivirus (real-time engine, cloud protection, core-isolation driver blocklist).
• Kernel-mode Driver Signature Enforcement (KMCS) enforced by Code-Integrity (CI) & Hyper-V–backed HVCI on 64-bit Windows.
• UEFI Secure Boot (ensures only trusted bootloaders/kernel drivers are executed).
• Optionally, Microsoft Vulnerable Driver Blocklist (a newer toggle in Win 11 22H2+).
Why the blocks occur
• Unsigned or test-signed drivers have no Microsoft-issued signature → CI refuses to load them.
• Low-level flash / firmware utilities perform direct I/O that Defender flags as suspicious.
• If HVCI/Memory Integrity is on, even some WHQL-signed but vulnerable drivers are blocked.
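Before touching any of the layers above it helps to know which one will actually reject a given driver. The following PowerShell function is an added example (not part of the original answer, and not a Microsoft tool): it reads the driver file's embedded Authenticode signature and classifies it as unsigned, Microsoft/WHQL-signed, or signed with a certificate whose chain is not trusted (the usual result for a test-signed driver). The function name and the C:\Drivers\example.sys path are placeholders of this example.

```powershell
# Added example: classify a kernel driver's signature so you can predict which
# enforcement layer (CI, HVCI blocklist, AV) will act on it.
function Get-DriverSignatureClass {
    param([Parameter(Mandatory)][string]$Path)   # e.g. C:\Drivers\example.sys (placeholder)

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $issuer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Issuer }  else { '' }

    $class = switch ($sig.Status) {
        'NotSigned' { 'Unsigned (no embedded signature; may still be catalog-signed)' }
        'Valid' {
            if ($subject -match 'Microsoft Windows Hardware Compatibility Publisher') {
                'WHQL / attestation-signed (loads with CI and Secure Boot on)'
            } elseif ($issuer -match 'Microsoft') {
                'Microsoft-signed'
            } else {
                'Valid chain, non-Microsoft signer (CI will still reject it on Win 11)'
            }
        }
        { $_ -in 'UnknownError', 'NotTrusted' } {
            'Chain ends in an untrusted root (typical for test-signed drivers)'
        }
        default { "Other: $($sig.Status) - $($sig.StatusMessage)" }
    }

    [PSCustomObject]@{
        Path    = $Path
        Status  = $sig.Status
        Subject = $subject
        Issuer  = $issuer
        Class   = $class
    }
}

# Usage (placeholder path):
Get-DriverSignatureClass -Path 'C:\Drivers\example.sys' | Format-List
```

One caveat: many shipped driver packages carry the signature in the package's .cat file rather than embedded in the .sys, so a 'NotSigned' result here does not by itself prove the package is unsigned; check the accompanying catalog before concluding that the one-boot "Disable driver signature enforcement" path is needed.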
Interaction hierarchy
UEFI Secure Boot ▶ CI / HVCI ▶ Driver-Signature Enforcement ▶ Vulnerable-Driver Blocklist ▶ AV real-time engine.
Disabling a lower layer is ineffective unless the upper layer allows it. Therefore, for a permanent unsigned-driver workflow you must disable Secure Boot first.
A. DRIVER SIGNATURE ENFORCEMENT
One-boot (safe, recommended)
• Settings → System → Recovery → Advanced startup → Restart now
• Troubleshoot → Advanced options → Startup settings → Restart
• Press 7 or F7 = “Disable driver signature enforcement”.
• Install the unsigned driver → reboot (protection auto-restores).
Persistent developer/test mode (requires Secure Boot OFF)
• Enter UEFI firmware (Del/F2) → disable Secure Boot.
• Run elevated CMD:
bcdedit /set testsigning on
bcdedit /set nointegritychecks on
• Reboot → Desktop shows “Test Mode” watermark.
• When finished:
bcdedit /set nointegritychecks off
bcdedit /set testsigning off
and optionally re-enable Secure Boot.
Group Policy (Pro/Enterprise only)
gpedit.msc → User Configuration → Administrative Templates → System → Driver Installation → “Code signing for device drivers” = Enabled / Ignore.
(Still overridden by Secure Boot & HVCI.)
Disable Microsoft Vulnerable Driver Blocklist (Win11 22H2+)
Windows Security → Device Security → Core isolation details → toggle “Microsoft Vulnerable Driver Blocklist”. Useful when a signed driver is blocked for exploit mitigation.
B. WINDOWS DEFENDER / ANTIVIRUS
GUI (temporary)
Windows Security → Virus & threat protection → Manage settings
• Turn off Tamper Protection (otherwise the next steps are ignored).
• Toggle Real-time protection, Cloud-delivered protection, Automatic sample submission to Off.
These automatically switch back on after the next reboot or some hours.
PowerShell (scriptable, requires Admin)
Set-MpPreference -DisableRealtimeMonitoring $true
Re-enable with Set-MpPreference -DisableRealtimeMonitoring $false.
Group Policy (permanent, Pro/Enterprise)
Computer Configuration → Administrative Templates → Windows Components → Microsoft Defender Antivirus → “Turn off Microsoft Defender Antivirus” = Enabled.
Also disable “Tamper Protection” via Intune/registry or the GUI beforehand.
Registry (Home SKU) – last resort
HKLM\SOFTWARE\Policies\Microsoft\Windows Defender → DWORD DisableAntiSpyware=1.
TamperProtection=0 must be set under HKLM\SOFTWARE\Microsoft\Windows Defender\Features first, or the edit must be made from WinPE.
Third-party AV – use vendor tray icon → “Pause/Disable”, or uninstall completely (Windows Security will reactivate automatically).
Recent changes
• Windows 11 23H2 adds built-in blocklist updates every Patch Tuesday; the toggle is now under “Kernel-mode Hardware-enforced Stack Protection”.
• Microsoft pushes Windows Driver Security (WinDS) program – future unsigned drivers will be harder to load even in Test Mode.
• Enterprise admins are moving to WDAC (Windows Defender Application Control) which supersedes simple signature enforcement toggles.
• Secure Boot DBX is updated against known bootloaders; keeping it enabled is advisable once work is done.
Technical notes
• bcdedit /set testsigning on puts the PE loader into Test Signing mode (accepts drivers signed with self-signed certs in the test root store).
• bcdedit /set nointegritychecks on removes CI checks entirely – risky; use only offline.
• Disabling Secure Boot is done in firmware, not in Windows – every vendor menu differs (Look under Security → Secure Boot → Disable/Setup Mode).
• Tamper Protection writes protected registry values via ELAM and re-locks them; you must turn it off first.
• If Memory Integrity (HVCI) is on, you must disable it (Core Isolation page) before unsigned kernel code will load.
Risk & compliance notes
• Bypassing signature enforcement may violate corporate security policy, driver-distribution agreements, or EULAs.
• Loading unverified kernel drivers could hide malware/rootkits, exposing third parties if the machine is later reused on a production network.
• Always keep logs of actions for audit; consider an isolated test workstation rather than a daily-use PC.
Common pitfalls & fixes
• Unsigned driver still blocked → check that Secure Boot & HVCI are really off; systeminfo | find "Hyper-V Requirements" shows the virtualization-based protections.
• BCDEdit fails with “The value is protected by Secure Boot policy” → Secure Boot still on.
• GUI toggles instantly revert → Tamper Protection not disabled or GPO overrides in place.
• Future cumulative updates can silently re-enable Defender or overwrite BCDEdit flags – always retest before critical tasks.
• Some OEM firmware will refuse to boot unsigned Option ROMs even with Secure Boot disabled.
• On ARM64 Windows 11, Test Mode requires additional cross-signing; steps differ.
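The pitfalls above mostly come down to not knowing the real state of each layer. This added PowerShell script (not from the original answer; function names are this example's own) reports Secure Boot, Memory Integrity (HVCI), the BCD test-signing flags and Defender's real-time/Tamper Protection state in one object, lists anything still disabled, and reverses the in-Windows changes the answer describes once the task is done. It relies only on built-in cmdlets (Confirm-SecureBootUEFI, Win32_DeviceGuard, Get-MpComputerStatus, bcdedit) and must run from an elevated session.

```powershell
# Added example: audit and restore the protection layers discussed in the answer.
function Get-DriverSecurityPosture {
    # Confirm-SecureBootUEFI throws on legacy-BIOS machines; report $null there.
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { $null }

    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Memory Integrity)
    $dg   = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $hvci = @($dg.SecurityServicesRunning) -contains 2

    # bcdedit prints "testsigning  Yes" / "nointegritychecks  Yes" only when set.
    $bcd = bcdedit /enum '{current}' | Out-String
    $testSigning = $bcd -match 'testsigning\s+Yes'
    $noIntegrity = $bcd -match 'nointegritychecks\s+Yes'

    $mp = Get-MpComputerStatus
    [PSCustomObject]@{
        SecureBoot          = $secureBoot          # $true / $false / $null (not UEFI)
        MemoryIntegrityHVCI = $hvci
        TestSigning         = $testSigning
        NoIntegrityChecks   = $noIntegrity
        RealTimeProtection  = $mp.RealTimeProtectionEnabled
        TamperProtection    = $mp.IsTamperProtected
    }
}

function Test-SecurityRestored {
    # Returns a list of layers still disabled; an empty list means everything is back on.
    $p = Get-DriverSecurityPosture
    $issues = @()
    if ($p.SecureBoot -eq $false)      { $issues += 'Secure Boot is off (re-enable in UEFI firmware)' }
    if (-not $p.MemoryIntegrityHVCI)   { $issues += 'Memory Integrity (HVCI) is off (Core isolation page)' }
    if ($p.TestSigning)                { $issues += 'BCD testsigning is on' }
    if ($p.NoIntegrityChecks)          { $issues += 'BCD nointegritychecks is on' }
    if (-not $p.RealTimeProtection)    { $issues += 'Defender real-time protection is off' }
    if (-not $p.TamperProtection)      { $issues += 'Tamper Protection is off' }
    $issues
}

function Restore-DriverSecurityDefaults {
    # Reverses the changes made from inside Windows. Secure Boot and HVCI are
    # firmware/GUI settings and are only reported, not changed, here.
    bcdedit /set nointegritychecks off | Out-Null
    bcdedit /set testsigning off       | Out-Null
    Set-MpPreference -DisableRealtimeMonitoring $false
    Test-SecurityRestored
}

# Usage: run before the task to record the baseline, and after Restore-DriverSecurityDefaults
# to confirm nothing is left disabled (the BCD flags take effect after the next reboot).
Get-DriverSecurityPosture | Format-List
```

Keep the baseline output with your change log; the same call after the reboot is the "retest" the pitfalls list asks for, and a non-empty result from Test-SecurityRestored tells you exactly which layer a cumulative update or leftover GPO has left in the wrong state.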
Alternatives that avoid disabling security
• Windows Defender Application Control (WDAC) and Device Guard for granular driver policy.
• Using WHQL self-service Attestation Signing via Partner Center to avoid disabling security at all.
• Hyper-V isolated development VMs – you can attach USB devices and run unsigned drivers without touching host security.
• Open-source projects like signtool with local root CAs for internal driver testing.
Summary
Disabling AV and driver-signature blocks in Windows 11 is feasible but should be temporary and tightly controlled; prefer the one-boot method, and for a persistent test workflow run bcdedit /set testsigning on only after disabling Secure Boot.