QUESTION :
I am sick of trying to disable “only signed driver” installation on Windows 10.
I tried running as admin:
bcdedit /set testsigning on
bcdedit /set nointegritychecks off
But to no avail.
Only rebooting and using “Startup options” and then “Disable driver signature enforcement” worked. But this is one time. How can I do this permanently?
This is extremely ridiculous – I wanted to install the USBasp driver (for programming AVR microcontrollers) and I couldn’t…
P.S. I have “Secure boot” disabled in BIOS.
ANSWER :
I think you meant to run:
bcdedit /set testsigning off
bcdedit /set nointegritychecks on
Note the “nointegritychecks on”.
In any case, the first one should have been enough and the second is not needed.
Secure Boot should also be disabled in the BIOS.
More info in the article “The TESTSIGNING Boot Configuration Option”.
In all cases, you need to run:
bcdedit /set testsigning off
bcdedit /set nointegritychecks on
In some cases, this will be enough to install the driver.
In some cases, however, you will also need to do the following immediately before installing the driver:
1) Restart machine while holding down Shift key → Troubleshoot → Advanced Options → Startup Settings → Restart
2) When the Startup Settings screen appears, select “Disable Driver Signature Enforcement”
Monitor EDID overrides are an example of a type of driver that always needs the second method. I suspect, but am not sure, that the first method by itself works for drivers that have “test” signatures, whereas the second is needed for drivers that have no signature whatsoever.
Note that in my experience, performing the second method but not the first will in all cases allow the drivers to install, but cause them to cease functioning after the next reboot. Thus, the bcdedit commands are needed in all cases.
I really, really hope Microsoft reconsiders this policy in the future. This type of policy is something I expect on iOS, not my self-built PC. Even Apple’s own macOS gives users the ability to permanently allow unsigned kernel extensions.
Given admin and bootloader access, I should always be able to run unsigned code on my own machine. A mechanism that needs to be re-enabled after every boot, and which cannot be performed at all with a Bluetooth keyboard, should not be acceptable in a desktop OS with wide-ranging hardware targets.
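To see which of the boot options discussed in this thread are actually in effect, the current boot entry and the Secure Boot state can be read back. The following is an added example, not part of the question or the answers; the function name `Get-DriverSigningBootOption` and the sample `bcdedit` output are constructed for illustration.

```powershell
# Added example (not from the thread): report the boot options discussed above.
function Get-DriverSigningBootOption {
    param(
        # Lines of `bcdedit /enum {current}` output. The default queries the
        # live system and needs an elevated prompt.
        [string[]]$BcdText = (bcdedit /enum '{current}')
    )
    # An element that is absent from the boot entry has never been set.
    $state = [ordered]@{ testsigning = 'not set'; nointegritychecks = 'not set' }
    foreach ($line in $BcdText) {
        if ($line -match '^\s*(testsigning|nointegritychecks)\s+(\S+)\s*$') {
            $state[$Matches[1].ToLower()] = $Matches[2]   # raw value as bcdedit prints it
        }
    }
    # Secure Boot state; the cmdlet throws on legacy BIOS or without elevation.
    try   { $state['SecureBoot'] = [string](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch { $state['SecureBoot'] = 'unknown' }
    [pscustomobject]$state
}

# Constructed sample of `bcdedit /enum {current}` output, so the parser can be
# tried without touching the boot configuration.
$sample = @'
Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.efi
description             Windows 10
testsigning             Yes
nointegritychecks       Yes
nx                      OptIn
'@ -split "`r?`n"

Get-DriverSigningBootOption -BcdText $sample

# Live system, from an elevated prompt:
# Get-DriverSigningBootOption
```

The values are reported exactly as `bcdedit` prints them, so on a localized Windows installation they appear in the system language.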