By default, Windows requires all device drivers to be digitally signed. If a driver is not digitally signed or its signing certificate has been revoked, Windows will refuse to install it. If you need to install a legacy driver without a digital signature on Windows 11, it is recommended to manually sign the driver using a self-signed certificate (a fairly complex but safe approach). This post covers how to permanently disable driver signature verification and install an unsigned driver in Windows 11 or 10.
In my example, when I tried to install an old GPU driver without a digital signature using the pnputil.exe /add-driver c:\drivers\*.inf /subdirs /install command or from File Explorer, the following errors occurred:
Error 0xE000022F: The third-party INF does not contain digital signature information.
Error 0x800B010C: A certificate was explicitly revoked by its issuer.
Disable Driver Signature Enforcement in Advanced Boot Mode
One of the startup modes in Windows allows you to choose to ignore driver signature verification at boot time. To reboot Windows in the advanced startup mode, hold down the Shift key and click Restart on the Start menu.
Windows will boot to the Windows RE recovery environment where you will need to select Troubleshoot -> Advanced Options -> Startup Settings -> Restart.
The computer will restart and a list of available advanced boot modes will appear. Press the F7 key (or Fn+F7 on laptops) to boot Windows with the Disable driver signature enforcement option enabled.
Windows doesn’t prevent you from installing unsigned drivers in this mode. If you try to install an unsigned driver, a security warning will appear:
Windows can't verify the publisher of this driver software. The driver software you're attempting to install does not have a valid digital signature that verifies who published it, and could potentially be malicious software. You should only install driver software from publishers you trust. How can I decide which device software is safe to install?
To confirm driver installation, click Install this driver software anyway. The driver will be installed, but a device with an unsigned driver may show an exclamation mark and an error code 52 in Device Manager:
Windows cannot verify the digital signature for the drivers required for this device. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source. (Code 52)
You can use the built-in sigverif.exe (File Signature Checker) tool to list installed drivers that don’t have a signature. Run the tool and click the Start button. The utility will scan the Windows Driver Store and list unsigned driver files.
To use a device with an unsigned driver, you have to boot Windows using the F7 key into the advanced startup mode every time, which is inconvenient.
TESTSIGNING boot loader option (described below).
How to Permanently Disable Driver Signature Checks via CMD
To avoid manually selecting a boot mode with driver signature verification disabled each time you start Windows, you can use the bcdedit.exe command-line tool to change the Boot Configuration Data (BCD) store settings.
Open an elevated command prompt and run the following commands in sequence:
bcdedit.exe -set loadoptions DISABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING ON
bcdedit.exe -set NOINTEGRITYCHECKS ON
shutdown -f -r -t 0
Windows will now always boot in test mode, skipping driver signature checks. In this mode, a Test Mode watermark with the version and build of Windows appears in the lower-right corner of the desktop.
To turn driver signature enforcement back on, run the following commands:
bcdedit.exe -set loadoptions ENABLE_INTEGRITY_CHECKS
bcdedit.exe -set TESTSIGNING OFF
bcdedit.exe -set NOINTEGRITYCHECKS OFF
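To confirm which state a machine is in after either set of commands, the following PowerShell audit reads the three BCD values changed above and lists devices reporting Code 52. It is an added example, not code from the original post; the function names and the sample bcdedit output are constructed for illustration, and English-language bcdedit output is assumed.

```powershell
# Added example (not from the original post). Function names are hypothetical.
# Assumes English-language bcdedit output ("Yes"/"No" values).

function Get-DriverSigningBcdState {
    param(
        # Lines of `bcdedit /enum {current}` output. Defaults to the live BCD
        # store, which requires an elevated session.
        [string[]]$BcdText = (& bcdedit.exe /enum '{current}')
    )
    # Elements absent from the output are at their defaults (enforcement on).
    $state = @{ testsigning = 'No'; nointegritychecks = 'No'; loadoptions = '' }
    foreach ($line in $BcdText) {
        if ($line -match '^(testsigning|nointegritychecks|loadoptions)\s+(.+?)\s*$') {
            $state[$Matches[1].ToLower()] = $Matches[2]
        }
    }
    [pscustomobject]@{
        TestSigning         = $state.testsigning
        NoIntegrityChecks   = $state.nointegritychecks
        LoadOptions         = $state.loadoptions
        EnforcementWeakened = ($state.testsigning -eq 'Yes') -or
                              ($state.nointegritychecks -eq 'Yes') -or
                              ($state.loadoptions -match 'DISABLE_INTEGRITY_CHECKS')
    }
}

function Get-Code52Device {
    # Devices that Device Manager flags with Code 52 (signature not verified).
    Get-CimInstance -ClassName Win32_PnPEntity -Filter 'ConfigManagerErrorCode = 52' |
        Select-Object Name, DeviceID
}

# Constructed sample: bcdedit output after the three "disable" commands above.
$sample = @'
Windows Boot Loader
-------------------
identifier              {current}
loadoptions             DISABLE_INTEGRITY_CHECKS
testsigning             Yes
nointegritychecks       Yes
'@ -split "`r?`n"

Get-DriverSigningBcdState -BcdText $sample

# On a live system, from an elevated session:
#   Get-DriverSigningBcdState
#   Get-Code52Device
```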
Ignore Code Signing for Device Drivers Using GPO
There is a separate option in the local Group Policy Editor (gpedit.msc) that allows you to ignore missing signatures during driver installation. This GPO option works only on Windows 7 and 8, not on Windows 10 or 11.
Open the local GPO editor and navigate to User Configuration -> Administrative Templates -> System -> Driver Installation.
Enable the Code Signing for Device Drivers policy and select the Ignore option in its settings.
Reboot the device and try to install an unsigned driver.