Ok if you are an average user of a new Vista computer sporting the latest version of the 64bit operating system to take advantage of all what your processors can give you, I am sure you had some problem installing some hardware or software due to not having properly signed drivers.

Run these commands at elevated command prompt and unsigned drivers will run no need to f8 on reboot

Bcdedit.exe /set TESTSIGNING ON

Bcdedit.exe /set TESTSIGNING OFF

Microsoft’s announcement that kernel-mode drivers for the x64 Edition of Vista will require digital signatures in order to load. Why? Kernel mode code is sensitive, both from security and stability standpoints, and requiring that this code be signed is a way of ensuring security, or at least accountability…

I definitely agree with that, but what really jumped out at me when I read about the signing requirement was why Microsoft would make driver signatures mandatory. Having some corporation force you to do something you were once allowed to do, does sort of leave a bad taste in one’s mouth—particularly when that corporation is Microsoft, which already has—in my opinion—too large a say regarding what we’re allowed/able to do with our computers.

I suppose that MS figures that the best way to ensure that vendors get in line with the signature scheme—particularly since participation isn’t free—is to force them. Also, I figure that Microsoft is starting the requirement off with the x64 Edition because there are many fewer preexisting drivers available for x64 than for the 32-bit versions of Windows, so the forcing signing on new 64-bit drivers might prove less of a hassle.

There are some workarounds.

To disable the signature enforcement checks permanently:

1) Turn on your computer.

2) Using an Administrator account, right-click the command prompt and

click Run.

3) Enter the following command: bcdedit /set nointegritychecks ON

4) Restart your computer.

5) Install the Beta driver.

To re-enable the driver signature enforcement checks:

1) Uninstall the Beta driver.

2) Using an Administrator account, right-click the command prompt

and click Run.

3) Run the following command: bcdedit /set nointegritychecks OFF

4) Restart your computer.

To disable signature enforcement checks on startup:

1) Restart your computer

2) During startup, press F8.

3) Select Advanced Boot Options.

4) Select Disable Driver Signature Enforcement.

5) Install the Beta driver.

6) Restart your computer.

This final measure would allow you to have a system in which the driver sig checking is persistently turned off, so if you really wanted forced checking turned off for good, you could have it that way. This passage mentions that the option is “available for prerelease builds,” so it may not end up being in the final Windows releases, which would make disabling sigs more of a hassle.

However, the bottom line is, Windows is a closed system, one that hangs its hat on integration and vendor control. There’s nothing wrong with producing a product in this way, trading flexibility for stability. Frankly, if you want to be able to fiddle with the innards of your OS, Windows isn’t for you, anyway. If the idea of your OS vendor not permitting you to do whatever you wish with your system, is distasteful for you (as it is for me), there are plenty of other OSes, such as Linux, the BSDs, and now, OpenSolaris, that permit this sort of flexibility.

I do think that Microsoft and Windows developers can achieve tighter, more predictably performing systems by locking things down more tightly, and requiring digital signatures for kernel mode drivers looks like a good way to achieve this.

Bookmark to: