Windows 10: Configure Early Launch AntiMalware Boot-Start Driver Policy

Discussion in 'Windows 10 Tutorials' started by Brink, Apr 1, 2018.

  1. Brink
    Brink New Member

    How to Configure Early Launch AntiMalware Boot-Start Driver Initialization Policy in Windows 8 and 10


    As antimalware (AM) software has become better and better at detecting runtime malware, attackers are also becoming better at creating rootkits that can hide from detection. Detecting malware that starts early in the boot cycle is a challenge that most AM vendors address diligently. Typically, they create system hacks that are not supported by the host operating system and can actually result in placing the computer in an unstable state. Up to this point, Windows has not provided a good way for AM to detect and resolve these early boot threats.

    Windows 8 and Windows 10 include a feature called Secure Boot, which protects the Windows boot configuration and components, and loads an Early Launch Anti-malware (ELAM) driver. This driver starts before other boot-start drivers and enables the evaluation of those drivers and helps the Windows kernel decide whether they should be initialized.

    For more details about Early Launch Anti-malware, see:
    The Boot-Start Driver Initialization Policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:
    • Good - The driver has been signed and has not been tampered with.
    • Bad - The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
    • Bad, but required for boot - The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
    • Unknown - This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.
    If you enable this policy setting you will be able to choose which boot-start drivers to initialize the next time the computer is started.

    If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.

    If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.

    This tutorial will show you how to configure the Early Launch AntiMalware Boot-Start Driver Initialization Policy in Windows 8 and Windows 10.

    Note: You must be signed in as an administrator to be able to configure the Boot-Start Driver Initialization Policy.


    CONTENTS:
    • Option One: To Configure Boot-Start Driver Initialization Policy using Group Policy
    • Option Two: To Configure Boot-Start Driver Initialization Policy using a REG file




    OPTION ONE: To Configure Boot-Start Driver Initialization Policy using Group Policy
    Note: The Local Group Policy Editor is only available in the Windows 8/10 Pro, Enterprise, and Education editions.

    All editions can use Option Two below.

    1. Open the Local Group Policy Editor.

    2. In the left pane of Local Group Policy Editor, navigate to the location below. (see screenshot below)
    Computer Configuration\Administrative Templates\System\Early Launch Antimalware



    3. In the right pane of Early Launch Antimalware in Local Group Policy Editor, double click/tap on the Boot-Start Driver Initialization Policy policy to edit it. (see screenshot above)

    4. Do step 5 (enable) or step 6 (disable) below for what you would like to do.


    5. To Enable and Configure Boot-Start Driver Initialization Policy
    A) Select (dot) Enabled at the top. (see screenshot below)

    B) Under Options, choose the boot-start drivers that can be initialized for what you want.
    • Good only
    • Good and unknown
    • Good, unknown and bad but critical
    • All
    C) Click/tap on OK, and go to step 7 below.

    6. To Not Configure Boot-Start Driver Initialization Policy
    A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 7 below. (see screenshot below)

    Note: Not Configured is the default setting.



    7. When finished, you can close the Local Group Policy Editor.

    8. Restart the computer to apply.





    OPTION TWO: To Configure Boot-Start Driver Initialization Policy using a REG file
    Note: The downloadable .reg files below will add and modify the DWORD value in the registry key below.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch

    DriverLoadPolicy DWORD

    (delete) = Default setting
    8 = Good only
    1 = Good and unknown
    3 = Good, unknown and bad but critical
    7 = All



    1. Do step 2 (Default), step 3 (Good only), step 4 (Good and unknown), step 5 (Good, unknown and bad but critical), or step 6 (All) below for what you would like to do.


    2. To Set Boot-Start Driver Initialization Policy to Not Configured
    Note: This is the default setting.
    A) Click/tap on the Download button below to download the file below, and go to step 7 below.

    Default_Early_Launch_DriverLoadPolicy.reg

    Download

    3. To Set Boot-Start Driver Initialization Policy to "Good only"
    A) Click/tap on the Download button below to download the file below, and go to step 7 below.

    Good-only_Early_Launch_DriverLoadPolicy.reg

    Download

    4. To Set Boot-Start Driver Initialization Policy to "Good and unknown"
    A) Click/tap on the Download button below to download the file below, and go to step 7 below.

    Good-and_unknown_Early_Launch_DriverLoadPolicy.reg

    Download

    5. To Set Boot-Start Driver Initialization Policy to "Good, unknown and bad but critical"
    A) Click/tap on the Download button below to download the file below, and go to step 7 below.

    Good_unknown,bad,but_critical_Early_Launch_DriverLoadPolicy.reg

    Download

    6. To Set Boot-Start Driver Initialization Policy to "All"
    A) Click/tap on the Download button below to download the file below, and go to step 7 below.

    All_Early_Launch_DriverLoadPolicy.reg

    Download
    7. Save the .reg file to your desktop.

    8. Double click/tap on the downloaded .reg file to merge it.

    9. If prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

    10. If you like, you can now delete the downloaded .reg file.

    11. Restart the computer to apply.

    That's it,
    Shawn


     
    Brink, Apr 1, 2018
    #1
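The registry value from Option Two can be audited with a short script. This is an added example, not part of the original post: the key, value name and data meanings come from the table in the tutorial, while the check for an installed ELAM driver relies on the `Early-Launch` load order group, which is an assumption brought in from outside this page.

```powershell
# Added example: audit the ELAM Boot-Start Driver Initialization Policy.
# Key path, value name and data meanings are taken from the tutorial's table.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
$ValueName = 'DriverLoadPolicy'
$Meaning   = @{
    8 = 'Good only'
    1 = 'Good and unknown'
    3 = 'Good, unknown and bad but critical'
    7 = 'All'
}

function Get-ElamDriverLoadPolicy {
    $prop = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        # Key or value absent: the policy is Not Configured (default behaviour).
        return [pscustomobject]@{
            Configured  = $false
            Data        = $null
            Initializes = 'Good, unknown and bad but critical (default)'
            LoadsBad    = $false
        }
    }
    $data = [int]$prop.$ValueName
    $label = if ($Meaning.ContainsKey($data)) { $Meaning[$data] }
             else { 'Unrecognized value (not in the tutorial table)' }
    [pscustomobject]@{
        Configured  = $true
        Data        = $data
        Initializes = $label
        LoadsBad    = ($data -eq 7)   # "All" also initializes drivers classified Bad
    }
}

# Assumption (not from the page): ELAM drivers register in the
# 'Early-Launch' load order group under the Services key.
$elam = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Get-ItemProperty -Name Group -ErrorAction SilentlyContinue |
    Where-Object { $_.Group -eq 'Early-Launch' }

$policy = Get-ElamDriverLoadPolicy
$policy | Format-List
if (-not $elam) {
    Write-Warning 'No ELAM driver found: the policy has no effect and all boot-start drivers are initialized.'
} elseif ($policy.LoadsBad) {
    Write-Warning 'DriverLoadPolicy = 7 (All): drivers classified as Bad will be initialized.'
}
```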
  2. fdegrove Win User

    Group Policy on home machine?!?!?!?!?


    Hi,

    Had the same issue on a number of occasions. This is what solved it for me:


    Steps to fix 'Some settings are managed by your organization' message in Windows 10
    Make sure you have administrator rights and follow the steps below:

    Step 1: Launch Run prompt by right clicking the Windows Start menu icon. Type in gpedit.msc and click OK or Enter.
    Step 2: In Group Policy Editor (gpedit.msc), go to Computer Configuration/Administrative Templates/Windows Components/Data Collection and Preview Builds.
    Step 3: Find the Allow Telemetry item and double-click it to edit the policies.
    Step 4: Change the setting to Enabled. Change the drop-down menu entry to 3-Full and click Apply.
    Step 5: Now open the item again and change its Setting to Not configured and hit the Save button.
    The message should no longer stop you from accessing various system settings in Windows 10.

    Cheers,
     
    fdegrove, Oct 26, 2019
    #2
  3. Solaris17 Win User
    is there any demand for a system configurator?

    Processor(V) <--drop down arrow
    -AMD(V)
    --Socket(V)
    ---AM2(V)
    ----List of cpu's
    ---939(V)
    ----List of CPU's
    -Intel(V)
    --Socket(V)
    ---775(V)
    ----List of cpu's
    ---771(V)
    ----List of CPU's


    etc etc.
     
    Solaris17, Oct 26, 2019
    #3
  4. Configure Early Launch AntiMalware Boot-Start Driver Policy

    Antimalware service executable consuming ram and cpu

    Hello,

    We would like to know more about this concern, please provide the following information:

    • Is this your first time to encounter this issue?
    • Did you make any changes to your computer's configuration prior to the issue?
    • What troubleshooting steps have you tried so far?
    Antimalware Service Executable is the name of the process MsMpEng (MsMpEng.exe) used by the Windows Defender program. The service associated with this program is the Windows Defender Service. For possible troubleshooting steps, you can check GreginMich's post through this link.

    Looking forward to your response.
     
    Antoneth Ber, Oct 26, 2019
    #4
  5. ram93 Win User
    laptop doesnt boot automatically

    This is what happened.

    1. Did a repair install and later disabled hibernate in CMD.
    2. Enabled legacy option ROM in BIOS.
    3. After a few startups (I used the system in this mode for 5 days), changed the boot option back to default.
    4. Voilà!! It boots automatically to win10 without any keypress. Tested it with many starts to confirm the same.
    5. Re-enabled hibernate option using CMD and later selected Fast Startup.
    6. System booted normally, without the need for any keypress.

    I do not know exactly whether such steps resolved the problem or what else happened, hence cannot suggest above steps.

    Many thanks to all members who helped to troubleshoot problems.
     
    ram93, Oct 26, 2019
    #5
  6. Windows 10 error: "Windows couldn't connect to the Group Policy Client service. Please consult your system administrator"

    Hi Rico,

    Thank you for posting in Microsoft Community, we appreciate your interest in Windows 10.

    I understand the inconvenience you are facing with accessing the operating system.

    Do let us know the following to assist you better:

    • Which edition of Windows Operating System are you using?
    • What troubleshooting steps have you performed?
    • Have you installed all the pending updates on your Operating System?
    • Have you installed any third-party anti-virus software on your system?

    I suggest you try a few of the troubleshooting steps below and check if that helps.

    I suggest you stop the Group Policy service, restart and set it to Automatic.

    The Group Policy Client service is responsible for applying settings configured by administrators for the computers and users through the Group Policy component. If the service is disabled, the settings will be applied and applications and components will not be manageable through Group Policy.

    Step 1: Stop the Group Policy Client service.

    • Press Windows Key + R on the keyboard and type services.msc; the Services window opens.
    • Search for the Group Policy Client service, right click on it and click on Stop.
    • Restart the computer.

    Step 2: Start the service and set it to automatic:

    • Press Windows Key + R on the keyboard and type services.msc; the Services window opens.
    • Search for the Group Policy Client service, right click on it and click on Properties.
    • Start the service, set Startup type to Automatic.

    Hope it helps. Reply to the post with an updated status of this issue for further assistance.
     
    Deepika Gowda, Oct 26, 2019
    #6