Configure Early Launch AntiMalware Boot-Start Driver Policy

    How to Configure Early Launch AntiMalware Boot-Start Driver Initialization Policy in Windows 8 and 10
    Published by Brink, Category: System Security
    22 Jan 2019
    Designer Media Ltd

    As antimalware (AM) software has become better and better at detecting runtime malware, attackers are also becoming better at creating rootkits that can hide from detection. Detecting malware that starts early in the boot cycle is a challenge that most AM vendors address diligently. Typically, they create system hacks that are not supported by the host operating system and can actually result in placing the computer in an unstable state. Up to this point, Windows has not provided a good way for AM to detect and resolve these early boot threats.

    Windows 8 and Windows 10 include a feature called Secure Boot, which protects the Windows boot configuration and components, and loads an Early Launch Anti-malware (ELAM) driver. This driver starts before other boot-start drivers and enables the evaluation of those drivers and helps the Windows kernel decide whether they should be initialized.

    For more details about Early Launch Anti-malware, see:

    The Boot-Start Driver Initialization Policy setting allows you to specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the following classifications for each boot-start driver:
    • Good - The driver has been signed and has not been tampered with.
    • Bad - The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
    • Bad, but required for boot - The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
    • Unknown - This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.

    If you enable this policy setting, you will be able to choose which classes of boot-start drivers are initialized the next time the computer is started.

    If you disable or do not configure this policy setting, the boot-start drivers determined to be Good, Unknown, or Bad but Boot Critical are initialized, and the initialization of drivers determined to be Bad is skipped.

    If your malware detection application does not include an Early Launch Antimalware boot-start driver or if your Early Launch Antimalware boot-start driver has been disabled, this setting has no effect and all boot-start drivers are initialized.

    This tutorial will show you how to configure the Early Launch AntiMalware Boot-Start Driver Initialization Policy in Windows 8 and Windows 10.

    You must be signed in as an administrator to be able to configure the Boot-Start Driver Initialization Policy.


     CONTENTS:

    • Option One: To Configure Boot-Start Driver Initialization Policy using Group Policy
    • Option Two: To Configure Boot-Start Driver Initialization Policy using a REG file





    OPTION ONE

    To Configure Boot-Start Driver Initialization Policy using Group Policy


    The Local Group Policy Editor is only available in the Windows 8/10 Pro, Enterprise, and Education editions.

    All editions can use Option Two below.

    1. Open the Local Group Policy Editor.

    2. In the left pane of Local Group Policy Editor, navigate to the location below. (see screenshot below)

    Computer Configuration\Administrative Templates\System\Early Launch Antimalware

    (screenshot: early_launch_antimalware_boot-start_driver_policy-1.jpg)

    3. In the right pane of Early Launch Antimalware in Local Group Policy Editor, double click/tap on the Boot-Start Driver Initialization Policy policy to edit it. (see screenshot above)

    4. Do step 5 (enable) or step 6 (disable) below for what you would like to do.


     5. To Enable and Configure Boot-Start Driver Initialization Policy

    A) Select (dot) Enabled at the top. (see screenshot below)

    B) Under Options, choose which classes of boot-start drivers may be initialized:
    • Good only
    • Good and unknown
    • Good, unknown and bad but critical
    • All

    C) Click/tap on OK, and go to step 7 below.


     6. To Not Configure Boot-Start Driver Initialization Policy

    A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 7 below. (see screenshot below)

    Not Configured is the default setting.

    (screenshot: early_launch_antimalware_boot-start_driver_policy-2.png)

    7. When finished, you can close the Local Group Policy Editor.

    8. Restart the computer to apply.






    OPTION TWO

    To Configure Boot-Start Driver Initialization Policy using a REG file


    The downloadable .reg files below will add and modify the DWORD value in the registry key below.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Policies\EarlyLaunch

    DriverLoadPolicy DWORD

    (delete) = Default setting
    8 = Good only
    1 = Good and unknown
    3 = Good, unknown and bad but critical
    7 = All



    1. Do step 2 (Default), step 3 (Good only), step 4 (Good and unknown), step 5 (Good, unknown and bad but critical), or step 6 (All) below for what you would like to do.


     2. To Set Boot-Start Driver Initialization Policy to Not Configured

    This is the default setting.

    A) Click/tap on the Download button below to download the file below, and go to step 7 below.

    Default_Early_Launch_DriverLoadPolicy.reg



     3. To Set Boot-Start Driver Initialization Policy to "Good only"

    A) Click/tap on the Download button below to download the file below, and go to step 7 below.

    Good-only_Early_Launch_DriverLoadPolicy.reg



     4. To Set Boot-Start Driver Initialization Policy to "Good and unknown"

    A) Click/tap on the Download button below to download the file below, and go to step 7 below.

    Good-and_unknown_Early_Launch_DriverLoadPolicy.reg



     5. To Set Boot-Start Driver Initialization Policy to "Good, unknown and bad but critical"

    A) Click/tap on the Download button below to download the file below, and go to step 7 below.

    Good_unknown,bad,but_critical_Early_Launch_DriverLoadPolicy.reg



     6. To Set Boot-Start Driver Initialization Policy to "All"

    A) Click/tap on the Download button below to download the file below, and go to step 7 below.

    All_Early_Launch_DriverLoadPolicy.reg


    7. Save the .reg file to your desktop.

    8. Double click/tap on the downloaded .reg file to merge it.

    9. If prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

    10. If you like, you can now delete the downloaded .reg file.

    11. Restart the computer to apply.
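    As an added example (it is not part of the tutorial and not one of its downloadable .reg files), the PowerShell below makes the same registry change as Option Two from an elevated prompt and also reports the current state before you change anything. It reads DriverLoadPolicy from the Policies\EarlyLaunch key the .reg files write and from the Control\EarlyLaunch key quoted in the thread below, decodes the value with the table above, lists the services registered in the Early-Launch load order group (the group ELAM drivers such as Windows Defender's WdBoot belong to, so an empty list means the policy has no effect, as the tutorial notes), and writes or deletes the DWORD. The function names and the decision to check both registry paths are this example's own assumptions; the value codes are the ones listed above.

```powershell
# Added example, not the tutorial's own code: inspect and set the ELAM
# DriverLoadPolicy value with PowerShell instead of merging a .reg file.
# Run from an elevated PowerShell prompt; a restart is still required to apply.

# Key written by the tutorial's .reg files and by the Group Policy setting.
$PolicyKey  = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'
# Second path quoted in the discussion thread; checked here as well (assumption).
$ControlKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\EarlyLaunch'

# Value table from the tutorial. A missing value means "Not Configured",
# which behaves like 3 (Good, unknown and bad but critical).
$LoadPolicyNames = @{
    8 = 'Good only'
    1 = 'Good and unknown'
    3 = 'Good, unknown and bad but critical'
    7 = 'All'
}

function Get-ElamDriverLoadPolicy {
    foreach ($key in $PolicyKey, $ControlKey) {
        $value = (Get-ItemProperty -Path $key -Name DriverLoadPolicy `
                      -ErrorAction SilentlyContinue).DriverLoadPolicy
        $meaning = if ($null -eq $value) {
            'Not Configured (default: Good, unknown and bad but critical)'
        } elseif ($LoadPolicyNames.ContainsKey([int]$value)) {
            $LoadPolicyNames[[int]$value]
        } else {
            'Unrecognised value'
        }
        [pscustomobject]@{ Key = $key; DriverLoadPolicy = $value; Meaning = $meaning }
    }
}

function Set-ElamDriverLoadPolicy {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Default', 'Good only', 'Good and unknown',
                     'Good, unknown and bad but critical', 'All')]
        [string]$Preset
    )
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]$identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run from an elevated PowerShell prompt; HKLM\SYSTEM is not writable otherwise.'
    }
    if ($Preset -eq 'Default') {
        # Same effect as the tutorial's Default .reg file: remove the value.
        Remove-ItemProperty -Path $PolicyKey -Name DriverLoadPolicy -ErrorAction SilentlyContinue
        return
    }
    $code = [int]($LoadPolicyNames.GetEnumerator() | Where-Object { $_.Value -eq $Preset }).Key
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name DriverLoadPolicy -PropertyType DWord `
                     -Value $code -Force | Out-Null
}

# Services in the Early-Launch load order group are the registered ELAM drivers
# (Windows Defender registers WdBoot there). With none present, the policy has no effect.
function Get-ElamDriver {
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.Group -eq 'Early-Launch' } |
        Select-Object PSChildName, ImagePath, Start
}

Get-ElamDriverLoadPolicy | Format-Table -AutoSize
Get-ElamDriver | Format-Table -AutoSize
# Set-ElamDriverLoadPolicy -Preset 'Good only'   # then restart the computer
```

    Running the two Get- functions first tells you whether any ELAM driver is registered at all and which key, if any, currently carries a value; the Set- function only ever touches the Policies\EarlyLaunch key, so a value under Control\EarlyLaunch is reported but left alone.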


    That's it,
    Shawn



    #1 bjm (Posts: 115, W10 Home 1903)

    Good day,
    Regarding:
    - HKLM\System\CurrentControlSet\Control\EarlyLaunch\DriverLoadPolicy
    - HKLM\ELAM\<VendorName>\

    My registry does not have \DriverLoadPolicy nor \ELAM\<VendorName>

    Might that mean that my W10 Home (OEM 8.1) machine does not have an ELAM driver?

    (screenshots: 4372.png, 4373.png, 4374.png)

    WebrootSA claims "ELAM Support" and their Logs on my machine report: ELAM applicable: no, driver present no, driver registered no, PPL: no, PPL configured: no

    WebrootSA support advises that I contact Microsoft. That maybe W10 Upgrade did something re ELAM. That I'm still protected by Webroot regardless of ELAM status.

    Secure Boot State is On by msinfo32.

    Laptop is ~ 4 years old HP home use, daily rider.
    Do you think I should be concerned re ELAM driver?

    Any thoughts?
    Thanks

    #2 Brink, Thread Starter (Posts: 58,382, 64-bit Windows 11 Pro for Workstations)

    Hello @bjm,

    The registry keys and values are not there by default. They only get added when the policy has been configured.

    #3 bjm (Posts: 115, W10 Home 1903)

    So, I may have ELAM driver installed ... just not setup?

    Webroot Support wrote:
    ELAM is a driver that looks into the computer OS kernel upon start up to ensure that there are no malicious drivers contained in the kernel at run time. Normal anti-virus software cannot perform this check as it's in a specific area of the OS that is primarily controlled by Microsoft. PPL is a configuration type that the ELAM driver uses.

    When Webroot scans, it looks for malware but also gathers system information to help keep your system secure, and that is why you are seeing it in the logs; however, this is just information gathered, and the ELAM driver does not need to work hand in hand with Webroot.

    Unfortunately if this driver is missing you will need to contact Microsoft support, as something may have gone wrong when your machine was upgraded to Windows 10 and only they will be able to verify.
    So, should I leave as is or run Initialization using Reg? (which Policy DWORD)
    So, I do have ELAM driver installed.... just not setup?

    #4 Brink, Thread Starter (Posts: 58,382, 64-bit Windows 11 Pro for Workstations)

    It should be enabled once setup how you like.

    #5 bjm (Posts: 115, W10 Home 1903)

    Well, "Good only" sounds like logical setup?
    And admittedly I have no idea why I'd opt for 2), 3) or 4)?
    Um, can I break machine by configuring any Policy?

    1) Good only
    2) Good and unknown
    3) Good, unknown and bad but critical
    4) All

    And admittedly I have no idea what to do, as I've been unaware of the ELAM driver status until now.

    Edit: so my Policy now is (delete) = Default setting

    #6 Brink, Thread Starter (Posts: 58,382, 64-bit Windows 11 Pro for Workstations)

    Using "Good only" would be the most secure option.

    You should be fine enabling this, but you can create a restore point before doing so. This way if you should have an issue afterwards, you could do a system restore using the restore point to undo it.

    #7 bjm (Posts: 115, W10 Home 1903)

    Okay.
    Well, after re-re-re-reading the Tutorial, I think I'm having light-bulb moment(s).
    This driver starts before other boot-start drivers and enables the evaluation of those drivers and helps the Windows kernel decide whether they should be initialized.
    So, ELAM Policy serves as gatekeeper for which boot-start drivers initialize.
    Since my setup is not configured:
    If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.
    I'll have to ask Webroot support whether my Webroot does boot-start drivers gate-keeping akin to ELAM Policy and or does Webroot scan boot-start drivers. Does Webroot include an Early Launch Antimalware boot-start driver.

    I'll post back progress.

    Thanks for holding my hand.

    Edit: seems like
    5. To Set Boot-Start Driver Initialization Policy to "Good, unknown and bad but critical"
    is what I have now with my not configured.
    and
    2. To Set Boot-Start Driver Initialization Policy to Not Configured
    would be the same as 5 and what I have now with my not configured.
    If you disable or do not configure this policy setting, the boot start drivers determined to be Good, Unknown or Bad but Boot Critical are initialized and the initialization of drivers determined to be Bad is skipped.
    ?
    Last edited by bjm; 22 Jan 2019 at 12:17.

    #8 Brink, Thread Starter (Posts: 58,382, 64-bit Windows 11 Pro for Workstations)

    Correct, "Not Configured" is the same as having "Good, unknown and bad but critical" set.

    #9 bjm (Posts: 115, W10 Home 1903)

    Hi
    So, I ran
    5. To Set Boot-Start Driver Initialization Policy to "Good, unknown and bad but critical"
    + machine restart.
    registry remains same as #1

    So, I ran
    4. To Set Boot-Start Driver Initialization Policy to "Good and unknown"
    + machine restart
    registry remains same as #1
