W10 Enterprise 22H2 - Driver signature enforcement needs disabling to boot since 2024-02 Cumulative

Discussion in 'Windows 10' started by xrononautis, Feb 28, 2024.

  1. xrononautis

    xrononautis MDL Senior Member

    Mar 30, 2021
    358
    187
    10
    W10 Enterprise 22H2:
    As said in the title. I have a Windows 10 Enterprise partition which is at the 22H2 feature update. Since the February 2024 cumulative update I need to disable digital driver signature enforcement in order to boot; otherwise it hangs at the Windows logo forever.
    No unsigned drivers are present in Device Manager, and it was working fine up until the previous cumulative update (January 2024).

    W10 Enterprise LTSB2016:
    I get the exact same problem on a different partition where I have LTSB2016, but there the problem happens if I install any cumulative update after 2018-05 (I tried 2024-02 and 2019-05 and I get the same problem).
    versign.exe reports everything signed. And again, no driver problems in Device Manager.

    Laptop: Asus N752VX

    Any ideas?
    Thank you!
     
  2. shhnedo

    shhnedo MDL Expert

    Mar 20, 2011
    1,829
    2,432
    60
    I've clean installed quite a few 22H2s with Feb 2024 update and I haven't done anything to... "make it boot". All installs finished normally, I install the drivers with SDI and even then all the machines turn on and restart perfectly fine. Issue must be somewhere else...
     
  3. acer-5100

    acer-5100 MDL Guru

    Dec 8, 2018
    4,003
    2,923
    150
  4. pm67310

    pm67310 MDL Guru

    Sep 6, 2011
    3,357
    2,532
    120
  5. xrononautis

    xrononautis MDL Senior Member

    Mar 30, 2021
    358
    187
    10
    So I reinstalled the latest cumulative update on Win10 LTSB 2016 for the time being, and the exact message from Event Viewer -> Applications and Services Logs -> Microsoft -> Windows -> CodeIntegrity -> Operational is:

    Code Integrity determined that a process (\Device\HarddiskVolume4\ProgramData\Microsoft\Windows Defender\platform\4.18.24010.12-0\MsMpEng.exe) attempted to load \Device\HarddiskVolume4\Windows\System32\DriverStore\FileRepository\nvami.inf_amd64_73e51741db08994c\nvdlistx.dll that did not meet the Custom 3 / Antimalware signing level requirements.

    The last line is quite illuminating!!
    nvami.inf is related to the nvidia drivers, which are provided by nvidia but signed by the m$ Windows Hardware Compatibility Publisher.

    Do you think that I could solve the problem by purging MRT? (Am I mixing two different things up?)
    When I disabled the early launch antimalware at boot, it still didn't let me boot. Only disabling the signature enforcement lets me boot.
     
  6. acer-5100

    acer-5100 MDL Guru

    Dec 8, 2018
    4,003
    2,923
    150
    Why not start by setting the registry I linked above?

    Hopefully it's the only thing you need to do.

    That said only masochists keep defender enabled, but that's a different discussion.
     
  7. xrononautis

    xrononautis MDL Senior Member

    Mar 30, 2021
    358
    187
    10
    So I went into HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CI\Config\ and created a DWORD32 named VulnerableDriverBlocklistEnable and set it to 0. Is that right?
    As for MRT, it suddenly went to the top of my list $%$#@

    Thank you!
     
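A read-only audit script for the CodeIntegrity block event quoted in post 5 and the CI\Config value discussed in post 7, added here as an example and not code from the thread. It assumes the event message has exactly the wording quoted above (the thread gives no event ID, so it matches on text) and that a value of 0 means the vulnerable-driver blocklist is disabled.

```powershell
# Added example, not from the thread: a read-only audit of the two things the posts above point at,
# (1) CodeIntegrity/Operational events saying an image "did not meet the ... signing level
#     requirements" (the MsMpEng.exe -> nvdlistx.dll message quoted in post 5), and
# (2) the VulnerableDriverBlocklistEnable value under the CI\Config key from post 7.
# Run from an elevated PowerShell. No event ID is given in the thread, so matching is on message text.

$CiLogName    = 'Microsoft-Windows-CodeIntegrity/Operational'
$CiConfigKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$BlockPattern = 'process \((?<proc>[^)]+)\) attempted to load (?<image>.+?) that did not meet the (?<level>.+?) signing level requirements'

function Get-CiSigningLevelBlocks {
    param([int]$MaxEvents = 500)
    Get-WinEvent -LogName $CiLogName -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match $BlockPattern) {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    EventId = $_.Id
                    Level   = $Matches.level     # e.g. "Custom 3 / Antimalware"
                    Process = $Matches.proc
                    Image   = $Matches.image
                }
            }
        }
}

function Get-CiBlocklistState {
    # Assumption: 0 disables the vulnerable-driver blocklist; 1, or no value at all, leaves the
    # build's default in place. This only reads the value and never writes it.
    $prop    = Get-ItemProperty -Path $CiConfigKey -Name VulnerableDriverBlocklistEnable -ErrorAction SilentlyContinue
    $value   = if ($null -ne $prop) { $prop.VulnerableDriverBlocklistEnable } else { $null }
    $display = if ($null -eq $value) { '<absent>' } else { $value }
    $state   = if ($value -eq 0) { 'blocklist disabled' } else { 'default / enforced' }
    [pscustomobject]@{
        Key   = "$CiConfigKey\VulnerableDriverBlocklistEnable"
        Value = $display
        State = $state
    }
}

Get-CiBlocklistState | Format-List
$blocks = Get-CiSigningLevelBlocks
if ($blocks) {
    # One row per blocked image, most frequent first, so the offending DLL stands out.
    $blocks | Group-Object Image | Sort-Object Count -Descending |
        Select-Object Count, Name | Format-Table -AutoSize
} else {
    "No signing-level block events among the last 500 entries of $CiLogName."
}
```

The grouped output shows which image Code Integrity keeps rejecting and at what signing level, which is the evidence to compare between the LTSB2016 and 22H2 partitions before touching the registry value.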
  8. acer-5100

    acer-5100 MDL Guru

    Dec 8, 2018
    4,003
    2,923
    150
    Hopefully, yes.

    No idea, disabling MRT from downloading and installing is among the first things I do when I install a fresh Windows.
     
  9. acer-5100

    acer-5100 MDL Guru

    Dec 8, 2018
    4,003
    2,923
    150
    Did you test both in 1607 and 22H2?

    Maybe that reg line isn't effective on 1607. AFAIR I found that key because it was already there; I just flipped the value from 1 to 0.

    OR

    It's a completely unrelated problem, albeit looks very similar.

    One thing you can do is to disable the mentioned nvidia driver and see what happens.
     
  10. xrononautis

    xrononautis MDL Senior Member

    Mar 30, 2021
    358
    187
    10
    The 22H2 is not present at the moment. It was the partition holding the boot loader, so I purged it for something more stable (Windows 7 xD). I will reinstall 22H2 on a logical partition at some point this weekend and test it.
    I will try disabling the nvidia driver.

    Side note: the option in winaero disables only the install of the MRT. In my case, though, it is already installed and remains in place after ticking this option. Is there any other way to send MRT down the toilet? Do I need to use DISM?
     
  11. xrononautis

    xrononautis MDL Senior Member

    Mar 30, 2021
    358
    187
    10
    This is becoming ridiculous...
    When I disabled the nvidia driver I still couldn't boot, so I just uninstalled it altogether. On the next boot I still had to disable the signature enforcement even with the driver absent. Then I checked Event Viewer and there were no errors other than the info that driver enforcement is off.

    On the next boot, nvidia drivers v388 were installed automatically (previously I had v472). After I restarted again the error was back in Event Viewer and ofc I had to disable driver enforcement. I am going to take a break for now, install 22H2 later on a logical partition and try the whole process again.

    Thank you for your help man!!
     
  12. acer-5100

    acer-5100 MDL Guru

    Dec 8, 2018
    4,003
    2,923
    150
    Yes, it's starting to be ridiculous.

    I guess they don't both provide a driver from WU and then block it because it's vulnerable.

    Likely some other driver is the culprit, or you just tripped over a nasty bug.