Driver signature enforcement can be re‑enabled by restarting your PC (if you temporarily disabled it) or by running a specific bcdedit command to reverse the permanent change.
How to enable driver signature enforcement depends entirely on how you disabled it in the first place. The good news is that Windows is built to run with enforcement active by default, so the “undo” is almost always straightforward. Whether you used Startup Settings, an administrator command, or Group Policy, the fix takes less than a minute once you know which switch to flip.
How Did You Disable Driver Signature Enforcement?
Before you can re‑enable it, you need to identify the method you used to turn it off. Each disable method has a specific reversal. Here are the four most common ways users disable signature enforcement:
- Startup Settings (press 7 or F7) — a session‑only toggle that resets automatically after a restart.
- Command Prompt (
bcdedit /set nointegritychecks on) — a permanent setting until the command is reversed. - Test Mode (
bcdedit /set testsigning on) — allows unsigned drivers while a “Test Mode” watermark is visible. - Group Policy (Local Group Policy Editor) — sets the “Code signing for driver packages” policy to “Ignore” or “Warn”.
If you aren’t sure, open an elevated Command Prompt and run bcdedit /enum to see current boot‑loader settings. Look for nointegritychecks or testsigning entries. If neither appears, you may have used Startup Settings or Group Policy.
Enabling Driver Signature Enforcement: Which Method Applies?
Method 1: Session‑Only Disable (Startup Settings) – Just Restart
If you pressed 7 or F7 at the Startup Settings screen, the change lasts only until the next standard restart. Simply reboot your PC normally. Driver signature enforcement will be active again without any further steps. No command or setting change is needed.
Method 2: Permanent Disable via bcdedit /set nointegritychecks
If you ran bcdedit /set nointegritychecks on, reverse it with the opposite command from an elevated Command Prompt:
- Open Search, type
cmd. - Right‑click Command Prompt and choose Run as administrator.
- Execute:
bcdedit /set nointegritychecks off - Restart your PC. The setting will be applied on boot.
After restarting, unsigned drivers will be blocked again, and the “Test Mode” or “Secure Boot” warning (if present) may disappear.
Method 3: Exiting Test Mode (bcdedit /set testsigning)
Test Mode is a separate boot‑loader setting that tells Windows to accept test‑signed drivers. To exit it:
- Open an elevated Command Prompt (as above).
- Run:
bcdedit /set testsigning off - Restart your PC. The “Test Mode” watermark in the bottom‑right corner will vanish, and signature enforcement will be restored.
Note: If you used both Test Mode and nointegritychecks, you need to run both off commands.
Method 4: Reverting Group Policy Changes
If you disabled enforcement through the Local Group Policy Editor, reset the policy to its default:
- Press Win + R, type
gpedit.msc, and press Enter. - Navigate to User Configuration > Administrative Templates > System > Driver Installation.
- Right‑click Code signing for driver packages and select Edit.
- Set the policy to Not Configured (or Disabled if it was set to “Ignore” or “Warn”).
- Click OK and restart your PC.
Scenarios for Re‑enabling Driver Signature Enforcement
| Disable Method | Re‑enable Steps | Notes |
|---|---|---|
| Startup Settings (7/F7) | Restart the PC normally | Session‑only; reverts automatically |
bcdedit /set nointegritychecks on |
Run bcdedit /set nointegritychecks off |
Requires Admin Command Prompt |
bcdedit /set testsigning on |
Run bcdedit /set testsigning off |
Also exits Test Mode |
| Group Policy | Set policy to Not Configured | Located under Driver Installation |
| Secure Boot blocking the change | Disable Secure Boot in UEFI, re‑run command, re‑enable Secure Boot | Workaround for “protected by Secure Boot policy” error |
| Memory Integrity (Core Isolation) disabled | Enable Memory Integrity in Windows Security | Needed for full enforcement on Windows 11 22H2+ |
| Unknown / multiple methods | Run both nointegritychecks off and testsigning off |
Also check Group Policy state |
Common Mistakes and How to Avoid Them
Confusing session‑only and permanent. The Startup Settings toggle resets after one restart; bcdedit changes persist until reversed. If you’ve already rebooted and enforcement is still off, you likely used a permanent method.
Secure Boot interference. On some systems, Secure Boot prevents bcdedit from changing integrity‑check settings. If you see “The value is protected by Secure Boot policy,” enter your UEFI firmware settings, temporarily disable Secure Boot, run the command, then re‑enable Secure Boot.
Typo in command. The command is bcdedit, not bdcdet or bcdedit /set nointegritychecks off missing a space. Copy the exact text above to avoid errors.
Memory Integrity overriding your setting. Windows 11 22H2 and later enable Memory Integrity (Core Isolation) by default. This feature enforces signature validation regardless of bcdedit settings. If you want to fully enforce signatures, ensure Memory Integrity is turned on: go to Windows Security > Device Security > Core Isolation details and toggle it On.
Quick Command Reference for Enabling Signature Enforcement
| Action | Command (Admin CMD) | Result |
|---|---|---|
Enable enforcement (undo nointegritychecks) |
bcdedit /set nointegritychecks off |
Re‑enables driver signature checking |
| Exit Test Mode | bcdedit /set testsigning off |
Stops accepting test‑signed drivers |
| View current boot‑loader settings | bcdedit /enum |
Shows all active entries |
| Remove a specific setting | bcdedit /deletevalue nointegritychecks |
Alternative way to clear the flag |
Confirming Driver Signature Enforcement Is Active
After following the appropriate method, you can verify that enforcement is back on by attempting to install an unsigned driver. A signed driver will install without warning; an unsigned driver should be blocked with a “Windows cannot verify the publisher” error. You can also check the boot‑loader settings: bcdedit /enum should show no nointegritychecks or testsigning flags set to on. If everything looks clean and Secure Boot is enabled, driver signature enforcement is fully active.
References & Sources
- TenForums. “How to Enable or Disable Driver Signature Enforcement in Windows 10” Detailed guide covering the
bcdeditand Startup Settings methods. - Microsoft Learn. “Permanently Disable Driver Signature Enforcement – Microsoft Q&A” Official discussion on re‑enabling and Secure Boot interactions.