This post aims to see and learn about the Boot Start Driver Initialization Policy. We will enable the Boot Start Driver Initialization Policy using Intune. To enable this Policy, we will use the Configuration Profiles from Intune.
The next time your computer starts, you can select which boot-start drivers to initialize if you enable this policy setting. If you disable or do not configure this policy setting, only drivers determined to be Good, Unknown, or Bad, but Boot Critical are initialized, and drivers determined to be Bad are skipped.
A malware detection application that does not install an Early Launch Antimalware boot-start driver or that has disabled its Early Launch Antimalware boot-start driver will not affect this setting. By enabling this policy setting, you can reduce the impact of malware that has already infected your computer. Enable this policy setting lets you choose which boot-start drivers to initialize.
By using this policy setting, you can specify which boot-start drivers are initialized based on a classification determined by an Early Launch Antimalware boot-start driver. For each boot-start driver, the Early Launch Antimalware boot-start driver can return the following categories:
- Good: The driver is signed and has not been tampered with.
- Bad: The driver has been identified as malware. You should not allow known bad drivers to be initialized.
- Bad, but required for boot: Even though the driver is considered malware, it must be loaded to ensure the computer can boot successfully.
- Unknown: The driver has not been attested to by your malware detection application or classified by the Early Launch Antimalware boot-start driver.
- Scan all downloaded files and attachments Policy Using Intune
- Do not Delete Temp Folders upon Exit Security Policy using Intune
Windows CSP Details BootStartDriverInitialization
Let’s discuss Windows CSP Details for this Policy setting BootStartDriverInitialization. The policy setting allows you to specify which boot-start drivers are initialized based on the classification determined by an Early Launch Antimalware driver. In the absence of an Early Launch Antimalware boot-start driver or if the Early Launch Antimalware boot-start driver is disabled, this setting has no effect, and all boot-start drivers are initialized.
CSP URI – ./Device/Vendor/MSFT/Policy/Config/System/BootStartDriverInitialization
Boot Start Driver Initialization Policy Using Intune
Follow the steps stated below to Enable the Boot Start Driver Initialization Policy Using Intune:
- Sign in to the Intune Admin Center portal https://intune.microsoft.com/.
- Select Devices > Windows > Configuration profiles > Create a profile.
In Create Profile, Select Windows 10 and later in Platform, and Select Profile Type as Settings catalog. Click on Create button.
| Platform | Profile Type |
|---|---|
| Windows 10 and later | Settings Catalog |
In the Basics tab pane, enter a name for the Policy as Boot Start Driver Initialization Policy. If you like, you can enter the Description for the Policy, then select Next.
Now in Configuration settings, click Add Settings to browse or search the catalog for the settings you want to configure.
On the Settings Picker windows, if you search by the keyword Boot-Start, you will see Administrative Templates\System\Early Launch Antimalware, as shown below in the image, select this.
On selecting the option shown below in the image, you will see one setting name, Boot-Start Driver Initialization Policy. After adding your setting, click the cross mark at the right-hand corner, as shown below.
After this, in the Administrative Templates, set the Boot-Start Driver Initialization Policy to Enabled, as shown below in the image. Also, choose the boot-start drivers that can be initialized as Good, unknown, and bad but critical.
In Scope tags, you can assign a tag to filter the profile to specific IT groups. Add scope tags (if required) and click Next. Under Assignments, In Included Groups, click Add Groups, and then choose Select Groups to include one or more groups. Click Next to continue.
Now in Review + Create, review your settings. When you click on Create, your changes are saved, and the profile is assigned.
A notification will appear automatically in the top right-hand corner with a message. You can see that the Policy “Boot Start Driver Initialization Policy” was created successfully. If you check, the Policy is available in the Configuration profiles list.
Your groups will receive your profile settings when the devices check in with the Intune service. The Policy applies to the device.
Intune Reporting
From Intune Portal, you can view the Intune settings catalog profile report, which provides an overview of device configuration policies and deployment status.
To monitor the policy assignment, select the Policy from the list of Configuration Profiles, and here you can check the device and user check-in status. If you click View Report, additional details are displayed.
Intune MDM Event Log
Intune event ID 813 or 814 indicates that a string policy has been applied to Windows 10 or 11 devices. In addition, you can view the exact value of the Policy that is being applied to those devices.
You can check the Event log path to confirm this – Applications and Services Logs – Microsoft – Windows – Devicemanagement-Enterprise-Diagnostics-Provider – Admin.
The log states the following – MDM PolicyManager: Set policy string, Policy: (BootStartDriverInitialization),
Area: (System), EnrollmentID requesting merge: (4009A089-4FBA-482B-9D17-9E5A8428CB98), Current User: (Device), String: ( <enabled /><data id=”SelectDriverLoadPolicy” value=”3″ />), Enrollment Type: (0xD), Scope: (0x0).
If you look in the event viewer log above, you will get some important information like Area and Enrollment ID that will help you detect the registry path. Please refer to the below for this information:
| Area | Policy | String Value | Scoped | Event ID |
|---|---|---|---|---|
| System | BootStartDriverInitialization | Enabled | Device | 814 |
You can use information from the above table to REGEDIT.exe on a target computer to view the registry settings that store group policy settings. These settings are located in the registry path.
- Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\providers\4009A089-4FBA-482B-9D17-9E5A8428CB98\default\Device\System
After navigating the above path in the Registry Editor, you will find the registry with the name BootStartDriverInitialization. Refer to the table and image below.
| Registry Name | Data |
|---|---|
| BootStartDriverInitialization | Enabled |
Author
Abhinav Rana is working as an SCCM Admin. He loves to help the community by sharing his knowledge. He is a B.Tech graduate in Information Technology.