Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune

Key Takeaways:

  • The Boot-Start Driver Initialization Policy lets you choose which boot-start drivers Windows initializes, based on the classification an Early Launch Antimalware (ELAM) driver assigns to each one
  • It helps reduce the impact of malware that runs as a kernel driver, strengthening endpoint security
  • It can stop drivers classified as Bad (and, if you choose, Unknown) from initializing at boot time
  • Improves resilience against rootkits that persist as boot-start drivers

Let’s discuss how to enable the Boot-Start Driver Initialization Policy to reduce the impact of malware on systems using Intune. This policy controls which boot-start drivers are initialized during the Windows boot process, based on the classification returned by an Early Launch Antimalware (ELAM) driver. ELAM is the security feature that lets an antimalware driver (such as Microsoft Defender’s WdBoot.sys) start before any other third-party boot-start driver and classify each of them before it is initialized.


By enabling this setting and choosing a restrictive option (Good only, or Good and unknown), organisations ensure that drivers the ELAM driver classifies as Bad (and optionally Unknown) are skipped before they can run in the kernel. Threat actors use malicious drivers to maintain access to a PC even after a reboot. This policy breaks that persistence by refusing to initialize the driver on the next boot. Keep its scope in mind: it acts only on boot-start drivers, it runs after the boot manager and kernel have already started (Secure Boot, where enabled, covers those), and it only has effect if an ELAM driver is actually installed and registered to start at boot.
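To see what the ELAM driver has to classify on a given machine, here is an added PowerShell example (not from the original post) that enumerates the boot-start drivers and reports their Authenticode status. The function name Get-BootStartDriver is my own; the local signature check stands in for, but is not, the ELAM classification, which only the antimalware driver makes at boot. Run it in an elevated session.

```powershell
# Added example (not from the original post): list the boot-start drivers an ELAM driver
# would classify on this machine, with their Authenticode status.
# Boot-start drivers are services with Start = 0 under HKLM\SYSTEM\CurrentControlSet\Services.
# The signature status is a local Authenticode check, not the ELAM classification itself.

function Get-BootStartDriver {
    [CmdletBinding()]
    param()

    $servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    Get-ChildItem -Path $servicesKey | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, Type 2 = file system driver; Start 0 = boot start
        if ($props.Start -eq 0 -and ($props.Type -eq 1 -or $props.Type -eq 2) -and $props.ImagePath) {
            $path = $props.ImagePath
            # Normalise the ImagePath forms seen in the registry:
            #   \SystemRoot\System32\drivers\x.sys, System32\drivers\x.sys, \??\C:\...\x.sys
            if ($path -match '^\\SystemRoot\\(.+)$')  { $path = Join-Path $env:SystemRoot $Matches[1] }
            elseif ($path -match '^\\\?\?\\(.+)$')   { $path = $Matches[1] }
            elseif ($path -notmatch '^[A-Za-z]:\\')  { $path = Join-Path $env:SystemRoot $path }

            $sig = if (Test-Path -LiteralPath $path) {
                Get-AuthenticodeSignature -FilePath $path
            }

            [pscustomobject]@{
                Name      = $_.PSChildName
                ImagePath = $path
                Signature = if ($sig) { $sig.Status } else { 'FileNotFound' }
                Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
    }
}

# Usage: anything that is not validly signed is exactly what an ELAM driver would
# flag as Unknown or Bad, and is worth a closer look before you pick "Good only".
Get-BootStartDriver | Where-Object Signature -ne 'Valid' | Format-Table -AutoSize
```

Inbox Windows drivers are catalog-signed and report Valid; a third-party storage or filter driver that shows up as NotSigned or UnknownError is a candidate for being skipped under the stricter options, so review that list on a pilot device before tightening the policy fleet-wide.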

How to Start Policy Creation

As an Admin, you can quickly configure this policy for your organisation. To start the policy creation, open the Microsoft Intune admin center. Then go to Devices > Configuration > + Create > + New Policy.

Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune – Fig.1

Profile Creation

Profile creation is the necessary step that lets you target the policy at the appropriate platform and profile type. Here I configure the policy for the Windows 10 and later platform with a Settings catalog profile. Then click on the Create button.

Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune – Fig.2

Filling the Basic Tab

Naming the policy is the first step, and it helps admins identify the policy later. A clear name and description tell you the purpose of the policy at a glance. Here the Name is mandatory and the Description is optional. After filling these in, click on the Next button.

Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune – Fig.3

Configure Boot-Start Driver Initialization

On the Configuration settings tab, click on the + Add settings hyperlink to open the Settings picker. The settings picker shows a huge number of settings, so here I select the setting by browsing by category. I choose Administrative Templates > System > Early Launch Antimalware > Boot-Start Driver Initialization Policy, which adds the setting together with its Choose the boot-start drivers that can be initialized option.

Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune – Fig.4

Disable Boot-Start Driver Initialization Policy

If you disable or don’t configure this policy setting, Windows uses its default behaviour: the boot-start drivers determined to be Good, Unknown, or Bad but Boot Critical are initialized, and the initialization of drivers determined to be Bad is skipped.

Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune – Fig.5

Enable Boot-Start Driver Initialization Policy

If you enable this policy setting, you can choose which boot-start drivers to initialize the next time the computer is started. The options are Good only; Good and unknown; Good, unknown and bad but critical; and All. The option names refer to the four classifications the ELAM driver can return, listed in Table 1. Good only is the strictest, but it also skips drivers the ELAM driver cannot classify, so pilot it before a broad rollout: a skipped boot-critical driver can leave a device unable to boot. Select the option you want, then click on the Next button to continue.

Value: Description

Good: The driver has been signed and hasn’t been tampered with.

Bad: The driver has been identified as malware. It’s recommended that you don’t allow known bad drivers to be initialized.

Bad, but required for boot: The driver has been identified as malware, but the computer can’t successfully boot without loading this driver.

Unknown: This driver hasn’t been attested to by your malware detection application and hasn’t been classified by the Early Launch Antimalware boot-start driver.
Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune – Table.1
Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune – Fig.6

Scope Tags

With scope tags, you restrict which admin roles can see and manage the Boot-Start Driver Initialization policy, which also helps to organise resources. Here I skip this section, because it is not mandatory. Click on the Next button.

Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune – Fig.7

Assignments Tab for Selecting Group

To assign the policy to specific groups, use the Assignments tab. Here I click the + Add groups option under Included groups, choose a group from the list, and click on the Select button. Then I click on the Next button to continue.

Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune – Fig.8

Review + Create Tab

Before completing the policy creation, you can review each tab to avoid misconfiguration or policy failure. After verifying all the details, click on the Create Button. After creating the policy, you will get a success message.

Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune – Fig.9

Monitoring Status

The monitoring status page shows whether the policy has succeeded or not. To pick up the policy quickly, sync the assigned device from the Company Portal app instead of waiting for the next scheduled check-in. Then open the Intune admin center, go to Devices > Configuration, and search for the policy. Here, the policy shows as successful. Remember that the setting takes effect only on the next boot, because ELAM classification happens during startup.

Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune – Fig.10
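Intune reporting tells you the setting was delivered; to confirm what actually landed on the device, and that an ELAM driver is present to act on it, here is an added PowerShell example (not from the original post). The function name Get-ElamDriverLoadPolicy is my own. It reads the registry value the ADMX-backed setting writes, HKLM\SYSTEM\CurrentControlSet\Policies\EarlyLaunch\DriverLoadPolicy, and decodes it with the value-to-option mapping used by the Boot-Start Driver Initialization Policy ADMX.

```powershell
# Added example (not from the original post): confirm on an enrolled device that the
# Intune setting landed, decode it, and check that Defender's ELAM driver (WdBoot)
# is registered as a boot-start driver so the policy has something to act on.

function Get-ElamDriverLoadPolicy {
    [CmdletBinding()]
    param()

    $policyKey = 'HKLM:\SYSTEM\CurrentControlSet\Policies\EarlyLaunch'

    # DriverLoadPolicy values as defined by the ADMX, with the option names shown
    # in the Intune settings picker / Group Policy editor
    $options = @{
        8 = 'Good only'
        1 = 'Good and unknown'
        3 = 'Good, unknown and bad but critical'
        7 = 'All'
    }

    $value = (Get-ItemProperty -Path $policyKey -Name DriverLoadPolicy -ErrorAction SilentlyContinue).DriverLoadPolicy

    $option = if ($null -eq $value) {
        # Not Configured / Disabled: Windows default is Good, Unknown and Bad-but-boot-critical
        'Not configured (default: Good, unknown and bad but critical)'
    } elseif ($options.ContainsKey([int]$value)) {
        $options[[int]$value]
    } else {
        "Unrecognised value $value"
    }

    # Microsoft Defender's ELAM driver is the WdBoot service; Start 0 means boot start.
    # Without a boot-start ELAM driver there is no classification, and the policy is inert.
    $wdBoot = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\WdBoot' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        DriverLoadPolicy      = $value
        Option                = $option
        ElamDriverPresent     = [bool]$wdBoot
        ElamDriverBootStart   = [bool]($wdBoot -and $wdBoot.Start -eq 0)
        # Only "Good only" (8) and "Good and unknown" (1) go beyond the default by
        # also skipping drivers classified as Bad but required for boot
        StricterThanDefault   = ($value -eq 8 -or $value -eq 1)
    }
}

# Usage: run elevated on a device that has synced and rebooted since assignment
Get-ElamDriverLoadPolicy | Format-List
```

If DriverLoadPolicy is missing after a successful sync, check that the device has rebooted and that no conflicting Group Policy or second Intune profile targets the same setting; if WdBoot is absent or not boot-start, a third-party antimalware product may supply its own ELAM driver, and its service should be checked instead.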

Removing the Assigned Group from Boot-Start Driver Initialization Settings

If you want to remove an assigned group from the policy, you can do so from the Intune admin center. Open the policy, edit the Assignments tab, and remove the group from Included groups.

To get more detailed information, you can refer to our previous post – Learn How to Delete or Remove App Assignment from Intune using by Step-by-Step Guide.

Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune – Fig.11

How to Delete Boot-Start Driver Initialization

You can easily delete the policy from the Intune admin center, under the Configuration section. Once the policy is gone, Intune removes the configured value from the client devices on their next sync, so they fall back to the default behaviour described under Disable Boot-Start Driver Initialization Policy above (Good, Unknown and Bad but Boot Critical drivers are initialized). The change takes effect at the next boot.

For detailed information, you can refer to our previous post – How to Delete Allow Clipboard History Policy in Intune Step by Step Guide.

Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune – Fig.12

Windows CSP Details

This policy setting allows you to specify which boot-start drivers are initialized, based on a classification determined by an Early Launch Antimalware boot-start driver. The Early Launch Antimalware boot-start driver can return the classifications listed in Table 1 (Good; Bad; Bad, but required for boot; Unknown) for each boot-start driver.

Enable Boot-Start Driver Initialization Policy to Reduce Impact of malware in Systems using Intune – Fig.13

Need Further Assistance or Have Technical Questions?

Join the LinkedIn Page and Telegram group to get the step-by-step guides and news updates. Join our Meetup Page to participate in User group meetings. Also, join the WhatsApp Community and WhatsApp Channel to get the latest news on Microsoft Technologies. We are there on Reddit as well.

Author

Anoop C Nair has been a Microsoft MVP for 10 consecutive years from 2015 onwards. He is a Workplace Solution Architect with more than 22 years of experience in Workplace technologies. He is a Blogger, Speaker, and Local User Group Community leader. His primary focus is on Device Management technologies like SCCM and Intune. He writes about technologies like Intune, SCCM, Windows, Cloud PC, Entra, Microsoft Security, Career, etc.
