valinet / ssde

SSDE is a collection of utilities that help in having Windows load your custom signed kernel drivers when Secure Boot is on and you own the system's platform key, instead of using test mode.
MIT License

Almost working #2

Closed InanimateCrbnRod closed 3 years ago

InanimateCrbnRod commented 3 years ago

Hello Valinet,

So I get pretty much to the end of the process before I run into trouble. I created the certificates and changed my motherboard's PK no problem, but towards the end, when I run SSDE_Enable, the computer reboots and runs the cmd stuff, then it reboots again and the registry key has a value of 1, and ssde_query confirms this. So I create the service that I'm supposed to in the final step, 2.6, and it says service created successfully. But now when I reboot, the regedit value is back to 0, which implies it's not working anymore. Also, on one of my reboots Windows would no longer start no matter what I did, so I had to restore from an image I took before I tried this. I have not been able to recreate that issue, though srttrail.txt said the issue was with sipolicy.p7b. I'm not sure if there's a relation between the two issues though. Any ideas or input would be great, thanks again.

UPDATE: regedit still shows a clear 0, but ssde_query says "1".

valinet commented 3 years ago

Hi

First off, usually when the computer does not boot, it is because the licensing status for the feature is still 0 and you have enabled the 'service', aka you installed the self-signed ssde driver. Of course Windows won't load it without having the feature licensed. As it cannot load the driver at the boot stage, it just blue screens. To have it load successfully in that state, open a Command Prompt and delete the driver file from the system. That will have it boot again successfully, but you will have to repeat the steps.

ssde_query queries the status from the ProductOptions registry value, while what you check in the registry is the Licensed=0 value from Control\CI\Protected. Those two are different things (one is checked by the kernel, the other by the bootloader, respectively). If you boot to the preinstallation environment once and set Licensed to 1, then the next time you start Windows it should be licensed and you should be able to load the driver. Then, reboot, set Licensed to 1 again from PE, and then reboot once more. And it should work. But it sometimes does not, at least for me; it did not work from the first try, but I eventually got it to load. Once the driver gets loaded and does its job, you won't have to go through this trouble anymore, it will stay "licensed" forever. So, as I said, try the procedure I mentioned a few times: boot to PE, set Licensed to 1, reboot to Windows, load the ssde driver, reboot to PE, set Licensed to 1, reboot to Windows and reboot to Windows once more. At some point, it should work. I don't know very well what causes weird behavior on some installs and so on; I had a similar problem and had to retry a few times on my Ryzen 5900x machine as well, while on my Intel-based laptop it worked from the get-go. I don't really know why it does that, but I know it eventually works.

The policy mentioned in the README works just fine I think, I mean, that's what I use on my system as well. It shouldn't be from that, I don't know. Anyway, whoever says something should justify what they say with some actual facts, not simply state things, in my opinion.

Anyway, good luck. Also, we could have talked on the old issue, I receive notifications for that as well.

Thank you.
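
The comment above separates the `Licensed` value under `Control\CI\Protected` from what ssde_query reports, and ties boot failures to the driver being installed while the feature is not licensed. As an added example (not part of the thread or the ssde repository), this read-only PowerShell check gathers that state in one place; the service key name `ssde` and the driver path under `System32\drivers` are assumptions, as are the function names.

```powershell
# Added diagnostic sketch (not from the ssde repository). Run elevated; it only reads.
# Assumptions: service key name 'ssde'; driver at %SystemRoot%\System32\drivers\ssde.sys.
function Get-SsdeState {
    $ciKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Protected'
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ssde'
    $driver = Join-Path $env:SystemRoot 'System32\drivers\ssde.sys'
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    # The value the thread says is set to 1 from the preinstallation environment.
    $licensed = (Get-ItemProperty -Path $ciKey -Name Licensed -ErrorAction SilentlyContinue).Licensed
    # Start type of the driver service; $null means the service key does not exist.
    $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
    # Signature details, so the signer can be compared with your own certificate.
    $sig = if (Test-Path -LiteralPath $driver) { Get-AuthenticodeSignature -FilePath $driver }

    [pscustomobject]@{
        Licensed       = $licensed
        ServiceStart   = if ($null -ne $start) { $startNames[[int]$start] } else { 'NotInstalled' }
        DriverPresent  = [bool]$sig
        SignerSubject  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        SignatureState = if ($sig) { [string]$sig.Status }
    }
}

function Get-SsdeFinding {
    param([Parameter(Mandatory)] $State)
    # The driver is attempted at boot only if the file exists and the service is enabled.
    $willLoad = $State.DriverPresent -and $State.ServiceStart -notin 'NotInstalled', 'Disabled'
    if ($willLoad -and $State.Licensed -ne 1) {
        'Driver is set to load but Licensed is not 1: the combination the maintainer ties to boot failures.'
    } elseif ($willLoad) {
        'Licensed is 1 and the driver is set to load; reboot and re-check that the value persists.'
    } elseif ($State.Licensed -eq 1) {
        'Licensed is 1 but the driver is not installed; the thread relies on the driver to keep it set.'
    } else {
        'Licensed is not 1 and the driver is not installed: start of the procedure.'
    }
}

$state = Get-SsdeState
$state | Format-List
Get-SsdeFinding -State $state
```

Because ssde_query reads a different value than `Licensed`, a mismatch between its output and this report is consistent with what the comment describes.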

InanimateCrbnRod commented 3 years ago

Sorry, I didn't realize I could comment on closed issues. So I've tried the sequence, and different combinations of the sequence, a couple dozen times by now. What happens now is that Windows doesn't blue screen or fail to start, and ssde.sys is in windows/system32/drivers, the service exists, and sipolicy.p7b is in the UEFI partition in efi/microsoft/boot. I get a boot where the registry value is indeed at 1, then on the next reboot it is at 0. Every subsequent reboot it remains at 0 but Windows boots just fine. Does this mean it's just not loading ssde? Like it's ignoring it? I can keep trying to change the policy in PE mode but it doesn't seem to leave a lasting effect. I'm sure this little script is the least of your concerns, but this is the only resource on the internet I've found to get around this driver certificate issue without using test mode. If you have any free time to ponder what's happening, or any ideas at all, it would be greatly appreciated. Thank you!

InanimateCrbnRod commented 3 years ago

SUCCESS!!!!!! The fault was my own. When the Windows log file "srttrail.txt" told me the fault was with sipolicy.p7b, I decided to use the policy from article 2 instead (using a virtual machine with Enterprise). This SIPolicy stopped the blue screen errors but also stopped ssde.sys from doing its job and changing the registry value at every boot. I switched back to the article 1 policy, and re-signed the bin with my PK certificate again. Then I started the whole process over: ssde_enable > reboot and copy signed ssde.sys to the drivers folder, then create the ssde service > reboot to normal Windows with "0" value > reboot to blue screen/recovery environment, open cmd and manually change the registry value > reboot, and it works every time now.

Thanks again! Sorry for the trouble.

valinet commented 3 years ago

Great, I am very glad that it worked. Indeed, policy 2 is not desirable, I have used it as well and it meant Windows would not load any third party driver. The policy from article 1 is basically like a test mode without being in test mode. As I said, I don’t know what makes it fail sometimes, but retrying the whole process once more usually yields success and it stays like that reliably.

Now, for how long, I don’t know, I presume this will remain a Windows feature for the foreseeable future. Personally, I use this to load a custom driver for only the internal keyboard of my XPS15 7590 laptop, in order to fix its atrocious keyboard layout.

If you feel like the instructions should be updated or want to make any mentions now that you went through the experience yourself, be my guest. I tried my best to write these notes, I am also not deeply familiar with the process, I only know the idea behind it and that it eventually works indeed. There are not many articles around about this as probably few people know about this. The technique is pretty involved. And a lot of people simply do not care, I guess…

Anyway, I am very happy that you eventually got it to work, that is indeed incredibly great news.

InanimateCrbnRod commented 3 years ago

I might write a simpler how-to guide at some point, though once I understood it there were only a couple of parts that I got stuck on. I'm using this to run an audio driver that will allow me to customize audio routing better in Windows so my ASIO devices won't crash software whenever another program wants access to the driver.

I do however have a new issue, which is that since installing ssde I can no longer get Windows to boot into the advanced startup menu, which I need to disable driver signature enforcement in order to get the .MSI installer for my unsigned driver to work (from there I would self-sign the .sys and .dll files manually). Every time I go to the RE and choose startup options > restart it just boots to regular Windows. Same thing if I use bcdedit to force Windows to always load advanced startup options. Windows just boots normally each time. Is this because of the ssde driver/service, or because of the SIPolicy? Any ideas on how to re-enable this Windows feature, or should I uninstall ssde and the policy and hope it works when I try again?

Update: all good, I can still get into the advanced startup menu by interrupting the power cycle 3 times. Odd.

valinet commented 3 years ago

> I might write a simpler how-to guide at some point, though once I understood it there were only a couple of parts that I got stuck on. I'm using this to run an audio driver that will allow me to customize audio routing better in Windows so my ASIO devices won't crash software whenever another program wants access to the driver.
>
> I do however have a new issue, which is that since installing ssde I can no longer get Windows to boot into the advanced startup menu, which I need to disable driver signature enforcement in order to get the .MSI installer for my unsigned driver to work (from there I would self-sign the .sys and .dll files manually). Every time I go to the RE and choose startup options > restart it just boots to regular Windows. Same thing if I use bcdedit to force Windows to always load advanced startup options. Windows just boots normally each time. Is this because of the ssde driver/service, or because of the SIPolicy? Any ideas on how to re-enable this Windows feature, or should I uninstall ssde and the policy and hope it works when I try again?
>
> Update: all good, I can still get into the advanced startup menu by interrupting the power cycle 3 times. Odd.

Odd indeed, this ssde thing should not interfere with that. Maybe it was something else, I don’t know…