Windows 8, RT & Server 2012 has this specific group policy setting which allows to secure the OS at boot level by checking if any of the driver can be initialized when the system boots up. This is specifically very useful for System Admins to secure corporate PC and keep it off getting tampered.
Its called as Boot-Start Driver Initialization Policy which comes with four classifications.
- Good: The driver has been signed and has not been tampered with.
- Bad: The driver has been identified as malware. It is recommended that you do not allow known bad drivers to be initialized.
- Bad, but required for boot: The driver has been identified as malware, but the computer cannot successfully boot without loading this driver.
- Unknown: This driver has not been attested to by your malware detection application and has not been classified by the Early Launch Antimalware boot-start driver.
Location : Computer Configuration > Administrative Templates > System > Early Launch Malware > Boot-Start Driver Initialization Policy
So if you look at the choices available, Choosing the third option keeps you off from the Bad drivers for sure. Rest it will up to you to identify using any external tool possible.
Next when I rebooted, I did not see the OS giving me a choice for driver selection even though it says “Once you enable this, you will be able to choose which boot start drivers will be initialized the next time the computer is started”. I would be interested if you any of you actually tried and see how it worked for you.