How to Disable Early Launch Anti-Malware Protection in Windows 8 and 10

,
  • Last updated
How to Disable Early Launch Anti-Malware Protection in Windows 8 and 10
,
  • Last updated

With the release of Windows 8, Microsoft introduced Early Launch Anti-Malware (ELAM) as a cybersecurity measure to protect against early boot threats. However, you may need to disable it for troubleshooting, software compatibility, or performance reasons. In this article, you will learn how to disable Early Launch Anti-Malware Protection and enhance the benefits of overall security for your IT infrastructures.

About ELAM cybersecurity

Microsoft’s ELAM cybersecurity protects the operating system fully as it boots up. By prioritizing ELAM drivers, Windows can effectively block potentially harmful third-party boot drivers, guarding against rootkits and advanced malware while integrating seamlessly with Windows Defender and other major antivirus software to offer robust early-boot protection.

This security feature, integral to Windows 8, 10 and later versions, plays a crucial role in the early detection and prevention of malware, especially rootkits that can hide from conventional antivirus solutions once the system is fully booted. ELAM offers protection during the critical early stages of your computer’s startup process by being the first system kernel driver to start in Windows operating mode before any third-party software or drivers load.

What does disabling Early Launch Anti-Malware protection do?

Disabling Early Launch Anti-Malware protection leaves your system vulnerable to malware attacks. This is particularly risky in an enterprise environment, where one infected system could jeopardize network security and expose confidential data.

However, temporarily disabling ELAM cybersecurity can be a strategic troubleshooting step to resolve specific issues. Once ELAM is disabled, Windows will start with early-launch anti-malware protection turned off. This means that all drivers, regardless of their classification by ELAM, will be allowed to load, including potentially malicious ones.

You must log in as an administrator to disable ELAM, and it will automatically re-enable when you restart your system. This auto-enable feature ensures that your system isn’t vulnerable beyond the troubleshooting period.

Understanding these outcomes helps you weigh the benefits against the risks of disabling ELAM. While it can be a useful step for troubleshooting, the potential exposure to malware underscores the importance of re-enabling ELAM protection promptly after resolving any issues.

Reasons to disable Early Launch Anti-Malware protection

Disabling Early Launch Anti-Malware protection, while not a routine measure, can become necessary under certain circumstances. Here are the primary reasons you might need to temporarily turn off this feature:

Driver issues:  ELAM can mistakenly classify a legitimate driver as malware (false positive), preventing it from loading and hindering essential software or hardware from functioning correctly. In cases where ELAM cybersecurity prevents a critical driver from loading, Windows may fail to start properly.

Boot loop resolution: Occasionally, ELAM might cause a boot loop, particularly in Windows 10, where the system continuously restarts without reaching the desktop. This situation necessitates temporarily disabling the ELAM module to get access to the desktop.

Disabling ELAM is a temporary measure for troubleshooting specific issues. Once the problem is resolved, ELAM should be re-enabled to ensure continued protection against malware, especially during the critical early boot phase.

Steps to disable ELAM in Windows 8 and 10

To temporarily disable Early Launch Anti-Malware protection in Windows 8 and 10, follow these steps:

  1. Restart your PC. As it begins to boot, press the Shift key while selecting “Restart” from the power menu options. Doing this will take you to the Advanced Startup Options menu.
  2. Click or tap on “Troubleshoot,” select “Startup Settings” then click on “Restart.”
  3. Once your PC restarts and displays the Startup Settings screen, press the “8” or “F8” key to disable early-launch anti-malware protection.

You can also use the graphical user interface (GUI) for a one-time disablement:

  1. Through Settings and Recovery, press the Start button and select “Settings.”
  2. Navigate to “Update and Security,” then “Recovery.”
  3. Click on “Restart Now” under Advanced startup.
  4. After the system restarts, go to “Troubleshoot,” then “Advanced Options,” “Startup Settings” and click “Restart.”
  5. Upon restart, click the F8 key to disable Early Launch Anti-Malware Protection.

If you need to permanently disable the ELAM driver, use the Command Prompt and follow these steps:

  1. Open Command Prompt as an administrator by pressing the Windows key, type “cmd,” right-click on “Command Prompt” and select “Run as administrator.”
  2. Modify boot configuration by typing “bcdedit /set {current} disableelamdrivers yes” and press Enter.
  3. Restart your device to apply the changes.

Another way to disable Early Launch Anti-Malware protection is to edit group policies or the Windows Registry. Follow these instructions to use the Group Policy Editor:

  1. Press the Windows key, type “gpedit.msc” and click Enter.
  2. Navigate to “Computer Configuration,” “Administrative Templates,” “System” and “Early Launch Antimalware.”
  3. Double-click on “Boot-Start Driver Initialization Policy” and select “Enabled.”
  4. Restart the computer for the changes to take effect.

Here’s how to use the Registry Editor:

  1. Press the Windows key and type “regedit.”
  2. Navigate to “HKEY_LOCAL_MACHINE,” then “SYSTEM,” “CurrentControlSet” and “Control.”
  3. Create a new key named “EarlyLaunchAntimalware.”
  4. Inside this key, create a new “DWORD (32-bit) Value” named “DisableELAM” and set its value to “1.”
  5. Restart your computer to apply the changes.

Disabling ELAM, even temporarily, can expose your system to malware threats. Remember to re-enable ELAM once you finish troubleshooting.

Re-enabling ELAM driver protection

After successfully booting into Windows and resolving any issues, follow these steps to re-enable ELAM in your Windows environment:

  1. Prepare by uninstalling any third-party antivirus software that might conflict with Windows Defender, to ensure there’s no interference with ELAM’s operation.
  2. Verify that Windows Defender is active and updated with the latest definitions.
  3. Perform a full system scan with Windows Defender to ensure no malware has compromised your system while ELAM was disabled.
  4. Re-enable ELAM protection through a simple system reboot.

Troubleshooting ELAM

If you encounter issues with ELAM, use these steps to troubleshoot common ELAM problems:

  1. Verify that your device meets the necessary minimum specifications for ELAM services. If the onboarding process fails, focus on troubleshooting the onboarding tools first, then move to address any device-specific issues. This dual approach helps isolate the problem source more effectively.
  2. You must sign in as an administrator to disable or adjust ELAM settings. This ensures that only authorized users can change critical security settings.
  3. If network security settings block your access, consider logging in to your Reddit account or using your developer token as a workaround.

These troubleshooting steps let you address most ELAM-related issues without compromising your system’s security. Always remember to re-enable ELAM protections once the troubleshooting process is complete to ensure ongoing protection against malware threats.

Managing your endpoints

ELAM provides protection against early-stage malware threats, particularly rootkits, that threaten your system before your operating system loads. Understanding how and when to disable Early Launch Anti-Malware temporarily lets you troubleshoot and fine-tune your system’s performance without undermining security.

For further assistance in managing endpoint security across your IT infrastructure, NinjaOne’s endpoint management makes it easy on your IT staff by automating the most time-consuming tasks. NinjaOne lets you monitor, support and control Windows, Mac and Linux devices, as well as servers and virtual machines, from a single interface. Whether on-premises or remote, NinjaOne lets you monitor devices in real time, set up alerts and automate patching and app installations. Learn how NinjaOne endpoint management can free up your IT team for priority projects.

Next Steps

The fundamentals of device security are critical to your overall security posture. NinjaOne makes it easy to patch, harden, secure, and backup all their devices centrally, remotely, and at scale.
Learn more about NinjaOne Protect, check out a live tour, or start your free trial of the NinjaOne platform.
Start your Free Trial

You might also like

How to Open the Local Group Policy Editor in Windows 10 and Windows 11 blog banner image

How to Open the Local Group Policy Editor in Windows 10 and Windows 11

How to Enable and Disable Google Chrome Background Tab Throttling in Windows blog banner image

How to Enable and Disable Google Chrome Background Tab Throttling in Windows

How to Enable, Disable, or Remove Shutdown Event Tracker in Windows 11 blog banner image

How to Enable, Disable, or Remove Shutdown Event Tracker in Windows 11

How to Remotely Access and Control iPads & iPhones blog banner image

How to Remotely Access and Control iPads & iPhones

How to View Google Chrome Download History in Windows blog banner image

How to View Google Chrome Download History in Windows

Enable or Disable Sign in with Picture Password in Windows 10 blog banner image

Enable or Disable Sign in with Picture Password in Windows 10

Ready to become an IT Ninja?

Learn how NinjaOne can help you simplify IT operations.

Start a Free Trial
Get a demo
×

See NinjaOne in action!

By submitting this form, I accept NinjaOne's privacy policy.

NinjaOne Terms & Conditions

By clicking the “I Accept” button below, you indicate your acceptance of the following legal terms as well as our Terms of Use:

  • Ownership Rights: NinjaOne owns and will continue to own all right, title, and interest in and to the script (including the copyright). NinjaOne is giving you a limited license to use the script in accordance with these legal terms.
  • Use Limitation: You may only use the script for your legitimate personal or internal business purposes, and you may not share the script with another party.
  • Republication Prohibition: Under no circumstances are you permitted to re-publish the script in any script library belonging to or under the control of any other software provider.
  • Warranty Disclaimer: The script is provided “as is” and “as available”, without warranty of any kind. NinjaOne makes no promise or guarantee that the script will be free from defects or that it will meet your specific needs or expectations.
  • Assumption of Risk: Your use of the script is at your own risk. You acknowledge that there are certain inherent risks in using the script, and you understand and assume each of those risks.
  • Waiver and Release: You will not hold NinjaOne responsible for any adverse or unintended consequences resulting from your use of the script, and you waive any legal or equitable rights or remedies you may have against NinjaOne relating to your use of the script.
  • EULA: If you are a NinjaOne customer, your use of the script is subject to the End User License Agreement applicable to you (EULA).
I Accept