The default behavior is for Early Launch Antimalware - Boot-Start Driver Initialization policy is to enforce "Good, unknown and bad but critical" (preventing "bad").If the registry value name below does not exist, this a finding.If it exists and is configured with a value of "7", this is a finding.Registry Hive: HKEY_LOCAL_MACHINERegistry Path: \SYSTEM\CurrentControlSet\Policies\EarlyLaunch\Value Name: DriverLoadPolicyValue Type: REG_DWORDValue: 1, 3, or 8 Possible values for this setting are:8 - Good only1 - Good and unknown3 - Good, unknown and bad but critical7 - All (which includes "Bad" and would be a finding)

Ensure that Early Launch Antimalware - Boot-Start Driver Initialization policy is set to enforce "Good, unknown and bad but critical" (preventing "bad").If this needs to be corrected configure the policy value for Computer Configuration >> Administrative Templates >> System >> Early Launch Antimalware >> "Boot-Start Driver Initialization Policy" to "Enabled” with "Good, unknown and bad but critical" selected.