Fix SPAPI_E_AUTHENTICODE_DISALLOWED (0X800F0240) Driver Install Error

Windows Errors | Intermediate | May 31, 2026

Quick answer: configure Windows, via Group Policy or the registry, to allow drivers that are unsigned or signed with a test certificate. This error blocks driver installs when Authenticode signing isn't supported for the INF.

Quick Answer (For Advanced Users)

Enable test signing mode with bcdedit /set testsigning on and reboot, OR disable driver signature enforcement at boot by pressing F8 and selecting "Disable Driver Signature Enforcement." Then install the driver. If you need a permanent fix for a specific INF, set HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverSigning\Policy to 1 (warn but allow).

Why This Happens

I've seen this error pop up mostly with legacy hardware or custom drivers—like old USB-to-serial adapters or lab equipment—where the vendor didn't submit the INF for Authenticode signing, or the certificate chain is broken. Windows 10/11 build 1909 and later tightened Authenticode verification for kernel-mode drivers, so if the INF's digital signature doesn't match the Authenticode trust store, you get 0X800F0240. The system isn't being picky for fun; it's actually blocking a driver that could be tampered with or malicious. But if you know the driver is safe (e.g., from a trusted internal developer), you can work around it.

Step-by-Step Fix: Enable Test Signing Mode

This is the cleanest approach: it tells Windows to accept any INF signed with a test certificate without blocking it. The setting applies to the whole system, so you'll lose some security while it's on, but for a specific driver it's fine.

  1. Open Command Prompt as Administrator (right-click Start > Command Prompt Admin or PowerShell Admin).
  2. Type:
    bcdedit /set testsigning on
  3. Press Enter. You should see "The operation completed successfully."
  4. Reboot. A watermark "Test Mode" will appear in the bottom-right corner—that's normal.
  5. Install the driver again. The 0X800F0240 error should be gone.

If you later want to revert: bcdedit /set testsigning off and reboot.

Alternative Fix: Disable Driver Signature Enforcement at Boot

Use this when you can't mess with boot settings (e.g., on a locked-down corporate machine). It's temporary—lasts only one boot session.

  1. Restart your PC.
  2. As soon as the manufacturer logo appears, press F8 repeatedly until the Advanced Boot Options menu shows.
  3. Select "Disable Driver Signature Enforcement" (it's usually the last option).
  4. Windows boots normally, but with enforcement off. Install the driver immediately.

Note: Windows 10/11 with fast startup may skip F8. If that fails, try holding Shift while clicking Restart, then go to Troubleshoot > Advanced Options > Startup Settings > Restart, then press F7.

Alternative Fix: Group Policy Registry Hack

For Windows Pro, Enterprise, or Education editions, you can set a permanent policy to warn instead of block unsigned drivers.

  1. Press Win+R, type regedit, press Enter.
  2. Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DriverSigning
    If the DriverSigning key doesn't exist, create it: right-click Windows > New > Key, name it DriverSigning.
  3. Inside that key, create a new DWORD (32-bit) named Policy.
  4. Set its value to 1 (decimal). That means "warn but allow." 0 means block, 2 means block with no override.
  5. Close regedit, reboot. Now install the driver—you'll see a warning but it should proceed.

I don't recommend using 1 on production machines—it weakens security. Only do this if you fully trust the INF.

Alternative Fix: Sign the INF Yourself with a Self-Signed Certificate

If you're a developer or power user, you can sign the INF using a self-signed cert. This works permanently and doesn't need test mode.

  1. Create a self-signed certificate:
    New-SelfSignedCertificate -Type CodeSigning -Subject "CN=MyCompany" -CertStoreLocation Cert:\CurrentUser\My
    (Requires PowerShell as Admin).
  2. Sign the INF file:
    signtool sign /fd SHA256 /a /s MY /n "MyCompany" C:\path\to\driver.inf
    You need the Windows SDK's signtool.exe for this.
  3. Then install the INF normally: right-click > Install.

This adds your certificate to the trusted store, so Authenticode verification passes. It's overkill for most users, but it's the real fix if you control the driver.
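
To confirm afterwards which of these workarounds are still active on a machine, the following read-only audit is an added example, not part of the original article. It assumes English bcdedit output and reads the registry value named in the Group Policy section above.

```powershell
# Added example: report whether driver-signature enforcement is still weakened.
# Run from an elevated PowerShell session (bcdedit needs administrator rights).

function Get-BcdFlag {
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        # bcdedit prints "name    value" pairs, one per line
        if ($line -match "^\s*$Name\s+(\S+)") { return $Matches[1] }
    }
    return 'not set'
}

function Get-DriverSigningPosture {
    $bcd   = & bcdedit.exe /enum '{current}' 2>$null
    $bcdOk = ($LASTEXITCODE -eq 0)

    # Secure Boot state; the cmdlet throws on legacy BIOS or without elevation.
    $secureBoot = try { Confirm-SecureBootUEFI -ErrorAction Stop } catch { 'unknown' }

    # Registry value described in this article's Group Policy section.
    $key    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DriverSigning'
    $policy = (Get-ItemProperty -Path $key -Name Policy -ErrorAction SilentlyContinue).Policy

    # Self-signed code-signing certificates (subject equals issuer), such as
    # one created with New-SelfSignedCertificate for signing a driver.
    $stores = 'Cert:\CurrentUser\My', 'Cert:\LocalMachine\TrustedPublisher'
    $selfSigned = foreach ($store in $stores) {
        Get-ChildItem -Path $store -CodeSigningCert -ErrorAction SilentlyContinue |
            Where-Object { $_.Subject -eq $_.Issuer } |
            ForEach-Object { "$store\$($_.Thumbprint) $($_.Subject)" }
    }

    [pscustomobject]@{
        TestSigning           = if ($bcdOk) { Get-BcdFlag $bcd 'testsigning' } else { 'unknown (run elevated)' }
        SecureBoot            = $secureBoot
        DriverSigningPolicy   = if ($null -eq $policy) { 'not set' } else { $policy }
        SelfSignedCodeSigning = @($selfSigned)
    }
}

Get-DriverSigningPosture | Format-List
```

A machine that has been put back to its default state shows TestSigning as "No" or "not set", DriverSigningPolicy as "not set", and an empty SelfSignedCodeSigning list.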

Prevention Tips

  • Always download drivers from the manufacturer's official site—never from random shareware sites. The error often triggers on modified or repackaged INFs.
  • If you're deploying custom drivers internally, get them Authenticode-signed by a trusted CA (like DigiCert or Sectigo) before pushing to users.
  • Keep Windows updated. Microsoft occasionally adds new trusted root certificates in cumulative updates, which can suddenly allow a previously blocked INF.
  • Check the INF file's digital signature in File Explorer: right-click the INF, go to Digital Signatures tab, and verify the signer is in the Trusted Publishers store. If the signer is unknown, that's your trigger.
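
The signature check from the last tip, scripted as an added example that is not part of the original article. It assumes the driver package ships a catalog (.cat) file, which is where a driver package's Authenticode signature is stored; the folder path is a placeholder.

```powershell
# Added example: inspect a driver package's signature before installing it.
# $PackagePath is a hypothetical folder holding the driver's .inf and .cat files.

function Test-DriverPackageSignature {
    param([Parameter(Mandatory)][string]$PackagePath)

    $catalogs = Get-ChildItem -Path $PackagePath -Filter *.cat -File -Recurse
    if (-not $catalogs) {
        Write-Warning "No catalog (.cat) file found under '$PackagePath'; the package is unsigned."
        return
    }

    # Thumbprints of publishers this machine already trusts for signed code.
    $trusted = Get-ChildItem -Path Cert:\LocalMachine\TrustedPublisher |
        Select-Object -ExpandProperty Thumbprint

    foreach ($cat in $catalogs) {
        $sig    = Get-AuthenticodeSignature -FilePath $cat.FullName
        $signer = $sig.SignerCertificate

        [pscustomobject]@{
            Catalog            = $cat.Name
            # Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            Status             = $sig.Status
            StatusMessage      = $sig.StatusMessage
            Signer             = if ($signer) { $signer.Subject } else { $null }
            Issuer             = if ($signer) { $signer.Issuer } else { $null }
            SelfSigned         = if ($signer) { $signer.Subject -eq $signer.Issuer } else { $null }
            CertExpires        = if ($signer) { $signer.NotAfter } else { $null }
            InTrustedPublisher = if ($signer) { $trusted -contains $signer.Thumbprint } else { $false }
        }
    }
}

# Placeholder path: point this at the extracted driver folder.
Test-DriverPackageSignature -PackagePath 'C:\path\to' | Format-List
```

A Status other than Valid, or a HashMismatch in particular, means the package was altered after signing or was never signed by a chain this machine trusts.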

This error tripped me up the first time I tried installing a 2008-era printer driver on Windows 10. A quick test mode toggle saved me an hour of digging. Hope it does the same for you.
