0X800F0238

SPAPI_E_SCE_DISABLED 0X800F0238 Fix on Embedded Windows

Cybersecurity & Malware Intermediate 👁 1 views 📅 May 27, 2026

This error hits when trying to install drivers or security tools on embedded Windows. The SCE APIs are locked to protect the system, but it blocks legitimate installs too.

You're on Windows Embedded Standard or Windows 10 IoT, and you try to install a driver or a security agent. Halfway through, it spits out SPAPI_E_SCE_DISABLED (0X800F0238) — 'The Security Configuration Editor (SCE) APIs have been disabled on this embedded product.' I've seen this on POS terminals, thin clients, and medical devices running locked-down images. The install just stops cold.

Why it happens

Embedded Windows ships with the Security Configuration Editor (SCE) APIs disabled by default. Microsoft does this to reduce the attack surface — if the APIs aren't there, malware can't use them to mess with security policies. That's smart for a kiosk or ATM. But it also blocks legitimate operations: driver installers, security software, and even some Windows updates that call SCE APIs internally.

The error code 0X800F0238 means the call to SCE failed because the feature's been cut out at the component level. It's not a permissions thing — the functionality simply isn't loaded.

The fix: Re-enable SCE APIs via registry

You don't need to reimage. There's a registry key that controls this. I've used this on Windows Embedded Standard 7, Windows 10 IoT Enterprise, and Windows 11 IoT. Same fix.

  1. Open Regedit as Administrator.
  2. Navigate to:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SCE

    If the SCE key doesn't exist, create it.

  3. Create a DWORD (32-bit) named SCEEnabled.
  4. Set its value to 1.
  5. Restart the system. A full reboot is required — the SCE service only checks this key at boot.

What to check if it still fails

If the error persists after the reboot, verify the registry change stuck. Some embedded images have write filters (like Enhanced Write Filter or Unified Write Filter) that revert changes at reboot. You'll need to temporarily disable the write filter, apply the registry change, reboot, then re-enable the filter.

On Windows 10 IoT, check if the device is in servicing mode or audit mode. Those modes bypass write filters — you can make the change there and commit it. Command:

dism /online /disable-feature /featurename:Client-EmbeddedBoot

That's for turning off the embedded boot experience if it's interfering. But for most cases, the registry key alone does it.

One more thing: if you're on a really stripped-down image (like Windows Embedded POSReady 7), the SCE DLLs might not be present at all. Check for scecli.dll in C:\Windows\System32. If it's missing, you'll need to add the Security Configuration Editor component via DISM:

dism /online /add-package /packagepath:C:\path\to\cab

You'll need the appropriate CAB from your embedded media. That's rare, but I've seen it on custom builds.

Once the key is set and the DLL is there, the error goes away. SCE APIs wake up, and your driver or security tool installs clean.

Was this solution helpful?

SPAPI_E_SCE_DISABLED 0X800F0238 Security Configuration Editor disabled embedded Windows driver install error SCE APIs locked Windows Embedded Standard driver fix DISM SCE error driver installation failed embedded 0x800f0238 Windows 10 IoT SCE disabled registry fix