From b04ccdc2cd8ec5565ef2c6f3e7b5460290d34e60 Mon Sep 17 00:00:00 2001
From: Ryan Bahm
Date: Wed, 17 Mar 2021 13:46:57 -0700
Subject: [PATCH] Make verifier run on next boot only

In its current state, the verifier does not specify a /bootmode, which causes it to use the default behavior, "persistent." As a result, on an incompatible hardware configuration, the system may get stuck in a boot loop. (Ask me how I know!) This change specifies that the verifier should only run on the next boot, preventing a user from getting their computer stuck in a situation that Windows cannot resolve on its own.
--- .../identity-protection/credential-guard/dg-readiness-tool.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md index b1dbf1f33c..803d27b000 100644 --- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md +++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md @@ -678,7 +678,7 @@ function CheckDriverCompat if($verifier_state.ToString().Contains("No drivers are currently verified.")) { LogAndConsole "Enabling Driver verifier" - verifier.exe /flags 0x02000000 /all /log.code_integrity + verifier.exe /flags 0x02000000 /all /bootmode oneboot /log.code_integrity LogAndConsole "Enabling Driver Verifier and Rebooting system" Log $verifier_state
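Review bot: the changed verifier.exe line in CheckDriverCompat carries no comment explaining why "/bootmode oneboot" is passed, and the log text next to it still reads "Enabling Driver verifier" with no mention that the settings now apply to the next boot only. Add a one-line comment above the call noting that the default mode is persistent and can leave an incompatible machine in a boot loop, and extend the LogAndConsole message so the log records the one-boot scope. In the visible lines the result of the verifier.exe call is also not checked before "Enabling Driver Verifier and Rebooting system" is logged; consider testing $LASTEXITCODE after the call so that a failed invocation is logged instead of being followed straight by the reboot message.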