bcdedit — Boot Configuration Data Editor

What it is

bcdedit (Boot Configuration Data Editor) is a built-in Windows tool that reads and writes the Boot Configuration Data (BCD) store — the structured database that the Windows Boot Manager uses to find, enumerate, and launch operating system boot loaders. Use it to add or remove boot entries, set the default OS on a multi-boot system, change the boot timeout, enable kernel debugging, or disable driver signature enforcement (test-signing mode). Requires Administrator privileges. Incorrect edits can make a system unbootable; always export a backup before making changes.

Availability

bcdedit ships as C:\Windows\System32\bcdedit.exe on Windows Vista and later. Must be run as Administrator.

bcdedit /?

Output:

BCDEDIT - Boot Configuration Data Store Editor

The command-line tool controls the boot configuration data store.
...

Commands that operate on a store:
/store          Used to specify a BCD store other than the current system default.

Commands that operate on entries in a store:
/copy           Makes a copy of an entry in the specified store.
/create         Creates a new entry in the store.
/delete         Deletes an entry from the store.
/mirror         Creates a mirror of an entry in the store.
...

Syntax

bcdedit [/store file] /option [arguments]

Output: (varies by option)

Essential options

Viewing the BCD store

/enum all lists every object in the BCD store — Windows Boot Manager, boot loaders, and any firmware entries.

bcdedit /enum all

Output:

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
resumeobject            {a1b2c3d4-...}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 11
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {e5f6g7h8-...}
displaymessageoverride  Recovery
recoveryenabled         Yes
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \Windows
resumeobject            {a1b2c3d4-...}
nx                      OptIn
bootmenupolicy          Standard

Setting the boot timeout

The boot menu countdown in seconds. 0 boots immediately with no user interaction; -1 waits indefinitely.

bcdedit /timeout 10

Output:

The operation completed successfully.

Changing the default boot entry

On multi-boot systems, /default sets which entry boots automatically when the timeout expires.

rem List entries to get their GUIDs first
bcdedit /enum

Output:

Windows Boot Loader
-------------------
identifier              {current}
description             Windows 11

Windows Boot Loader
-------------------
identifier              {a1b2c3d4-e5f6-7890-abcd-ef1234567890}
description             Windows 10

bcdedit /default {a1b2c3d4-e5f6-7890-abcd-ef1234567890}

Output:

The operation completed successfully.

Modifying boot entry properties (/set)

/set changes any property of a boot entry. Common keys: description, path, systemroot, nx, nointegritychecks, testsigning, safeboot, bootmenupolicy.

rem Rename the current boot entry
bcdedit /set {current} description "Windows 11 Pro (Production)"

Output:

The operation completed successfully.

rem Disable Secure Boot check for a test entry
bcdedit /set {current} nointegritychecks yes

Output:

The operation completed successfully.

Enabling test-signing mode

Test-signing allows loading drivers not signed by a trusted authority — used in driver development. Enabling it adds a watermark to the desktop and lowers system security; never leave it on in production.

bcdedit /set testsigning on

Output:

The operation completed successfully.

rem Disable when development is done
bcdedit /set testsigning off

Output:

The operation completed successfully.

Booting into Safe Mode

Setting the safeboot value on the current entry forces Safe Mode on the next reboot. Remove the value to return to normal boot.

bcdedit /set {current} safeboot minimal

Output:

The operation completed successfully.

rem Reboot into Safe Mode now
shutdown /r /t 0

Output:

(system reboots)

rem Remove safeboot flag after recovery (run from Safe Mode)
bcdedit /deletevalue {current} safeboot

Output:

The operation completed successfully.

Enabling kernel debugging

Kernel debugging connects a host debugger to the target machine over serial, network, USB, or 1394. /dbgsettings configures the transport; /debug on enables it for a specific entry.

rem Configure network debugging (kdnet)
bcdedit /dbgsettings net hostip:192.168.1.200 port:50000

Output:

Key=1a2b3c4d5e6f7890.1a2b3c4d5e6f7890.1a2b3c4d5e6f7890.1a2b3c4d5e6f7890
The operation completed successfully.

bcdedit /debug {current} on

Output:

The operation completed successfully.

Exporting and importing the BCD store

Always export the BCD store before making changes. The export is a binary file that can be restored with /import if a change breaks boot.

bcdedit /export C:\Backup\bcd_backup_%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%.bcd

Output:

The operation completed successfully.

rem Restore from backup (run from Windows Recovery Environment)
bcdedit /import C:\Backup\bcd_backup_20260428.bcd

Output:

The operation completed successfully.

Common pitfalls

1. A bad edit can make the system unbootable — always run /export before any change; the Windows Recovery Environment (winre) has bcdedit available for repair.
2. {current} refers to the running OS entry — it is an alias, not a literal GUID; using it in a script is safer than hardcoding the GUID.
3. Test-signing lowers security — loading test-signed drivers bypasses signature enforcement; revert with bcdedit /set testsigning off when done and reboot.
4. /timeout 0 gives no time to choose — on a multi-boot system, setting timeout to 0 means the default entry always boots with no chance to interrupt; use at least 5 seconds.
5. safeboot persists across reboots — if you set safeboot minimal and reboot into Safe Mode, remember to remove the value before rebooting again or you'll always boot into Safe Mode.
6. Secure Boot may block changes — on UEFI systems with Secure Boot enabled, some bcdedit changes (e.g. nointegritychecks) are ignored; disable Secure Boot in firmware if needed for driver development.

Real-world recipes

Before any change — export the BCD store

md C:\BCDBackup 2>NUL
bcdedit /export "C:\BCDBackup\bcd_%COMPUTERNAME%_%DATE:~10,4%%DATE:~4,2%%DATE:~7,2%.bcd"
echo BCD exported.

Output:

The operation completed successfully.
BCD exported.

Set boot timeout for a kiosk machine

bcdedit /timeout 5
bcdedit /default {current}
echo Boot configured: 5-second timeout, defaults to current OS.

Output:

The operation completed successfully.
The operation completed successfully.
Boot configured: 5-second timeout, defaults to current OS.

Force Safe Mode for next reboot then auto-remove

@echo off
bcdedit /set {current} safeboot minimal
echo Safe Mode set. Rebooting in 10 seconds...
shutdown /r /t 10

Output:

The operation completed successfully.
Safe Mode set. Rebooting in 10 seconds...

Anatomy of the BCD store

The BCD (Boot Configuration Data) store is a hive — the same registry-style binary format used by HKLM keys. On a normal install it lives at \EFI\Microsoft\Boot\BCD on the EFI System Partition for UEFI systems, or \Boot\BCD on the system-reserved partition for legacy BIOS installs. Each entry inside is identified by a GUID and described by a fixed set of element keys. Understanding this structure makes bcdedit /enum output legible: a "Windows Boot Manager" object plus one or more "Windows Boot Loader" objects, each tied together by displayorder and default references.

rem Show the BCD file path on a UEFI machine
mountvol S: /S
dir S:\EFI\Microsoft\Boot\BCD

Output:

 Directory of S:\EFI\Microsoft\Boot

03/14/2026  09:14         24,576 BCD

GUID aliases — the well-known identifiers

bcdedit accepts both raw GUIDs and a set of named aliases. Using aliases in scripts is portable across machines because the underlying GUIDs differ per install.

rem List just the boot manager
bcdedit /enum {bootmgr}

Output:

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
locale                  en-US
inherit                 {globalsettings}
default                 {current}
displayorder            {current}
toolsdisplayorder       {memdiag}
timeout                 30

/enum filter types

/enum takes an optional category filter that scopes the output.

bcdedit /enum OSLOADER

Output:

Windows Boot Loader
-------------------
identifier              {current}
description             Windows 11
...

Windows Boot Loader
-------------------
identifier              {a1b2c3d4-...}
description             Windows 10

bcdedit /enum FIRMWARE

Output:

Firmware Boot Manager
---------------------
identifier              {fwbootmgr}
displayorder            {bootmgr}
                        {a1b2c3d4-...}
timeout                 1

Complete switch reference

rem Verbose mode — full GUIDs instead of {current}
bcdedit /enum /v

Output:

Windows Boot Loader
-------------------
identifier              {12345678-1234-1234-1234-123456789abc}
device                  partition=C:
description             Windows 11
...

Boot entry elements (settable with /set)

Each Windows Boot Loader entry has a fixed schema of typed elements. The most useful ones for day-to-day tweaking:

rem Show every element for {current}
bcdedit /enum {current} /v

Output:

Windows Boot Loader
-------------------
identifier              {12345678-...}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 11
locale                  en-US
inherit                 {bootloadersettings}
recoverysequence        {abcdef01-...}
displaymessageoverride  Recovery
recoveryenabled         Yes
isolatedcontext         Yes
allowedinmemorysettings 0x15000075
osdevice                partition=C:
systemroot              \Windows
resumeobject            {fedcba98-...}
nx                      OptIn
bootmenupolicy          Standard

Diagnostic boot modes via /set

A range of one-off diagnostic flags can be flipped via /set on the {current} entry. They persist until you /deletevalue them.

rem Verbose driver list at boot
bcdedit /set {current} sos yes

rem Boot log written to %WINDIR%\ntbtlog.txt
bcdedit /set {current} bootlog yes

rem Limit to 2 logical processors for debugging multi-CPU issues
bcdedit /set {current} numproc 2

rem Cap RAM at 4 GB for memory-limit testing
bcdedit /set {current} truncatememory 0x100000000

rem Force HPET timer (Hyper-V troubleshooting)
bcdedit /set {current} useplatformclock true

rem Disable hypervisor (turns off Hyper-V at boot)
bcdedit /set hypervisorlaunchtype off

Output (each):

The operation completed successfully.

Remove with /deletevalue:

bcdedit /deletevalue {current} sos
bcdedit /deletevalue {current} bootlog
bcdedit /deletevalue {current} numproc
bcdedit /deletevalue {current} truncatememory
bcdedit /deletevalue {current} useplatformclock
bcdedit /set hypervisorlaunchtype auto

Output (each):

The operation completed successfully.

Working with offline BCD stores (/store)

/store <file> operates on a BCD file other than the active system store. This is the primary way to repair an unbootable Windows from inside the Windows Recovery Environment (WinRE), or to edit a virtual machine's BCD from the host without booting the VM.

rem In WinRE — locate the system partition
diskpart
DISKPART> list volume
DISKPART> exit

rem Edit the BCD on the recovered partition
bcdedit /store S:\EFI\Microsoft\Boot\BCD /enum

Output:

Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
...

rem Set the default boot entry in an offline store
bcdedit /store S:\EFI\Microsoft\Boot\BCD /default {current}

Output:

The operation completed successfully.

For editing a VHD's BCD on the host without booting it, Mount-DiskImage makes the VHD's partitions available as drive letters, after which /store <drive>:\Boot\BCD works on the offline image.

# PowerShell — mount a VHDX read-write
$mounted = Mount-DiskImage -ImagePath "C:\VMs\client.vhdx" -PassThru
$drive = ($mounted | Get-Disk | Get-Partition | Get-Volume | Where-Object DriveLetter).DriveLetter
Write-Host "VHD mounted on $drive`:"

Output:

VHD mounted on G:

rem Now edit its BCD from the host
bcdedit /store G:\Boot\BCD /enum
bcdedit /store G:\Boot\BCD /timeout 5

Output:

The operation completed successfully.

# Dismount when done
Dismount-DiskImage -ImagePath "C:\VMs\client.vhdx"

Output:

Attached          : False
DevicePath        :
...

Creating boot entries — VHD boot

bcdedit can configure a Windows install inside a VHD/VHDX file to boot natively (no hypervisor). This is occasionally useful for testing OS images or running a sandboxed Windows installation.

rem Copy the running OS entry as a starting template
for /F "tokens=2 delims={}" %%G in ('bcdedit /copy {current} /d "Windows 11 VHD" ^| findstr "successfully copied"') do set NEWID={%%G}

rem Tell the new entry that its OS files live inside a VHD
bcdedit /set %NEWID% device vhd=[C:]\VHDs\test.vhdx
bcdedit /set %NEWID% osdevice vhd=[C:]\VHDs\test.vhdx
bcdedit /set %NEWID% description "Windows 11 (VHD)"

rem Add to the menu
bcdedit /displayorder %NEWID% /addlast
bcdedit /timeout 10

Output (each successful command):

The operation completed successfully.

After reboot, the boot menu offers both the host OS and the VHD-resident OS.

Virtual Secure Mode and Credential Guard (vsmlaunchtype)

Virtual Secure Mode (VSM) is the hypervisor-isolated execution environment that hosts Credential Guard, Hypervisor-protected Code Integrity (HVCI / Memory Integrity), and other VBS (Virtualization-Based Security) features. On Windows 11 22H2 and later, VSM is on by default on hardware that supports it. bcdedit /set vsmlaunchtype toggles the boot-time launch — pair with hypervisorlaunchtype since VSM rides on top of the hypervisor.

rem Disable Virtual Secure Mode at next boot (e.g. to use a third-party hypervisor)
bcdedit /set vsmlaunchtype off

rem Re-enable
bcdedit /set vsmlaunchtype auto

Output (each):

The operation completed successfully.

# Check current VBS / Credential Guard status (msinfo32 also surfaces this)
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard |
    Select-Object SecurityServicesRunning, VirtualizationBasedSecurityStatus, RequiredSecurityProperties

Output:

SecurityServicesRunning : {1, 2}
VirtualizationBasedSecurityStatus : 2
RequiredSecurityProperties        : {1, 2, 3}

A VirtualizationBasedSecurityStatus of 2 means VBS is enabled and running. Note: disabling Credential Guard properly also requires the WDAG/Credential-Guard removal tool — toggling vsmlaunchtype alone leaves an inconsistent state on machines provisioned via Intune/MDM policy.

Boot status policy (bootstatuspolicy)

bootstatuspolicy controls whether a failed boot, failed shutdown, or failed checkpoint forces the machine into the Windows Recovery Environment on the next reboot. The default on Windows 8 and later is IgnoreShutdownFailures — boot/checkpoint failures still trigger WinRE, but a hard power-off does not. On unattended servers in a remote data centre, IgnoreAllFailures prevents a single bad boot from stranding the machine in WinRE with no console operator to dismiss the recovery prompt.

rem Suppress all WinRE auto-recovery prompts (use only on monitored servers)
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures

Output:

The operation completed successfully.

rem Restore the default (boot/checkpoint failures still trigger WinRE)
bcdedit /set {default} bootstatuspolicy IgnoreShutdownFailures

Output:

The operation completed successfully.

One-shot F8 menu (onetimeadvancedoptions)

On a Windows 8 / 10 / 11 system with bootmenupolicy Standard, the legacy F8 menu is permanently disabled. onetimeadvancedoptions on re-enables the F8 menu for the next boot only — handy when you need Safe Mode access on a remote machine without permanently switching the boot menu policy.

bcdedit /set {current} onetimeadvancedoptions on
shutdown /r /t 0

Output:

The operation completed successfully.

After the reboot, the F8 advanced options menu is available; subsequent boots return to the touch-friendly Standard menu automatically.

bcdedit and Secure Boot

UEFI Secure Boot prevents loading boot loaders that aren't signed by trusted certificates. Some bcdedit changes (testsigning on, nointegritychecks yes) require Secure Boot to be off — when Secure Boot is on, Windows ignores the flag and continues to enforce signatures. The fix is to disable Secure Boot in the UEFI firmware setup before setting the flag, then re-enable it once development is done.

rem Check current Secure Boot status (PowerShell helper)
powershell -NoProfile -Command "Confirm-SecureBootUEFI"

Output:

True

(True means Secure Boot is enabled and testsigning will be silently ignored.)

rem After turning Secure Boot off in firmware:
bcdedit /set testsigning on
bcdedit /set {current} nointegritychecks yes

Output:

The operation completed successfully.

A "Test Mode" watermark appears in the bottom-right of the desktop while these flags are active.

Hyper-V and hypervisorlaunchtype

The hypervisorlaunchtype element on the boot manager controls whether the Hyper-V hypervisor is loaded before Windows. Setting it to off is required before installing certain other hypervisors (VMware Workstation pre-15, VirtualBox pre-6) and to use Intel VT-d / AMD-Vi directly from the host OS.

rem Disable Hyper-V at next boot
bcdedit /set hypervisorlaunchtype off

rem Re-enable
bcdedit /set hypervisorlaunchtype auto

Output (each):

The operation completed successfully.

Reboot is required for the change to take effect. Note that Windows 10/11 with Virtualization-Based Security (Memory Integrity, Credential Guard) enabled may re-enable Hyper-V automatically; check via msinfo32 after reboot.

bcdedit and bcdboot

bcdedit modifies entries that already exist; it does not create the BCD itself or copy boot files. The companion tool bcdboot does both — it copies boot files to the EFI System Partition and seeds a fresh BCD with an entry for the specified OS. Use bcdboot when:

• Repairing a wiped EFI System Partition.
• Adding a freshly applied WIM to the boot menu.
• Creating a USB-bootable rescue stick.

rem Re-create boot files for the Windows install on C:\
bcdboot C:\Windows /s S: /f UEFI

Output:

Boot files successfully created.

PowerShell — no native equivalent

Unlike most Windows CLI tools, bcdedit has no first-party PowerShell module. The reason is that the underlying BCD WMI provider (root\WMI\BcdObject) is awkward enough that Microsoft never wrapped it in cmdlets. Real PowerShell automation either shells out to bcdedit and parses output, or talks to WMI directly.

# Shell out to bcdedit and capture
$out = bcdedit /enum
$out -split "`r`n" | Where-Object { $_ -match "^description" }

Output:

description             Windows Boot Manager
description             Windows 11
description             Windows 10

# Talk to WMI directly — read the active OS loader
Get-WmiObject -Namespace root\wmi -Class BcdObject |
    Where-Object { $_.Type -eq 0x10200003 }

Output:

__GENUS                : 2
__CLASS                : BcdObject
Id                     : {12345678-...}
StoreFilePath          : \Device\HarddiskVolume1\EFI\Microsoft\Boot\BCD
Type                   : 271646723

The community module BCDModule and similar projects wrap parts of this — but for one-off changes, bcdedit remains the simplest path. For image editing where you also need partition manipulation, pair bcdedit /store with Mount-DiskImage (PowerShell, see dism for related image-servicing flows).

Recovery scenarios

Unbootable Windows after a bad bcdedit change

If a bcdedit change leaves the system unbootable:

1. Boot from a Windows installation USB (any version matching the build, give or take).
2. Choose "Repair your computer" → Troubleshoot → Advanced options → Command Prompt.
3. Find the system partition with diskpart (usually a small FAT32 partition labelled "System").
4. Re-run bcdedit /store <SystemDrive>:\EFI\Microsoft\Boot\BCD /import <BackupFile> or fix the offending element with /set / /deletevalue on the offline store.

rem Find the right partition in WinRE
diskpart
DISKPART> list disk
DISKPART> select disk 0
DISKPART> list partition
DISKPART> select partition 1
DISKPART> assign letter=S
DISKPART> exit

rem Restore from backup
bcdedit /store S:\EFI\Microsoft\Boot\BCD /import C:\BCDBackup\bcd_MYHOST_20260524.bcd

Output:

The operation completed successfully.

Missing boot menu — only the default OS boots

Caused by a timeout of 0 or a corrupted displayorder. Reset both:

bcdedit /timeout 10
bcdedit /displayorder {default} /addfirst

Output:

The operation completed successfully.
The operation completed successfully.

Rebuild the BCD store from scratch

If the BCD is so corrupt that bcdedit /enum won't even list entries, blow it away and let bcdboot rebuild from the Windows install on disk.

rem In WinRE
attrib -s -h S:\EFI\Microsoft\Boot\BCD
ren S:\EFI\Microsoft\Boot\BCD BCD.old
bcdboot C:\Windows /s S: /f UEFI

Output:

Boot files successfully created.

Switch from legacy BIOS to UEFI boot post-install

mbr2gpt.exe (Windows 10 1703+) converts the disk in place; then bcdboot writes UEFI boot files.

rem Convert MBR → GPT on disk 0
mbr2gpt /convert /disk:0 /allowFullOS
bcdboot C:\Windows /f UEFI

Output:

MBR2GPT: Validating layout, disk sector size: 512 bytes
MBR2GPT: Disk layout validation successful.
MBR2GPT: Creating the EFI system partition
MBR2GPT: Installing the new boot files
MBR2GPT: Performing the layout conversion
MBR2GPT: Migrating GPT entries
MBR2GPT: Conversion completed successfully
Boot files successfully created.

(Change firmware setting from CSM/Legacy to UEFI on next boot.)

Boot menu policy: legacy F8 vs Standard

Pre-Windows 8 systems used the "Legacy" boot menu — the text-mode menu you got by tapping F8 during POST. Windows 8 and later default to "Standard" (touch-friendly, graphical). To restore the F8 menu for easier Safe Mode access:

bcdedit /set {current} bootmenupolicy Legacy

Output:

The operation completed successfully.

(Press F8 at startup to reach the classic menu.)

rem Revert to Standard
bcdedit /set {current} bootmenupolicy Standard

Output:

The operation completed successfully.

Memory testing — {memdiag}

The Windows Memory Diagnostic entry is a separate boot application (MdSched.exe) referenced by {memdiag}. It is shown in the tools menu and can be invoked on the next reboot.

rem Show the entry
bcdedit /enum {memdiag}

Output:

Windows Memory Tester
---------------------
identifier              {memdiag}
device                  partition=\Device\HarddiskVolume1
path                    \boot\memtest.exe
description             Windows Memory Diagnostic
locale                  en-US
inherit                 {globalsettings}
badmemoryaccess         Yes

rem Schedule a one-time memory test at next boot
bcdedit /bootsequence {memdiag}

Output:

The operation completed successfully.

Re-running the command after reboot is not needed — /bootsequence is a one-time override that clears itself after use.

Logging bcdedit operations

bcdedit does not produce its own log file. To audit who changed what, wrap calls in a logging cmd or PowerShell function that timestamps stdout and stderr.

@echo off
set LOG=C:\Logs\bcd_%COMPUTERNAME%_%DATE:~-4,4%%DATE:~-10,2%%DATE:~-7,2%.log
echo [%DATE% %TIME%] %~n0 invoked by %USERNAME% >> %LOG%
echo Command: bcdedit %* >> %LOG%
bcdedit %* >> %LOG% 2>&1
echo. >> %LOG%

Output (in log):

[Mon 05/25/2026 14:22:05.31] mybcd invoked by alicedev
Command: bcdedit /timeout 10
The operation completed successfully.

# PowerShell version with transcript
Start-Transcript -Path "C:\Logs\bcd_$(Get-Date -f yyyyMMdd).log" -Append
bcdedit /timeout 10
Stop-Transcript

Output: (no direct output; everything captured in transcript)

Cross-references with dism and image editing

When customising an offline Windows image, bcdedit and dism are often paired: dism modifies the OS image (features, drivers, packages) and bcdedit adjusts its boot entries. See dism — Deployment Image Servicing and Management for the full image-servicing workflow. The typical sequence for preparing a deployable image:

1. Mount-DiskImage on a VHDX containing a sysprepped Windows install.
2. dism /Image:<MountDir> to enable features / inject drivers.
3. bcdedit /store <MountDir>\Boot\BCD to set the default and timeout.
4. Dismount-DiskImage to release the VHDX.
5. Deploy.

$vhd = Mount-DiskImage -ImagePath "D:\images\gold.vhdx" -PassThru
$os = ($vhd | Get-Disk | Get-Partition | Where-Object Type -eq 'Basic' | Get-Volume).DriveLetter

# Service the OS partition
dism /Image:"$os`:\" /Add-Driver /Driver:C:\Drivers\fleet /Recurse

# Adjust the boot store inside the image
bcdedit /store "$os`:\Boot\BCD" /timeout 5
bcdedit /store "$os`:\Boot\BCD" /default '{default}'

Dismount-DiskImage -ImagePath "D:\images\gold.vhdx"

Output: (each step prints success messages; final image ready for deployment)

Common pitfalls (continued)

7. bcdedit requires elevation even to read — /enum works for read-only, but PowerShell remoting often loses elevation; use Start-Process powershell -Verb RunAs to relaunch.
8. /set hypervisorlaunchtype off does not uninstall Hyper-V — it only disables the hypervisor at boot; uninstall the Windows feature with dism /Disable-Feature for permanent removal.
9. testsigning on requires Secure Boot off — the flag is set but silently ignored when Secure Boot is enabled; check with Confirm-SecureBootUEFI first.
10. {current} ≠ {default} after F8 menu pick — if the user picked a non-default OS, {current} refers to the booted one, not the default. Scripts should pick explicitly.
11. bcdedit /timeout 0 plus single entry hides the menu — even with multiple entries, timeout 0 boots the default immediately; set ≥ 1 to keep the menu visible.
12. No PowerShell cmdlet wrapper exists — automation requires either text-parsing bcdedit output or WMI; there is no Get-BcdEntry cmdlet in stock Windows.
13. BCD on dual-boot systems with non-Windows OSes — Linux GRUB and macOS rEFInd do not modify the Windows BCD; if Windows is the boot manager, those OSes need a BCD entry pointing to their loader (bootsector element with device=...).
14. VHD-boot child BCDs are independent — the BCD inside the VHD is separate from the host's BCD; both must be coherent for the inner OS to boot.

Real-world recipes (continued)

Pre-flight backup wrapper

A reusable wrapper that exports the BCD before any change.

@echo off
setlocal
set BACKUP_DIR=C:\BCDBackup
md %BACKUP_DIR% 2>nul
set STAMP=%DATE:~-4,4%%DATE:~-10,2%%DATE:~-7,2%_%TIME:~0,2%%TIME:~3,2%%TIME:~6,2%
set STAMP=%STAMP: =0%
set BACKUP=%BACKUP_DIR%\bcd_%COMPUTERNAME%_%STAMP%.bcd
bcdedit /export "%BACKUP%"
echo Backup: %BACKUP%
echo Now running: bcdedit %*
bcdedit %*
endlocal

Output:

The operation completed successfully.
Backup: C:\BCDBackup\bcd_MYHOST_20260525_142205.bcd
Now running: bcdedit /timeout 10
The operation completed successfully.

Multi-host BCD timeout audit

Use psexec or Invoke-Command to collect boot timeouts from every host on the network.

$hosts = "host1","host2","host3"
$hosts | ForEach-Object {
    $h = $_
    Invoke-Command -ComputerName $h -ScriptBlock {
        $out = bcdedit /enum '{bootmgr}' 2>&1
        ($out | Select-String -Pattern "^timeout\s+(\d+)").Matches.Groups[1].Value
    } | Select-Object @{N='Host';E={$h}}, @{N='Timeout';E={$_}}
}

Output:

Host    Timeout
----    -------
host1   30
host2   30
host3   5

Schedule a one-time Safe Mode + auto-revert via Task Scheduler

A common admin pattern: boot once into Safe Mode to run a cleanup, then automatically revert and reboot back to normal.

rem Step 1: schedule the revert task to run after next boot
schtasks /Create /TN "RevertSafeBoot" /SC ONSTART /TR "cmd /c bcdedit /deletevalue {current} safeboot & shutdown /r /t 30 & schtasks /Delete /TN RevertSafeBoot /F" /RL HIGHEST /F

rem Step 2: flip safeboot and reboot
bcdedit /set {current} safeboot minimal
shutdown /r /t 5

Output:

SUCCESS: The scheduled task "RevertSafeBoot" has successfully been created.
The operation completed successfully.

After the next boot completes the cleanup and reboots once more, the scheduled task removes the safeboot flag and reboots into normal mode.

Add a Windows-to-Go entry

bcdedit can create an entry that boots from a removable USB device.

for /F "tokens=2 delims={}" %%G in ('bcdedit /copy {current} /d "Windows To Go (USB)" ^| findstr "successfully copied"') do set NEWID={%%G}
bcdedit /set %NEWID% device partition=E:
bcdedit /set %NEWID% osdevice partition=E:
bcdedit /set %NEWID% description "Windows To Go (USB drive)"
bcdedit /displayorder %NEWID% /addlast

Output (each):

The operation completed successfully.

Sources

Microsoft Learn — bcdedit command — Overview of BCDEdit and the store/entry/element/output/boot-manager/EMS/debug parameter groups.

Microsoft Learn — BCDEdit /set (driver dev test) — Authoritative catalog of bcdedit /set data types covering boot settings, HAL/kernel overrides, verification (testsigning, nointegritychecks), processor/memory tuning, debugger and hypervisor settings, and Virtual Secure Mode (vsmlaunchtype).

See also

• dism — Deployment Image Servicing and Management — the companion image-servicing tool; paired with bcdedit for full image preparation workflows.
• PowerShell Essentials — Mount-DiskImage, Confirm-SecureBootUEFI, and remoting helpers.
• diskpart — Disk and Partition Management — pairs with bcdedit /store for partition-level recovery.
• shutdown — Restart, Power Off, and Hibernate — the standard follow-up after a bcdedit change.
• systeminfo — System Information — confirms firmware mode (UEFI vs BIOS) and OS install context.
• sc — Service Controller — boot-time drivers and services interact with the BCD's boot mode flags.