Enable or Disable System Guard Secure Launch for Firmware Protection in Windows 11



This tutorial will show you how to enable or disable Microsoft Defender System Guard Secure Launch for firmware protection in Windows 10 and Windows 11 Secured-core PCs.

Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. These devices ship with additional security measures enabled at the firmware layer, or device core, that underpins Windows. Secured-core PCs help prevent malware attacks and minimize firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust. Virtualization-based security comes enabled by default, and with built-in hypervisor-protected code integrity (HVCI) shielding system memory, Secured-core PCs ensure that all executables are signed only by known and approved authorities. Secured-core PCs also protect against physical threats such as drive-by Direct Memory Access (DMA) attacks.

In Secured-core PCs, Microsoft Defender System Guard Secure Launch protects bootup with a technology known as the Dynamic Root of Trust for Measurement (DRTM). With DRTM, the system initially follows the normal UEFI Secure Boot process. However, before launching, the system enters a hardware-controlled trusted state that forces the CPU(s) down a hardware-secured code path. If a malware rootkit/bootkit has bypassed UEFI Secure Boot and resides in memory, DRTM will prevent it from accessing secrets and critical code protected by the virtualization-based security environment. Firmware Attack Surface Reduction technology can be used instead of DRTM on supporting devices such as Microsoft Surface.


You must be signed in as an administrator to enable or disable System Guard Secure Launch for firmware protection.




Contents

  • Option One: Enable or Disable System Guard Secure Launch for Firmware Protection in Windows Security
  • Option Two: Enable or Disable System Guard Secure Launch for Firmware Protection using REG file




Option One

Enable or Disable System Guard Secure Launch for Firmware Protection in Windows Security


1 Open Windows Security.

2 Click/tap on Device security. (see screenshot below)

System_Guard_Secure_Launch_for_firmware_protection-1.png

3 Click/tap on the Core isolation details link under Core isolation. (see screenshot below)

System_Guard_Secure_Launch_for_firmware_protection-2.png

4 Turn on (default) or off Firmware protection for what you want. (see screenshot below)

If the Firmware protection setting is grayed out with a This setting is managed by your administrator message, change the Managed DWORD value to 0 instead of 1 in the registry key below, then close and reopen Windows Security.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard


System_Guard_Secure_Launch_for_firmware_protection-3.png

5 If prompted by UAC, click/tap on Yes to approve.

6 Restart the computer to apply. (see screenshots below)

System_Guard_Secure_Launch_for_firmware_protection-4.png
System_Guard_Secure_Launch_for_firmware_protection-5.png




Option Two

Enable or Disable System Guard Secure Launch for Firmware Protection using REG file


1 Do step 2 (enable) or step 3 (disable) below for what you would like to do.

2 Enable System Guard Secure Launch for Firmware Protection

This is the default setting.


A) Click/tap on the Download button below to download the REG file, and go to step 4 below.

Enable_System_Guard_Secure_Launch_for_firmware_protection.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard]
"Enabled"=dword:00000001

3 Disable System Guard Secure Launch for Firmware Protection

A) Click/tap on the Download button below to download the REG file, and go to step 4 below.

Disable_System_Guard_Secure_Launch_for_firmware_protection.reg


(Contents of REG file for reference)
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard]
"Enabled"=dword:00000000

4 Save the .reg file to your desktop.

5 Double click/tap on the downloaded .reg file to merge it.

6 When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7 Restart the computer to apply.

8 You can now delete the downloaded .reg file if you like.
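Both options above write the same Enabled DWORD under the SystemGuard key. The following PowerShell is an added example, not part of the tutorial: it reads that key (including the Managed value step 4 of Option One mentions), sets Enabled the same way the REG files do, and then checks what the hypervisor actually reports after the reboot. It assumes the Win32_DeviceGuard WMI class uses code 3 in SecurityServicesConfigured/SecurityServicesRunning for System Guard Secure Launch, as Microsoft's Device Guard documentation describes.

```powershell
# Added example (not part of the original tutorial). Run from an elevated PowerShell prompt.
# Assumption: Win32_DeviceGuard reports code 3 for System Guard Secure Launch.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'

function Get-SecureLaunchPolicy {
    # Returns the Enabled and Managed DWORDs; a missing value comes back as $null.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Enabled = $props.Enabled
        Managed = $props.Managed   # 1 greys out the Firmware protection toggle in Windows Security
    }
}

function Set-SecureLaunchPolicy {
    # Same effect as merging the Enable/Disable REG files: $true writes 1, $false writes 0.
    param([Parameter(Mandatory)][bool]$Enable)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $value = if ($Enable) { 1 } else { 0 }
    Set-ItemProperty -Path $KeyPath -Name 'Enabled' -Value $value -Type DWord
    Write-Host "Enabled set to $value; restart the computer to apply."
}

function Test-SecureLaunchRunning {
    # The registry value is only policy; the live state comes from the hypervisor.
    # Configured but not Running after a reboot usually means the hardware or firmware
    # does not support DRTM, so the toggle alone is not proof of protection.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        Configured = [bool]($dg.SecurityServicesConfigured -contains 3)
        Running    = [bool]($dg.SecurityServicesRunning -contains 3)
    }
}

# Example session: show the current policy, then compare it with the live state.
Get-SecureLaunchPolicy   | Format-List
Test-SecureLaunchRunning | Format-List
```

Call Set-SecureLaunchPolicy -Enable $true or -Enable $false in place of merging the REG files; a reboot is still required before Test-SecureLaunchRunning reflects the change.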


That's it,
Shawn Brink
Thanks. :-)