Enable System Guard Secure Launch for Firmware Protection

Microsoft Secured-core PCs have deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data. In order to get started with it, you need to enable System Guard Secure Launch for Firmware Protection. In this post, we will see how it’s done.

System Guard Secure Launch for Firmware Protection

Microsoft has collaborated with OEM partners to create Secured-core PCs, a special category of devices with enhanced security measures at the firmware layer. These devices prevent malware attacks and minimize firmware vulnerabilities by starting up in a clean and trusted state using the hardware-enforced root of trust. They also protect against physical and virtual threats, ensuring all executables are signed by authorized authorities and preventing unauthorized access to critical code.

In order to enable Firmware Protection, you can follow either of the two methods.

1. Enable Firmware Protection from Windows Security
2. Enable Firmware Protection from Registry Editor

Let us talk about them in detail.

1] Enable Firmware Protection from Windows Security

First, let’s use the Windows Security application to enable Firmware Protection. To do so, follow the steps mentioned below.

1. Open the Windows Security app by searching it out from the Start Menu.
2. Then, from the left side of the screen, click on Device Security.
3. Go to the Core isolation section, and click on the Core isolation details hyperlink.
4. This will redirect you to the Core isolation screen, where you can enable or disable the toggle for Firmware protection.
5. You might see a UAC prompt, click Yes, or enter the admin credentials if you have set it up.
6. Finally, reboot your computer.

Once your computer starts back up, Firmware protection will be enabled. If you see the Firmware Protection toggle greyed out, you might have to ask your IT admin to either give you the control to alter the registry or enable the settings from their end.

2] Enable Firmware Protection from the Registry Editor

Before making any changes to the Registry, we recommend you take a backup of your registries. To do so, in Registry Editor, click on File > Export, go to a secured location, and then save the file. Once done, open Notepad, and paste the following lines of code.

To enable System Guard Secure Launch for Firmware Protection

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard]
"Enabled"=dword:00000001

To disable System Guard Secure Launch for Firmware Protection

Windows Registry Editor Version 5.0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard]
"Enabled"=dword:00000000

Make sure to create two separate files with different names, but save them with the .reg extension. In order to enable or disable it, right-click on the file, and then select Open. The script will run and make the required changes to your registry.

How do I enable Secure Boot in system firmware?

Secure Boot is usually enable by default, but if it’s not, you can enable it from the BIOS. However, before that, you should check if your system has Secure Boot or not. To do so, open Windows Security and click on Device Security. If you see the Secure Boot option there, your system has the feature, you can then enable it.

Read: Windows computer won’t boot after enabling Secure Boot

How do I enable Firmware protection?

You can enable Firmware protection from Windows Security. Just open the app and go to Device Security > Core isolation and then look for Firmware portection. Finally, turn on the toggle to enable Firmware protection. We recommend you follow the steps mentioned earlier to enable Firmware protection.

Also Read: Enable or Disable Core Isolation and Memory Integrity in Windows 11.