I need some help with my attempt to enable Windows System Guard in my environment. If you want to know what it is, see:
Hardening the system and maintaining integrity with Windows Defender System Guard
and the Microsoft article is here:
Windows Defender System Guard: How a hardware-based root of trust helps protect Windows 10
and in summary Windows System Guard is:
Windows Defender System Guard reorganizes the existing Windows 10 system integrity features under one roof and sets up the next set of investments in Windows security. It’s designed to make these security guarantees:
– Protect and maintain the integrity of the system as it starts up
– Validate that system integrity has truly been maintained through local and remote attestation
I enabled it using the techniques in this article:
System Guard Secure Launch and SMM protection
To verify it is enabled (according to the article) you check MSInfo32, and you should see Secure Launch appear in both:
1. Virtualization-based security Configured
and
2. Virtualization-based security Services Running
However, in my case I don't see it appear under Virtualization-based security Services Running, as you can see above.
Now, the Microsoft article does say:
Credential Guard is definitely running per my MSInfo32
To check Virtualization Based Security I can run the command:
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
and I see the following:
According to the documentation,
if VirtualizationBasedSecurityStatus = 2 then:
VBS is enabled and running
Now, if I look at the SecurityServicesRunning field I see:
only Credential Guard and HVCI running per:
i.e. no System Guard Secure Launch. This confirms what I see in MSInfo32.
Verifying Device Guard is where things get challenging, because this:
Why we no longer use the Device Guard brand
seems to indicate that Device Guard is now Windows Defender Application Control (WDAC)?
However, there is this article:
Windows 10 Device Guard and Credential Guard Demystified
from early 2021 talking about Device Guard? There, Device Guard is:
Now that we have an understanding of Virtual Secure Mode, we can begin to discuss Device Guard. The most important thing to realize is that Device Guard is not a feature; rather it is a set of features designed to work together to prevent and eliminate untrusted code from running on a Windows 10 system
Device Guard consists of three primary components:
- Configurable Code Integrity (CCI) – Ensures that only trusted code runs from the boot loader onwards.
- VSM Protected Code Integrity – Moves Kernel Mode Code Integrity (KMCI) and Hypervisor Code Integrity (HVCI) components into VSM, hardening them from attack.
- Platform and UEFI Secure Boot – Ensuring the boot binaries and UEFI firmware are signed and have not been tampered with.
According to that article the CCI is located at:
Computer Configuration \ Administrative Templates \ System \ Device Guard \ Deploy Code Integrity Policy
But I can't see that on my machine, as shown above.
I can't see how to specifically enable VSM Protected Code Integrity; I can only find:
Finally, my machine does have UEFI and secure boot enabled:
The last piece of the puzzle is a service called Secure Launch:
which I have running and which seems to be linked to System Guard, but I can find no confirmation of what this service actually does.
In summary, I am at a loss to understand why my machine seems not to have System Guard enabled even though it appears to be capable. I feel confident that I have all the requirements in place, but Configurable Code Integrity (CCI) may be the issue, and I can't find anything on how to configure that.
My ask, then, is this: if you have any information on getting System Guard working on my machine, or on understanding why it isn't working, I'd appreciate it, as I have drawn a blank with all my other sources.
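As an added example (not part of the original post or the linked Microsoft articles), the script below decodes the same Win32_DeviceGuard fields the post reads by hand, so the "configured but not running" gap for Secure Launch shows up by name rather than as a bare 3, and it then checks the other prerequisites the post lists (the SystemGuard registry value the Secure Launch policy writes, UEFI Secure Boot, and TPM presence). The value-to-name tables are the ones documented for the Win32_DeviceGuard WMI class; newer Windows builds add further service codes that this table does not list, and those are printed as unknown(n). The registry path is the one named in the System Guard Secure Launch and SMM protection article. Run it in an elevated PowerShell session (Confirm-SecureBootUEFI needs administrator rights).

```powershell
# Added example: decode Win32_DeviceGuard and check Secure Launch prerequisites.
# Value tables follow the documented Win32_DeviceGuard property encodings.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

$vbsStatus = @{
    0 = 'VBS not enabled'
    1 = 'VBS enabled but not running'
    2 = 'VBS enabled and running'
}
# SecurityServicesConfigured / SecurityServicesRunning codes
$services = @{
    0 = 'No services'
    1 = 'Credential Guard'
    2 = 'Hypervisor-protected Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
# AvailableSecurityProperties / RequiredSecurityProperties codes
$properties = @{
    0 = 'None'
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'Mode Based Execution Control'
}

function Decode-Codes {
    param($Codes, [hashtable]$Table)
    if (-not $Codes) { return '(none)' }
    ($Codes | ForEach-Object {
        $n = [int]$_
        if ($Table.ContainsKey($n)) { $Table[$n] } else { "unknown($n)" }
    }) -join ', '
}

"VBS status           : $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"
"Services configured  : $(Decode-Codes $dg.SecurityServicesConfigured $services)"
"Services running     : $(Decode-Codes $dg.SecurityServicesRunning $services)"
"Available properties : $(Decode-Codes $dg.AvailableSecurityProperties $properties)"
"Required properties  : $(Decode-Codes $dg.RequiredSecurityProperties $properties)"

# The situation described in the post: Secure Launch (3) configured but not running.
if (($dg.SecurityServicesConfigured -contains 3) -and ($dg.SecurityServicesRunning -notcontains 3)) {
    Write-Warning 'System Guard Secure Launch is configured but not running; check the items below.'
}
elseif ($dg.SecurityServicesRunning -contains 3) {
    'System Guard Secure Launch is running.'
}

# Registry value written by the Secure Launch policy (path per the Microsoft article the post links).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'
$enabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
"SystemGuard\Enabled  : $(if ($null -eq $enabled) { '(value not present)' } else { $enabled })"

# Platform prerequisites the post lists: UEFI Secure Boot and a TPM.
$secureBoot = try { Confirm-SecureBootUEFI } catch { "could not query ($($_.Exception.Message))" }
"Secure Boot          : $secureBoot"
$tpm = Get-Tpm -ErrorAction SilentlyContinue
if ($tpm) { "TPM present / ready  : $($tpm.TpmPresent) / $($tpm.TpmReady)" }
else      { 'TPM                  : Get-Tpm returned nothing (no TPM or module unavailable)' }
```

If Secure Launch shows as configured, the registry value is 1, Secure Boot is True and the TPM is ready, but the service still does not appear under "Services running", the remaining candidates are the ones the post and the Microsoft article point at: the firmware and DRTM support of the specific platform, which this script cannot enumerate.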
Hello
I have the same issue.
In short, it comes down to hardware. If it is not recognised as supported, you can’t enable it.
I am currently experiencing this issue on hardware that should be 100% recognized as supported (Dell Precision 3460 with an i7-2700). Specifically, I cannot get System Guard to activate. In fact, under the default settings, “firmware protection” is not even presented as an option under Core Protection. If I jigger the group policy or registry settings, I can get the firmware protection setting to appear as an option (along with the yellow notification about the setting being set by the administrator) but it is greyed out and in the off setting.
I have done a ridiculous number of fresh installs along with methodically going through combinations of settings hoping to discover a magical combination that makes everything work, but I have given up hope. I am convinced there is something fundamentally amiss with this system’s hardware. Luckily for me, Dell has agreed to exchange my system with another one, but I do not have high hopes.
It appears there are many, many people experiencing the same issue, based upon all of the forum posts out there on this issue, with the primary problems being the confusion between available features under Windows 11 Pro and Windows 11 Pro Enterprise, and Microsoft stating that satisfying the conditions for certain functionalities that are only available on Windows 11 Pro Enterprise (e.g., Credential Guard) is a condition for enabling System Guard. Note: I also have a laptop with Windows 11 Home that currently has System Guard enabled.
Of course, everything I just mentioned more or less would be of no consequence if Microsoft provided some sort of reporting mechanism explaining the current state of these options, but to be fair to Microsoft, I suppose that information would be a boon to purveyors of malware.
I agree that all the hardware protection stuff is vague, especially when you add in third-party devices. Unfortunately, I experience the same challenges and frustrations as well. All you can do is try and eliminate things one at a time. That, I know from first-hand experience, is very time consuming and frustrating. I expect things to improve as MS places more focus and resources on this hardware protection, but for now you just gotta find your own way on your own hardware if it doesn't work right out of the box.
Were you able to figure this out? Having the same issue.
See – https://blog.ciaops.com/2021/08/16/all-the-guards-part-4/