This article explains how to set up System Guard Secure Launch and System Management Mode (SMM) protection to improve the startup security of Windows 11 devices.
Microsoft has worked with OEM partners to offer a special category of devices called Secured-core PCs. These devices are shipped with extra security measures enabled at the firmware layer, or device core, that help prevent malware attacks and reduce firmware vulnerabilities by launching into a clean and trusted state at startup with a hardware-enforced root of trust.
Enabling firmware protection in Windows provides several critical benefits for the security and integrity of your system:
- Enhanced Security Against Malware: Firmware protection helps defend against sophisticated malware attacks that target the firmware layer, where traditional antivirus solutions do not work effectively.
- Root of Trust: It establishes a hardware-enforced root of trust during the boot process, making it more difficult for unauthorized code to run at startup.
- Integrity Validation: Firmware protection ensures that the integrity of the firmware is verified before the operating system loads, preventing unauthorized modifications.
- Secured-core PCs: For devices classified as Secured-core PCs, firmware protection is a critical part that combines hardware and software protections, providing a fortified environment for sensitive operations.
Implementing firmware protection is crucial for maintaining a secure computing environment, especially in enterprise and sensitive use cases, where the cost of a security breach can be significant.
Enable Firmware Security on Windows
As mentioned, users with compatible systems can enable the Windows “Firmware protection” setting to strengthen boot-time security.
Here’s how to do it.
First, open the Windows Security app.
Alternatively, select Start > Settings > Update & Security > Windows Security > Open Windows Security.
In the Windows Security app, select “Device security.”

Next, click on the “Core isolation details” link.

Then, toggle the “Firmware protection” button to the On or Off position to enable or disable it.
If the Firmware protection setting is grayed out and you can’t change it, change the Managed DWORD value to 0 instead of 1 in the registry key below:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard

Restart your computer to apply the changes.
Turn on Firmware protection in Windows using Windows Registry
Another way to enable or disable the “Firmware protection” feature in Windows is to use the Windows Registry editor.
First, open the Windows Registry and navigate to the folder key path below.
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard
Right-click SystemGuard > New > DWORD (32-bit) Value and name the new DWORD Enabled.
Double-click Enabled and set its value to 1 to turn on System Guard Secure Launch for firmware protection, or to 0 to turn it off.

Save your changes and restart your computer.
That should do it!
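The same registry procedure, including the Managed-value fix for a grayed-out toggle, can be scripted from an elevated PowerShell prompt. The block below is an added example written for this article, not code from the original post or from Microsoft. It assumes the key path and the Enabled/Managed DWORD names exactly as the article gives them, and it assumes the numeric codes documented for the Win32_DeviceGuard WMI class (3 = System Guard Secure Launch, 4 = SMM Firmware Measurement) to read back whether the feature is actually running after the reboot.

```powershell
# Added example (not from the original article): inspect, set and verify the
# System Guard Secure Launch ("Firmware protection") setting from an elevated
# PowerShell prompt.
# Assumptions: the key path and the 'Enabled'/'Managed' DWORD names are the
# ones the article gives; the Win32_DeviceGuard codes (3 = System Guard Secure
# Launch, 4 = SMM Firmware Measurement) follow Microsoft's documentation for
# that WMI class.

$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'

function Get-FirmwareProtectionState {
    # Read the two DWORDs the article refers to; a missing value comes back as $null.
    $enabled = (Get-ItemProperty -Path $Key -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $managed = (Get-ItemProperty -Path $Key -Name Managed -ErrorAction SilentlyContinue).Managed
    [pscustomobject]@{
        Enabled = $enabled   # 1 = on, 0 = off, $null = value not present
        Managed = $managed   # 1 = managed by policy (toggle grayed out in the UI)
    }
}

function Set-FirmwareProtection {
    param([ValidateSet(0, 1)][int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    # The article's fix for a grayed-out toggle: set Managed to 0 so the UI accepts changes.
    if ((Get-FirmwareProtectionState).Managed -eq 1) {
        Set-ItemProperty -Path $Key -Name Managed -Value 0 -Type DWord
    }
    Set-ItemProperty -Path $Key -Name Enabled -Value $Value -Type DWord
    # The change takes effect after a restart, as the article notes.
}

function Test-SecureLaunchRunning {
    # Ask the Device Guard WMI provider which VBS services are configured and running.
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        SecureLaunchConfigured = 3 -in $dg.SecurityServicesConfigured
        SecureLaunchRunning    = 3 -in $dg.SecurityServicesRunning
        SmmMeasurementRunning  = 4 -in $dg.SecurityServicesRunning
    }
}

# Usage (elevated prompt):
Get-FirmwareProtectionState
Set-FirmwareProtection -Value 1
Test-SecureLaunchRunning   # re-run after the reboot; Running is True only on capable hardware
```

Reading back Win32_DeviceGuard is the useful check here: the registry value only records what was requested, while SecurityServicesRunning shows whether the firmware and hardware actually delivered Secure Launch after the restart.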
Conclusion:
In summary, implementing firmware protection on Windows 11 devices enhances system security. The steps outlined above help safeguard against malware and ensure the integrity of the firmware during the boot process.
- Improved Security: Firmware protection significantly enhances resistance against complex malware threats targeting firmware.
- Hardware-Enabled Trust: Establishing a hardware-enforced root of trust makes unauthorized code execution more challenging.
- Integrity Assurance: Verifies firmware integrity before the operating system initiates, preventing potential vulnerabilities.
- Vital for Sensitive Environments: This is especially important for enterprises where data breaches can have severe financial and reputational impacts.
By following the steps to enable firmware protection, users can better secure their Windows 11 experience and enjoy peace of mind regarding their system’s integrity.