Enable System Guard Secure Boot to protect the firmware

Microsoft Secured-core PCs have deeply integrated hardware, embedded software, and software to provide enhanced security for devices, identity, and data. To start with it, you need enable System Guard safe startup to protect the firmware. In this post, we’ll see how it’s done.

System Guard Secure Launch for firmware protection

Microsoft has worked with OEM partners to create PCs with Secure Cores, a special category of devices with enhanced security measures at the firmware level. These devices prevent malware attacks and minimize firmware vulnerabilities by booting in a clean and trusted state using a hardware-enforced root of trust. They also protect against physical and virtual threats by ensuring that all executable files are signed by authorized authorities and prevent unauthorized access to critical code.

To enable Firmware protection, you can use either of the two methods.

Enable firmware protection from Windows Security
Enable firmware protection from Registry Editor

Let’s talk about them in more detail.

1) Enable firmware protection from Windows Security

First, let’s use Windows security program to enable firmware protection. To do this, follow the steps below.

Open it Windows security by searching in the Start menu.
Then on the left side of the screen, click Device security.
Go to Core insulation and click on Wire insulation details hyperlink
This will redirect you to the Kernel Isolation screen where you can enable or disable the switch for Firmware protection.
You may see a UAC prompt, click Yes or enter your administrator credentials if you have configured them.
Finally restart your computer.

When your computer starts the backup, firmware protection will be enabled. If you see Firmware protection The switch is inactive, you may need to ask your IT administrator to either give you the ability to modify the registry or enable the setting on their end.

2) Enable firmware protection in the registry editor

Before making any changes to the registry, we recommend that you do a backup your registries. To do this, click in the registry editor File > Export, go to a safe location and save the file. When finished, open Notebook, and paste the following lines of code.

To enable System Guard Secure Boot to protect the firmware

Windows Registry Editor Version 5.00

(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard)
"Enabled"=dword:00000001

To disable System Guard safe startup for firmware protection

Windows Registry Editor Version 5.0

(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard)
"Enabled"=dword:00000000

Be sure to create two separate files with different names, but save them with .reg expansion. To enable or disable it, right-click on the file and select OPEN. The script will run and make the necessary changes to your registry.

How to enable Secure Boot in system firmware?

Secure Boot is usually enabled by default, but if it’s not, you can enable it from BIOS. However, before that you should check whether your system has Secure Boot or not. To do this, open Windows security and click Device Security. If you see Secure download option is there, your system has this feature, you can enable it.

read: A Windows computer does not boot after enabling Secure Boot

How to enable firmware protection?

You can enable built-in software protection from Windows Security. Just open the app and go to Device Security > Kernel Isolation and then search for the software port. Finally, toggle the switch to enable firmware protection. We recommend following the steps mentioned earlier to enable firmware protection.