This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(227.2, 31%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3E20%3C/text%3E%3C/svg%3E)
I noticed that my Windows 11 Professional system in the Windows Security / Device Security / Core Isolation settings has "Kernel-Mode Hardware-enforced Stack Protection" disabled and grayed out, and above that it says that "This setting is managed by your administrator." I manage my computer as the only user (and thus have admin authority) and didn't directly do anything to turn that setting off or make it unchangeable. My system has at least an 11th generation Intel processor and I am using virtualization. Memory integrity is on and editable. Everything I've described in this post was true when I was using W11 Pro 22H2 (build 22621.3155) and is still true now that I am on W11 Pro 23H2 (build 22631.3447).
Does your computer "Kernel-Mode Hardware-enforced Stack Protection" have disabled and grayed out with the verbiage about it being managed by the administrator? I'm wondering if:
I don't think I made any group policy changes. In the registry for HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks, Enabled is set to 0 and WasEnabledBy is set to 0x00000004 (4). Why/how do you think that those two keys got set that way?
If I want to turn on this stack protection, what do you think I should do? For example, would it be safe to use RegEdit to set Enabled=1 and WasEnabledBy=2 for KernelShadowStacks, and would Windows then tell me about any problematic drivers that I could then update or delete, or is there a better approach? I don't want to break something, cause security issues or other problems, etc.
Thank you for your help!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(35.2, 9%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EWL%3C/text%3E%3C/svg%3E)
Hello
It seems there are some prerequirements for this feature.
Hi, Wesley. Thank you for your reply. I meet those prereqs (e.g., those settings are turned on, and the bottom of the device security page says, "Your device meets the requirements for enhanced hardware security."), so I am not sure why I can't enable the stack protection control to turn it on.
Thanks to you and anyone else for any other ideas.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 98%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPA%3C/text%3E%3C/svg%3E)
Hello Wesley Li, please don't play the wise guy with the wrong arguments. I have a 13th-gen Intel CPU i7-13700k on an Asus TUF GAMING motherboard B660M-E D4 so you can bet your ass that it has TPM 2.0, DEP, and UEFI MAT and Secure Boot is enabled, but still Kernel-mode Hardware-enforced Stack Protection is off and cannot be turned off because it's greyed out. And I'm the administrator, I build my PC, and I'm the only user!