cannot turn on Kernel-Mode Hardware-enforced Stack Protection

Anonymous
2024-04-29T18:10:02+00:00

I noticed that my W11 Pro system in the Windows Security / Core Isolation settings has "Kernel-Mode Hardware-enforced Stack Protection" disabled and grayed out, and above that it says that "This setting is managed by your administrator." I manage my computer as the only user (and thus have admin authority) and didn't directly do anything to turn that setting off or make it unchangeable. My system has at least an 11th generation Intel processor and I am using virtualization. Memory integrity is on and editable. Everything I've described in this post was true when I was using 22H2 (build 22621.3155) and is still true now that I am on 23H2 (build 22631.3447).

Does your computer have "Kernel-Mode Hardware-enforced Stack Protection" disabled and grayed out with the verbiage about it being managed by the administrator? I'm wondering if:

  • Windows no longer supports "Kernel-Mode Hardware-enforced Stack Protection" (e.g., because it has been replaced by something else) but the setting is still visible,
  • if Windows automatically disabled the setting (e.g., because of an incompatible driver),
  • if an application or driver disabled the setting (e.g., during installation),
  • or...?

I don't think I made any group policy changes. In the registry for HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks, Enabled is set to 0 and WasEnabledBy is set to 0x00000004 (4). Why/how do you think that those two keys got set that way? What is the meaning of the various values for WasEnabledBy?

If I want to turn on this setting, what do you think I should do? For example, would it be safe to use RegEdit to set Enabled=1 and WasEnabledBy=2 for KernelShadowStacks, and would Windows then tell me about any problematic drivers that I could then update or delete, or is there a better approach? I don't want to break something, cause security issues or other problems, etc.

Thank you for your help!

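To find out where the greyed-out state comes from without changing anything, the following read-only PowerShell script (an added example, not part of the original thread or any Microsoft tooling) dumps the three places the question touches on: the KernelShadowStacks scenario key quoted above, the Device Guard Group Policy key that typically causes the "managed by your administrator" text, and what the hypervisor actually reports through the Win32_DeviceGuard WMI class. The policy value name `ConfigureKernelShadowStacksLaunch` is the one the Device Guard ADMX uses for this toggle as far as I know and should be confirmed against the local ADMX; the service codes 5 and 6 are the documented Win32_DeviceGuard codes for this feature and its audit mode. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread): read-only inspection of the
# Kernel-Mode Hardware-enforced Stack Protection state on Windows 11.
# Nothing here writes to the registry.

$scenarioKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

function Get-RegValueOrNull {
    # Returns the named value, or $null if the key or value does not exist.
    param([string]$Path, [string]$Name)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

# 1. The scenario key quoted in the question (Enabled / WasEnabledBy).
$enabled      = Get-RegValueOrNull $scenarioKey 'Enabled'
$wasEnabledBy = Get-RegValueOrNull $scenarioKey 'WasEnabledBy'
"KernelShadowStacks\Enabled      : $enabled"
"KernelShadowStacks\WasEnabledBy : $wasEnabledBy"

# 2. Group Policy / MDM key. When this key carries Device Guard settings, the
#    Windows Security app typically shows "This setting is managed by your
#    administrator" and greys the toggle out, even on a single-admin machine.
#    'ConfigureKernelShadowStacksLaunch' is assumed to be the ADMX value name
#    for this toggle; verify against your local ADMX if it is absent.
if (Test-Path $policyKey) {
    "Policy key present: $policyKey"
    Get-ItemProperty -Path $policyKey |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
    $policyValue = Get-RegValueOrNull $policyKey 'ConfigureKernelShadowStacksLaunch'
    "ConfigureKernelShadowStacksLaunch : $policyValue"
} else {
    "No Device Guard policy key at $policyKey (setting is not policy-managed)."
}

# 3. What VBS itself reports as configured and running.
#    Win32_DeviceGuard service codes: 5 = Kernel-mode Hardware-enforced Stack
#    Protection, 6 = the same feature in audit mode.
$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
                      -Namespace 'root\Microsoft\Windows\DeviceGuard'
"VBS status (0=off, 1=enabled, 2=running): $($dg.VirtualizationBasedSecurityStatus)"
"SecurityServicesConfigured : $($dg.SecurityServicesConfigured -join ',')"
"SecurityServicesRunning    : $($dg.SecurityServicesRunning -join ',')"
$kssRunning = ($dg.SecurityServicesRunning -contains 5) -or
              ($dg.SecurityServicesRunning -contains 6)
"Kernel shadow stacks running : $kssRunning"
```

Reading the output together is what answers the question's "why": if the policy key is present, the greyed-out toggle is a policy effect (from Group Policy, an MDM enrolment, or software that wrote to that key) rather than a driver incompatibility, and the fix belongs in policy rather than in a hand edit of the scenario key. If the policy key is absent but Enabled is 0, the scenario key alone is the source, and the WMI section shows whether the hypervisor has the feature configured regardless of what the UI displays.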

2 answers

  1. Anonymous
    2024-04-30T08:26:33+00:00

    Hello 2k1KellyB

    Welcome to Microsoft Community.

    Regarding your information, I assume that you cannot turn on Kernel-Mode Hardware-enforced Stack Protection.

    Based on the information you provided, it appears that your device supports the relevant functionality.

    This prompt is usually caused by a problem with Group Policy that prevents the feature from being enabled normally.

    If you are the only administrator account, this may be caused by changes made by third-party software (such as security software or optimization software).

    I wish I could handle your problem; however, issues on Group Policy are out of reach of the response support community.

    It is more suitable for publishing on Microsoft Learn. You can click on "Ask a question"; there are experts who can provide more professional solutions in that place. Here is a link to the forum where you can raise specific scenarios and share your idea to help solve the problem.

    Windows 11 - Microsoft Q&A

    Sincerely hope that your question will be dealt with appropriately after contacting the correct department. Thank you for your understanding!

    Best Regards,

    Tommy-MSFT | Microsoft Community Support Specialist

    2 people found this answer helpful.
  2. Anonymous
    2024-04-30T15:01:46+00:00

    Hi, Tommy. Thanks for the info. You're right - I can't turn on stack protection, and I want to do so (assuming it's supposed to be possible).

    Before I post to Microsoft Learn, I hope that someone can please clarify some of the "Kernel-Mode Hardware-enforced Stack Protection" functionality. For example, is it supposed to work in Windows 11 23H2, or has it been replaced? The reason I ask is that when I click the "Learn more" link under "Kernel-Mode Hardware-enforced Stack Protection" in Windows Security/Device Security/Core Isolation, it opens https://support.microsoft.com/en-us/windows/core-isolation-e30ed737-17d8-42f3-a2a9-87521df09b78, which references (among other things) "Memory access protection" (which it says is also known as "Kernel DMA protection"), but not anything about stack protection. Did memory access protection (aka kernel DMA protection) replace stack protection, or are those different sets of functionality?

    Thank you for your help!

    1 person found this answer helpful.