cannot turn on Kernel-Mode Hardware-enforced Stack Protection

2k1KellyB-0731 0 Reputation points
2024-05-03T14:01:25.2466667+00:00

I noticed that my Windows 11 Professional system in the Windows Security / Device Security / Core Isolation settings has "Kernel-Mode Hardware-enforced Stack Protection" disabled and grayed out, and above that it says that "This setting is managed by your administrator." I manage my computer as the only user (and thus have admin authority) and didn't directly do anything to turn that setting off or make it unchangeable. My system has at least an 11th generation Intel processor and I am using virtualization. Memory integrity is on and editable. Everything I've described in this post was true when I was using W11 Pro 22H2 (build 22621.3155) and is still true now that I am on W11 Pro 23H2 (build 22631.3447).

Does your computer have "Kernel-Mode Hardware-enforced Stack Protection" disabled and grayed out with the verbiage about it being managed by the administrator? I'm wondering if:

  • Windows no longer supports "Kernel-Mode Hardware-enforced Stack Protection" (e.g., because it has been replaced by something else) but the setting is still visible, or
  • Windows automatically disabled the setting (e.g., because of an incompatible driver), or
  • an application or driver disabled the setting (e.g., during installation), or
  • something else likely happened.

I don't think I made any group policy changes. In the registry for HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks, Enabled is set to 0 and WasEnabledBy is set to 0x00000004 (4). Why/how do you think that those two keys got set that way?

If I want to turn on this stack protection, what do you think I should do? For example, would it be safe to use RegEdit to set Enabled=1 and WasEnabledBy=2 for KernelShadowStacks, and would Windows then tell me about any problematic drivers that I could then update or delete, or is there a better approach? I don't want to break something, cause security issues or other problems, etc.

Thank you for your help!


1 answer

  1. Wesley Li 5,325 Reputation points
    2024-05-08T13:15:33.1+00:00

    Hello

    It seems there are some prerequisites for this feature.

    • TPM 2.0 (also referred to as your security processor)
    • Secure boot enabled
    • DEP
    • UEFI MAT

    Device protection in Windows Security - Microsoft Support
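As an added, read-only example (not part of the question or the answer above), the following PowerShell script gathers in one place the information both posts are discussing: the two registry values quoted in the question (`Enabled` and `WasEnabledBy` under the `KernelShadowStacks` scenario key), whether a Group Policy or MDM setting is present under the DeviceGuard policy key (which would explain the "managed by your administrator" text), what the `Win32_DeviceGuard` WMI class reports as actually running, and the prerequisites listed in the answer (TPM 2.0, Secure Boot, DEP). It changes nothing on the system. The service codes 5 and 6 in the comments follow Microsoft's documented meaning for `SecurityServicesRunning`; UEFI MAT is not exposed as a single WMI flag, so it is left to msinfo32.

```powershell
# Read-only inventory of the Kernel-mode Hardware-enforced Stack Protection state.
# Added example, not from the original post; makes no changes. Run from an elevated prompt.

$scenarioKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\KernelShadowStacks'
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'

function Get-RegistryValues {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path
    # Drop the PS* metadata properties that Get-ItemProperty adds to the object
    $item.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Value = $_.Value } }
}

Write-Host "== KernelShadowStacks scenario key (the values quoted in the question) =="
$scenario = Get-RegistryValues $scenarioKey
if ($null -eq $scenario) { Write-Host "  key not present" }
else { $scenario | Format-Table -AutoSize | Out-String | Write-Host }

Write-Host "== DeviceGuard policy key (written by Group Policy / MDM) =="
$policy = Get-RegistryValues $policyKey
if ($null -eq $policy) { Write-Host "  no policy key: VBS settings are not being pushed by GPO/MDM here" }
else { $policy | Format-Table -AutoSize | Out-String | Write-Host }

Write-Host "== Win32_DeviceGuard: VBS services configured vs. actually running =="
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
# Documented codes: 2 = HVCI (memory integrity), 5 = kernel-mode hardware-enforced
# stack protection, 6 = the same feature running in audit mode.
Write-Host ("  SecurityServicesConfigured : {0}" -f ($dg.SecurityServicesConfigured -join ', '))
Write-Host ("  SecurityServicesRunning    : {0}" -f ($dg.SecurityServicesRunning -join ', '))
Write-Host ("  Shadow stacks running      : {0}" -f ($dg.SecurityServicesRunning -contains 5))

Write-Host "== Prerequisites listed in the answer =="
# TPM: SpecVersion starts with "2.0" on a TPM 2.0 device
$tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if ($tpm) { Write-Host ("  TPM present, spec version  : {0}" -f $tpm.SpecVersion) }
else      { Write-Host "  TPM: not found" }
# Secure Boot: Confirm-SecureBootUEFI throws on legacy-BIOS systems
try   { Write-Host ("  Secure Boot enabled        : {0}" -f (Confirm-SecureBootUEFI)) }
catch { Write-Host "  Secure Boot: not a UEFI boot, or the query failed" }
# DEP support policy: 0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn, 3 = OptOut
$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host ("  DEP available / policy     : {0} / {1}" -f $os.DataExecutionPrevention_Available, $os.DataExecutionPrevention_SupportPolicy)
# UEFI MAT has no single WMI flag; msinfo32's "Virtualization-based security" lines list it
Write-Host "  UEFI MAT: see msinfo32 -> Virtualization-based security Available Security Properties"
```

Reading the output: if the policy key holds values, the setting is being controlled centrally and the grayed-out toggle is expected; if it is empty and `SecurityServicesRunning` lacks 5, the scenario key's `Enabled=0` alone explains the disabled state, and the prerequisite lines show which of the answer's requirements the machine meets before anything is changed.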