I also can't enable firmware protection, and can't find a solution.
Core isolation firmware protection
I have Windows 10 Pro, version 21H1 build 19043.1052. I have AMD-V enabled in BIOS, Secure Boot and TPM 2.0.
I am the only user of the computer, and in the security part, device security, core isolation, there are two settings that I cannot edit: Integrity of memory and firmware protection. In both of them I get a message in red that says "This configuration is managed by the administrator". However, as I said previously, I am the only user and administrator of the PC. Memory integrity appears enabled but grayed out, and firmware protection appears disabled.
I have managed to touch the "memory integrity" setting by changing Enabled from a 1 to a 0 within HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\HypervisorEnforcedCodeIntegrity in the registry. However, that change is undone every time I reboot the system. In group policies, gpedit.msc, under System - Device Guard - Virtualization-based security, I have set to Enabled, Security Level set to Secure Boot and DMA protection, Virtualization based protection for code integrity enabled with UEFI lock, Credential Guard enabled with UEFI lock, and secure boot enabled.
I have not found where to enable firmware protection and it does not show me the message "This configuration is managed by the administrator".
How can I prevent the "This setting is managed by the administrator" message from being displayed on every reboot for Memory Integrity, and how can I enable firmware protection?
Percival Yang 731 Reputation points
2021-06-28T06:51:43.817+00:00

Hi @Goncatin
From my own experience, I take it that you have enabled AMD-V, Secure Boot and TPM/PTT in the BIOS setting/secure (this may vary with different AIC/OEM); if not, open them manually. And I suggest you check the BIOS to see whether there are other settings that raise this issue. Try disabling one at a time to test.
The BIOS can be reset with the CMOS button on the motherboard or by unplugging the button battery.
Some options are disabled in the BIOS by default. And some variables may be incompatible with HVCI, as in the link below, which has something similar to what you have written.
https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity
To help you better, you should contact your PC/motherboard provider and do a simple consultation for confirmation, advice and BIOS usage. For instance, ask if it is a common phenomenon and has a solution.
Hope this can help you
If you need further help, feel free to reply to me at your convenience.
==============================================================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
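
A read-only way to compare the settings described in the question, added here as an example and not part of either post: it lists the Device Guard values written by Group Policy next to the local Scenarios values, then shows what Windows reports as configured and running. The policy key path, its value names and the SystemGuard scenario key do not appear in the thread; they are assumptions taken from Microsoft's Device Guard documentation.

```powershell
# Read-only diagnostic; run from an elevated PowerShell prompt.
# Key paths and value names below are assumptions, not taken from the thread.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns '(not set)' when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { '(not set)' }
}

# Values behind gpedit.msc > System > Device Guard. Any value present here
# means the setting is policy-managed rather than user-controlled.
# HypervisorEnforcedCodeIntegrity: 1 = enabled with UEFI lock, 2 = without lock.
# LsaCfgFlags is Credential Guard; ConfigureSystemGuardLaunch is Secure Launch.
$policyNames = @('EnableVirtualizationBasedSecurity', 'RequirePlatformSecurityFeatures',
                 'HypervisorEnforcedCodeIntegrity', 'LsaCfgFlags',
                 'ConfigureSystemGuardLaunch')

$report = @(foreach ($n in $policyNames) {
    [pscustomobject]@{ Source = 'Policy'; Name = $n; Value = Get-RegValue $policyKey $n }
})
# Local (non-policy) scenario values, including the one edited in the question.
$hvciKey = "$localKey\HypervisorEnforcedCodeIntegrity"
$report += [pscustomobject]@{ Source = 'Local'; Name = 'HVCI Enabled'
                              Value = Get-RegValue $hvciKey 'Enabled' }
$report += [pscustomobject]@{ Source = 'Local'; Name = 'HVCI Locked'
                              Value = Get-RegValue $hvciKey 'Locked' }
$report += [pscustomobject]@{ Source = 'Local'; Name = 'SystemGuard Enabled'
                              Value = Get-RegValue "$localKey\SystemGuard" 'Enabled' }

# Runtime state as reported by the Win32_DeviceGuard CIM class.
$services = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)'
               3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$vbsState = @{ 0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'enabled and running' }
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# The CIM properties are UInt32, so cast before using them as hashtable keys.
$toNames = { param($ids) ($ids | ForEach-Object { $services[[int]$_] }) -join ', ' }

$report | Format-Table -AutoSize | Out-String
"VBS status : " + $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
"Configured : " + (& $toNames $dg.SecurityServicesConfigured)
"Running    : " + (& $toNames $dg.SecurityServicesRunning)
```

A service that shows under Configured but not under Running is one Windows was asked to start and could not, which is the case where the BIOS and hardware checks suggested in the answer apply.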