System Guard Secure Launch and SMM protection
This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM) protection to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
The System Guard Secure Launch feature requires a supported processor. For more information, see System requirements for System Guard.
How to enable System Guard Secure Launch
You can enable System Guard Secure Launch by using any of these options:
Mobile Device Management
System Guard Secure Launch can be configured for Mobile Device Management (MDM) by using the DeviceGuard policies in the Policy CSP, specifically DeviceGuard/ConfigureSystemGuardLaunch.
Group Policy
Click Start, then search for and click Edit group policy.
Click Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security > Secure Launch Configuration.
Windows Security
Click Start > Settings > Update & Security > Windows Security > Open Windows Security > Device security > Core isolation > Firmware protection.
Registry
Open Registry Editor.
Click HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > DeviceGuard > Scenarios.
Right-click Scenarios > New > Key and name the new key SystemGuard.
Right-click SystemGuard > New > DWORD (32-bit) Value and name the new DWORD Enabled.
Double-click Enabled, change the value to 1, and click OK.
How to verify System Guard Secure Launch is configured and running
To verify that Secure Launch is running, use System Information (MSInfo32). Click Start, search for System Information, and look under Virtualization-based Security Services Running and Virtualization-based Security Services Configured.
For more information about AMD processors, see Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10.
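The registry steps and the verification step above can be scripted for fleet checks. This is an added example, not code from the original page: the function names are hypothetical, and it reads the Win32_DeviceGuard CIM class (not mentioned on this page), which exposes the same "Services Configured" and "Services Running" values that MSInfo32 displays, where 3 means Secure Launch and 4 means SMM Firmware Measurement.

```powershell
#Requires -RunAsAdministrator
# Added example: function names are hypothetical, not part of Windows.
# Registry path and value name come from the registry steps on this page.
$scenarioKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'

function Enable-SecureLaunchRegistry {
    # Create Scenarios\SystemGuard if missing, then set Enabled (DWORD) to 1.
    if (-not (Test-Path -Path $scenarioKey)) {
        New-Item -Path $scenarioKey -Force | Out-Null
    }
    New-ItemProperty -Path $scenarioKey -Name 'Enabled' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

function Get-SecureLaunchState {
    # Numeric service codes reported by Win32_DeviceGuard.
    $names = @{
        1 = 'Credential Guard'
        2 = 'Hypervisor enforced Code Integrity'
        3 = 'Secure Launch'
        4 = 'SMM Firmware Measurement'
    }
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
        -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    $reg = Get-ItemProperty -Path $scenarioKey -Name 'Enabled' -ErrorAction SilentlyContinue

    # Translate codes to names; unknown codes are kept as numbers.
    $toNames = {
        param($codes)
        @($codes | ForEach-Object {
            if ($names.ContainsKey([int]$_)) { $names[[int]$_] } else { "$_" }
        })
    }

    [pscustomobject]@{
        RegistryEnabled        = if ($reg) { $reg.Enabled } else { $null }
        ServicesConfigured     = & $toNames $dg.SecurityServicesConfigured
        ServicesRunning        = & $toNames $dg.SecurityServicesRunning
        SecureLaunchConfigured = @($dg.SecurityServicesConfigured) -contains 3
        SecureLaunchRunning    = @($dg.SecurityServicesRunning) -contains 3
        SmmProtectionRunning   = @($dg.SecurityServicesRunning) -contains 4
    }
}

Enable-SecureLaunchRegistry
Get-SecureLaunchState | Format-List
```

Secure Launch is established during startup, so SecureLaunchRunning reflects the new setting only after a restart on a supported processor; a device that shows SecureLaunchConfigured as True but SecureLaunchRunning as False after rebooting should be checked against the System Guard system requirements.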