System Guard Secure Launch and SMM protection

This article explains how to configure System Guard Secure Launch and System Management Mode (SMM) protection to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.

Note

The System Guard Secure Launch feature requires a supported processor. For more information, see System requirements for System Guard.

How to enable System Guard Secure Launch

You can enable System Guard Secure Launch by using any of these options:

Mobile Device Management

System Guard Secure Launch can be configured through Mobile Device Management (MDM) by using the DeviceGuard policies in the Policy CSP, specifically DeviceGuard/ConfigureSystemGuardLaunch.

Group Policy

  1. Select Start, type Edit group policy, and then select it.

  2. Select Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security > Secure Launch Configuration.


Windows Security

Select Start > Settings > Update & Security > Windows Security > Open Windows Security > Device security > Core isolation > Firmware protection.


Registry

  1. Open Registry Editor.

  2. Select HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > DeviceGuard > Scenarios.

  3. Right-click Scenarios > New > Key and name the new key SystemGuard.

  4. Right-click SystemGuard > New > DWORD (32-bit) Value and name the new DWORD Enabled.

  5. Double-click Enabled, change the value to 1, and click OK.


How to verify System Guard Secure Launch is configured and running

To verify that Secure Launch is running, use System Information (MSInfo32). Select Start, search for System Information, and look under Virtualization-based Security Services Running and Virtualization-based Security Services Configured.
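The Registry steps and the verification described above can also be scripted. The following PowerShell is an added example, not part of the original article. It assumes an elevated session; the Win32_DeviceGuard CIM class and its service ID 3 for System Guard Secure Launch are not mentioned on this page, and the function names are illustrative.

```powershell
#Requires -RunAsAdministrator
# Added example: the key path and the Enabled value come from the Registry steps above.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'

function Set-SecureLaunchEnabled {
    # Steps 3-5: create the SystemGuard key if it is missing, then set the
    # DWORD (32-bit) value Enabled to 1. -Force makes the call idempotent.
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Get-SecureLaunchState {
    # Registry intent: is Enabled present and set to 1?
    $enabled = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled

    # Win32_DeviceGuard reports configured and running virtualization-based
    # security services as numeric IDs; 3 is System Guard Secure Launch.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'

    [pscustomobject]@{
        RegistryEnabled = ($enabled -eq 1)
        Configured      = ($dg.SecurityServicesConfigured -contains 3)
        Running         = ($dg.SecurityServicesRunning -contains 3)
    }
}

Set-SecureLaunchEnabled
$state = Get-SecureLaunchState
$state | Format-List

# Secure Launch is applied at boot, so a freshly written registry value does
# not change the running state of the current session.
if (-not $state.Running) {
    Write-Warning ('Secure Launch is not running. Restart the device; if it is ' +
                   'still not running, check the platform against the System Guard requirements.')
}
```

A device that shows RegistryEnabled as True but Running as False after a restart is the case to investigate against the baseline requirements listed in the note below.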


Note

To enable System Guard Secure Launch, the platform must meet all the baseline requirements for System Guard, Device Guard, Credential Guard, and Virtualization Based Security.