System Guard Secure Launch and SMM protection

Applies to:

  • Windows 11
  • Windows 10

This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM) protection to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.

How to enable System Guard Secure Launch

You can enable System Guard Secure Launch by using any of these options:

Mobile Device Management

System Guard Secure Launch can be configured for Mobile Device Management (MDM) by using DeviceGuard policies in the Policy CSP, DeviceGuard/ConfigureSystemGuardLaunch.

Group Policy

  1. Click Start > type and then click Edit group policy.

  2. Click Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security > Secure Launch Configuration.

    Secure Launch Configuration.

Windows Security app

Click Start > Settings > Update & Security > Windows Security > Open Windows Security > Device security > Core isolation > Firmware protection.

Windows Security app.

Registry

  1. Open Registry editor.

  2. Click HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > DeviceGuard > Scenarios.

  3. Right-click Scenarios > New > Key and name the new key SystemGuard.

  4. Right-click SystemGuard > New > DWORD (32-bit) Value and name the new DWORD Enabled.

  5. Double-click Enabled, change the value to 1, and click OK.

    Secure Launch Registry.

How to verify System Guard Secure Launch is configured and running

To verify that Secure Launch is running, use System Information (MSInfo32). Click Start, search for System Information, and look under Virtualization-based Security Services Running and Virtualization-based Security Services Configured.

Verifying Secure Launch is running in the Windows Security app.

Note

To enable System Guard Secure launch, the platform must meet all the baseline requirements for System Guard, Device Guard, Credential Guard, and Virtualization Based Security.