Enable System Guard secure launch for firmware protection
aecifo


Microsoft Secured-core PCs have deeply integrated hardware, firmware, and software to ensure strong device, identity, and data security. To begin, you must enable System Guard Secure Launch for firmware protection. In this article we will see how this is done.

System Guard Secure Launch for firmware protection

Microsoft has worked with OEM partners to create Secured-core PCs, a special category of devices with enhanced security measures at the firmware layer. These devices prevent malware attacks and minimize firmware vulnerabilities by booting into a clean, trusted state using a hardware-enforced root of trust. They also protect against physical and virtual threats, ensuring that all executables are signed by authorized authorities and preventing unauthorized access to critical code.

To enable firmware protection, you can follow either of these two methods.

  1. Enable Firmware Protection from Windows Security
  2. Enable Firmware Protection from Registry Editor

Let’s talk about it in detail.

1) Enable Firmware Protection from Windows Security


First, let’s use the Windows Security application to enable firmware protection. To do this, follow the steps mentioned below.

  1. Open the Windows Security application by searching for it in the Start menu.
  2. Then, from the left side of the screen, click Device security.
  3. Go to the Core isolation section and click the Core isolation details hyperlink.
  4. This will take you to the Core isolation screen, where you can enable or disable the toggle for Firmware protection.
  5. You may see a UAC prompt, click Yes, or enter administrator credentials if you have configured it.
  6. Finally, restart your computer.

Once your computer restarts, firmware protection will be enabled. If the Firmware protection toggle is grayed out, you may need to ask your IT administrator to give you control to edit the registry or enable the setting on their end.

2) Enable Firmware Protection from Registry Editor

Before making any changes to the registry, we recommend that you take a backup of your registry. To do this, in Registry Editor, click File > Export, navigate to a secure location, then save the file. When finished, open Notepad, and paste the following lines of code.

To enable System Guard Secure Launch for firmware protection

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard]
"Enabled"=dword:00000001

To disable System Guard Secure Launch for firmware protection

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard]
"Enabled"=dword:00000000

Make sure to create two separate files with different names, but save them with the .reg extension. To enable or disable it, right-click the file and select Open. The script will run and make the required changes to your registry.
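The registry value only records what was requested; after the restart it is worth confirming that Secure Launch is actually running. The following PowerShell check is an added example, not part of the original article. It assumes the Win32_DeviceGuard CIM class and its service ID 3 for System Guard Secure Launch as documented by Microsoft, and the function name Get-SecureLaunchState is a hypothetical name chosen here.

```powershell
# Added example: compare the configured Secure Launch state with what is running.
# Run in an elevated PowerShell session on the machine being checked.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'
$SecureLaunchId = 3   # ID Win32_DeviceGuard uses for System Guard Secure Launch (assumption from Microsoft docs)

function Get-SecureLaunchState {
    # Registry: the value the .reg files above set (absent key = never configured).
    $reg = Get-ItemProperty -Path $keyPath -Name Enabled -ErrorAction SilentlyContinue
    $regEnabled = if ($null -ne $reg) { [int]$reg.Enabled } else { $null }

    # Runtime: what virtualization-based security reports for the current boot.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    [pscustomobject]@{
        RegistryEnabled = $regEnabled
        Configured      = [bool]($dg -and $dg.SecurityServicesConfigured -contains $SecureLaunchId)
        Running         = [bool]($dg -and $dg.SecurityServicesRunning -contains $SecureLaunchId)
    }
}

$state = Get-SecureLaunchState
$state | Format-List

if ($state.RegistryEnabled -eq 1 -and -not $state.Running) {
    # Enabled on paper only: no reboot yet, or the platform lacks the required hardware support.
    Write-Warning 'Secure Launch is enabled in the registry but not running. Restart, or check hardware and firmware support.'
} elseif ($state.Running) {
    Write-Output 'System Guard Secure Launch is running for this boot.'
} else {
    Write-Output 'System Guard Secure Launch is not enabled.'
}
```

A device that reports RegistryEnabled = 1 but Running = False after a restart is the case to investigate, since the setting alone does not prove the protection is active.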

How to enable secure boot in system firmware?

Secure Boot is usually enabled by default, but if it isn’t, you can enable it from BIOS. However, before that, you need to check whether your system has Secure Boot or not. To do this, open Windows Security and click Device Security. If you see the Secure Boot option there, your system has the feature and you can enable it.


How to enable firmware protection?

You can enable firmware protection from Windows Security. Just open the app and go to Device Security > Core Isolation, then look for Firmware protection. Finally, turn on the toggle to enable firmware protection. We recommend following the previously mentioned steps to enable firmware protection.
