Firmware Protection grayed out and off

leli eee 0 Reputation points
2024-11-15T20:07:46.0066667+00:00

Hello,

I enabled VBS in Group Policy. In the registry, System Guard says it's on (Enabled value set to 1), but in Msinfo32 I don't see Secure Launch as configured, and in Defender it says it's off and managed by an administrator.

What can I do to enable secure launch?

Windows 10 Security
Windows 11

1 answer

  1. Hania Lian 17,786 Reputation points Microsoft Vendor
    2024-11-20T08:34:06.1133333+00:00

    Hello,

    Here are some steps you may take to troubleshoot:

    1. Ensure that your CPU supports hardware virtualization (Intel VT-x/AMD-V) and that it is enabled in the BIOS/UEFI settings.

    Check that your computer has a TPM (Trusted Platform Module) version 2.0 and that it is enabled in BIOS/UEFI, as VBS relies on TPM.

    Your system firmware must support UEFI and Secure Boot; make sure Secure Boot is enabled.

    2. Open the Group Policy Editor (gpedit.msc) and navigate to:

    Computer Configuration -> Administrative Templates -> System -> Device Guard -> Turn On Virtualization Based Security

    Ensure the settings are not conflicting, and that you’ve selected the appropriate options for Platform Security Level, Virtualization Based Protection of Code Integrity, and Credential Guard Configuration.

    3. Update Windows, the chipset, and the BIOS/UEFI firmware from the manufacturer’s website to the latest versions that support these security features.

    4. Recheck the registry settings:

    Open regedit and navigate to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceGuard and also HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.

    Verify that the settings related to VBS are correctly configured as per Microsoft’s documentation.

    5. Open PowerShell as an administrator and run the following command to check the status of Device Guard, including VBS:

    Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

    Best Regards,

    Hania Lian

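The following is an added example, not part of the answer above and not Microsoft's own code: it expands the step 5 query by decoding the numeric codes that Win32_DeviceGuard returns and comparing them with the System Guard registry flag the question mentions, so a mismatch between "configured" and "running" is visible in one place. Assumptions: the code meanings and the `Scenarios\SystemGuard` subkey are taken from Microsoft's documentation rather than from this thread, `ConvertTo-Names` is a hypothetical helper name, and the script is run in an elevated PowerShell session.

```powershell
# Added example: decode Win32_DeviceGuard and compare it with the registry flag.
# Code meanings follow Microsoft's Win32_DeviceGuard documentation.
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'Memory integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
$propertyNames = @{
    1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'; 5 = 'NX protections'
    6 = 'SMM mitigations'; 7 = 'MBEC/GMET'; 8 = 'APIC virtualization'
}
$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }

# Hypothetical helper: map numeric codes to names, keeping unknown codes visible.
function ConvertTo-Names($codes, $map) {
    $names = foreach ($c in $codes) {
        if ([int]$c -eq 0) { continue }   # 0 means "none"
        if ($map.ContainsKey([int]$c)) { $map[[int]$c] } else { "Code $c" }
    }
    if ($names) { $names -join ', ' } else { 'None' }
}

$dg = Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard

# Assumed location of the System Guard flag (per Microsoft documentation).
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'
$regEnabled = (Get-ItemProperty -Path $key -Name Enabled -ErrorAction SilentlyContinue).Enabled
$launchRunning = $dg.SecurityServicesRunning -contains 3

[pscustomobject]@{
    VbsStatus              = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    AvailableProperties    = ConvertTo-Names $dg.AvailableSecurityProperties $propertyNames
    RequiredProperties     = ConvertTo-Names $dg.RequiredSecurityProperties $propertyNames
    ServicesConfigured     = ConvertTo-Names $dg.SecurityServicesConfigured $serviceNames
    ServicesRunning        = ConvertTo-Names $dg.SecurityServicesRunning $serviceNames
    RegistryEnabled        = $regEnabled
    SecureLaunchConfigured = $dg.SecurityServicesConfigured -contains 3
    SecureLaunchRunning    = $launchRunning
} | Format-List

# The situation described in the question: flag set, service not reported as running.
if ($regEnabled -eq 1 -and -not $launchRunning) {
    Write-Warning 'Enabled=1 in the registry, but Secure Launch is not reported as running. Compare AvailableProperties with the prerequisites in step 1.'
}
```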
