System Guard Secure Launch and SMM protection
This article explains how to configure System Guard Secure Launch and System Management Mode (SMM) protection to improve the startup security of Windows 10 and Windows 11 devices. The information below is presented from a client perspective.
Note
The System Guard Secure Launch feature requires a supported processor. For more information, see System requirements for System Guard.
How to enable System Guard Secure Launch
You can enable System Guard Secure Launch by using any of these options:
Mobile Device Management
System Guard Secure Launch can be configured for Mobile Device Management (MDM) by using DeviceGuard policies in the Policy CSP, specifically DeviceGuard/ConfigureSystemGuardLaunch.
Group Policy
Select Start, search for and then select Edit group policy.
Select Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security > Secure Launch Configuration.
Windows Security
Select Start > Settings > Update & Security > Windows Security > Open Windows Security > Device security > Core isolation > Firmware protection.
Registry
Open Registry Editor.
Select HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > DeviceGuard > Scenarios.
Right-click Scenarios > New > Key and name the new key SystemGuard.
Right-click SystemGuard > New > DWORD (32-bit) Value and name the new DWORD Enabled.
Double-click Enabled, change the value to 1, and click OK.
How to verify System Guard Secure Launch is configured and running
To verify that Secure Launch is running, use System Information (MSInfo32). Select Start, search for System Information, and look under Virtualization-based Security Services Running and Virtualization-based Security Services Configured.
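The registry steps and the verification above can also be scripted. The following PowerShell is an added example, not part of the original article: it creates the SystemGuard key and Enabled value described under Registry, then reads the configured and running services from the Win32_DeviceGuard CIM class, which reports the same lists that MSInfo32 displays. The function names are hypothetical, and the use of service ID 3 for System Guard Secure Launch comes from Microsoft's Win32_DeviceGuard documentation rather than from this page.

```powershell
#Requires -RunAsAdministrator
# Added example: scripts the Registry steps above and reads back the result.

$scenarios = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios'
$key       = Join-Path $scenarios 'SystemGuard'

function Enable-SecureLaunchRegistry {
    # Create the SystemGuard key if it is absent, then set Enabled (DWORD) to 1.
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 1 -Force |
        Out-Null
}

function Get-SecureLaunchState {
    # Configured registry value; $null when the key or value does not exist.
    $enabled = (Get-ItemProperty -Path $key -Name 'Enabled' `
                    -ErrorAction SilentlyContinue).Enabled

    # Win32_DeviceGuard lists VBS services by numeric ID.
    # Assumption from Microsoft's class documentation: 3 = System Guard Secure Launch.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard'

    [pscustomobject]@{
        RegistryEnabled = $enabled
        Configured      = $dg.SecurityServicesConfigured -contains 3
        Running         = $dg.SecurityServicesRunning -contains 3
    }
}

Enable-SecureLaunchRegistry
$state = Get-SecureLaunchState
$state | Format-List

# Secure Launch takes effect at boot, so Running stays False until a restart.
if ($state.RegistryEnabled -eq 1 -and -not $state.Running) {
    Write-Warning ('Secure Launch is enabled in the registry but not running. ' +
                   'Restart the device; if it is still not running, check the ' +
                   'platform requirements.')
}
```

For fleet auditing, call only Get-SecureLaunchState so the check does not modify the device.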
Note
To enable System Guard Secure Launch, the platform must meet all the baseline requirements for System Guard, Device Guard, Credential Guard, and Virtualization Based Security.
Note
For more information about AMD processors, see Microsoft Security Blog: Force firmware code to be measured and attested by Secure Launch on Windows 10.