This post will show you what you can do if System Guard is enabled but not running in your Windows Server system. You may have enabled System Guard Secure Launch for Firmware Protection, but find that it is not working. If so, read on to see how to troubleshoot the issue.

Windows Defender System Guard is like a security guard for your computer. It makes sure that your system stays safe from the moment you turn it on until you shut it down. It ensures that only authorized firmware, drivers, and third-party applications can run during the boot process, preventing boot-level malware like bootkits and rootkits.
System Guard Enabled but not running on Windows Server
If System Guard is enabled but not running in Windows Server, the following checklist will help you address the issue:
- Check Hardware Requirements and Configuration
- Check Virtualization-Based Security
- Check Registry setting
- Check Group Policy setting
- Enable Hypervisor.
Before you begin, ensure that you have enabled Secure Launch or Kernel DMA Protection in the firmware. On Dell systems, it appears under BIOS Processor settings, whereas on HP systems, it may appear under Security > Advanced.
1] Check Hardware Requirements and Configuration
For System Guard to run, your computer must support CPU virtualization (Intel VT-x/AMD-V), IOMMU, TPM 2.0 and Secure Boot.
In a nutshell:
| Requirement | Where to Enable | Notes |
|---|---|---|
| Secure Boot | BIOS/UEFI | Must be ON |
| TPM 2.0 | BIOS/UEFI | Required for VBS |
| Virtualization (VT-x/AMD-V) | BIOS/UEFI | Enable CPU virtualization |
| IOMMU | BIOS/UEFI | Needed for DMA protection |
| Kernel DMA Protection | BIOS/UEFI | May be under “Processor Security” |
| VBS Policy | Group Policy | Enable with UEFI lock |
| Hypervisor | Command Prompt | bcdedit /set hypervisorlaunchtype auto |
2] Check Virtualization-based Security
To check if Virtualization-based Security (VBS) is enabled and running on your Windows system, the quickest way is to open System Information (msinfo32) and look under the “Virtualization-based security” field. If it says “Running,” VBS is active; if it says “Not enabled,” you’ll need to configure BIOS and Group Policy settings.
3] Check Registry setting
Open regedit and navigate to the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios
Here, ensure that SystemGuard is enabled by setting its value to 1.
4] Check Group Policy setting
There could be a Group Policy misconfiguration. Check if VBS or Credential Guard is set correctly.
Run gpedit.msc and navigate to the following setting:
Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security.
Set this to Enabled with the following parameters:
- Platform Security Level = Secure Boot
- Credential Guard Configuration = Enabled with UEFI lock.
Click Apply, restart your computer, and check whether System Guard is now running.
5] Enable Hypervisor
Execute the following command in Command Prompt (admin):
bcdedit /set hypervisorlaunchtype auto
See if this helps.
Run this command to check the status of System Guard
Once done, check if System Guard Secure Launch and SMM protection are running by executing the following command in PowerShell (admin):
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard
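The command above returns numeric codes rather than names. The following PowerShell helper is an added example, not part of the original post; it decodes those codes using the value meanings in Microsoft's documentation of the Win32_DeviceGuard class and lists what is configured but not running. The function names and the sample object are constructed for illustration.

```powershell
# Added example: decode Win32_DeviceGuard codes (meanings per Microsoft's class documentation).
$ServiceNames  = @{ 1 = 'Credential Guard'; 2 = 'Memory integrity (HVCI)'
                    3 = 'System Guard Secure Launch'; 4 = 'SMM Firmware Measurement' }
$PropertyNames = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection'
                    4 = 'Secure Memory Overwrite'; 5 = 'NX protections'; 6 = 'SMM mitigations'
                    7 = 'MBEC/GMET'; 8 = 'APIC virtualization' }
$VbsStates     = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

# Hypothetical helper: map codes to names and keep unknown codes visible.
function Resolve-Code($Map, $Codes) {
    foreach ($c in $Codes) {
        if ($Map.ContainsKey([int]$c)) { $Map[[int]$c] } else { "Unknown ($c)" }
    }
}

# Hypothetical helper: compare configured vs. running services and required vs. available properties.
function Get-SystemGuardDiagnosis {
    param([Parameter(Mandatory)] $DeviceGuard)

    $configured = @($DeviceGuard.SecurityServicesConfigured)
    $running    = @($DeviceGuard.SecurityServicesRunning)
    $available  = @($DeviceGuard.AvailableSecurityProperties)
    $required   = @($DeviceGuard.RequiredSecurityProperties)

    [pscustomobject]@{
        VbsStatus                 = $VbsStates[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        SecureLaunchRunning       = 3 -in $running
        SmmProtectionRunning      = 4 -in $running
        ConfiguredNotRunning      = @(Resolve-Code $ServiceNames (
            $configured | Where-Object { $_ -ne 0 -and $_ -notin $running }))
        MissingRequiredProperties = @(Resolve-Code $PropertyNames (
            $required | Where-Object { $_ -ne 0 -and $_ -notin $available }))
    }
}

# Constructed sample: services are configured, but VBS cannot start because
# DMA protection (IOMMU) is required by policy and not reported as available.
$sample = [pscustomobject]@{
    VirtualizationBasedSecurityStatus = 1
    SecurityServicesConfigured        = 1, 3
    SecurityServicesRunning           = 0
    AvailableSecurityProperties       = 1, 2, 5
    RequiredSecurityProperties        = 1, 2, 3
}
Get-SystemGuardDiagnosis -DeviceGuard $sample

# On a live server (elevated PowerShell), pass the real instance instead:
# Get-SystemGuardDiagnosis (Get-CimInstance -ClassName Win32_DeviceGuard -Namespace root\Microsoft\Windows\DeviceGuard)
```

For the constructed sample, ConfiguredNotRunning lists Credential Guard and System Guard Secure Launch, and MissingRequiredProperties lists DMA protection, which points back to the IOMMU setting in the firmware.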
All the best.