Firmware Protection Windows 1809 - How to turn it on?

V

Vasudev

Level 33
Verified
Nov 8, 2014
2,250
overdivine said:
I have installed windows 1809 update and i have a setting under core isolation that i can't seem to find how to turn it on nor I can find any information about it.
Google wasn't my friend for this one so if anyone can help much appreciated.
View attachment 199228
Click to expand...
I think its a Pro only feature that uses TPM 2 and above to protect BIOS along w/ Boot guard technology. So overall its the end of user adjustable BIOS.
shmu26 said:
I have 1809 pro with updates, and I don't see that option at all. I have only Memory integrity, and that's it.
Maybe it is hardware-dependent.
Click to expand...
Yeah it is. Need hardware support like TPM2 and above. Even Fingerprint or Touch Id will serve as a measure.
 
  • Like
Reactions: DeepWeb, oldschool, upnorth and 3 others
F

ForgottenSeer 69673

I have not updated my VM OS to 1809 yet. My core isolation only shows a memory protection slider as of now. I will update it later and see what shows then.
 
  • Like
Reactions: Vasudev and oldschool
overdivine

overdivine

Level 2
Thread author
Verified
Aug 21, 2013
90
Hardware: Virtualization extensions - Intel VT-x, AMD-V is needed for device guard
hyper-v hypervisor must be installed. i can't run for exampla android emulator software that require hyper-v under device guard
i don't know if you can turn on device guard under vm
 
  • Like
Reactions: Sunshine-boy and oldschool
F

ForgottenSeer 69673

overdivine said:
Hardware: Virtualization extensions - Intel VT-x, AMD-V is needed for device guard
hyper-v hypervisor must be installed. i can't run for exampla android emulator software that require hyper-v under device guard
i don't know if you can turn on device guard under vm
Click to expand...
Not sure if this is true but I was reading that if you use Hypervisor (ESXi) 6.5, you can run device guard in a VM but I don't think you can run hyper V and a VM at same time without Hypervisor (ESXi) 6.5
https://my.vmware.com/web/vmware/details?downloadGroup=ESXI650&productId=614#product_downloads
 
  • Like
Reactions: Vasudev, oldschool and DeepWeb
DeepWeb

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
ticklemefeet said:
Not sure if this is true but I was reading that if you use Hypervisor (ESXi) 6.5, you can run device guard in a VM but I don't think you can run hyper V and a VM at same time without Hypervisor (ESXi) 6.5
Download VMware vSphere
Click to expand...
Microsoft promised to make it compatible with 3rd party hypervisors two years ago...... cricket sounds.
Microsoft is not helping renaming features with every build!! It's so confusing. That being said either it is TPM2. In that case if you have compatible hardware it will turn on by itself and it will be disabled if you don't.

If it's HVCI (Hyper-V Code Integrity) related, you need to enable Hyper-V virtualization in your BIOS and enable Hypervisor in Windows Features and be aware it adds massive CPU overhead to everything and your AV might break.
 
  • Like
Reactions: Vasudev and oldschool
eonline

eonline

Level 21
Verified
Well-known
Nov 15, 2017
1,083
Hello, is there any way to activate Firmware Protection on windows 10 pro? Thank you very much. Best regards.
 
E

Eddie Morra

DeepWeb said:
If anything it will break OSArmor. These virtualized security measures from Microsoft kick anything out of the kernel that is not signed and approved by Microsoft.
Click to expand...
NVT OSArmor's kernel-mode software is co-signed by Microsoft IIRC. I do not know whether it will still be disliked by Microsoft's virtualisation technology regardless though.
 
  • Like
Reactions: DeepWeb and upnorth
DeepWeb

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
I think it's interesting that it says that we disabled it in Group policy. There's still no documentation about System Guard and what Group policy item govern it. Apparently it only works on clean installs anyway... I'm doing some experiments to see if I can enable it.

I managed to enable Firmware protection. It cancels boot up when one of your drivers is unknown so I wasn't able to boot even after turning virtualization off in BIOS. It reminds me of the Early Launch Antimalware policy that broke Kaspersky for me. Unfortunately I have to stop here because it is too time consuming to restore backup again. But I know you have to go into system32\CodeIntegrity check when your SIPolicy.p7b was created. It might be incompatible with the newer version of Windows 10. Mine was from 2017. After I updated it, things started to work. There's a Powershell script to create a new policy I will link it here in a moment.

More complicated actually. You have to create your own policy if you want to make sure it boots up. The first thing you have to do is run Device Guard Hardware Readiness Tool:
Download Device Guard and Credential Guard hardware readiness tool from Official Microsoft Download Center

And lo and behold a few interesting drivers showed up:
ambakdrv.sys - AOMEI Backupper (yes I have had issues with this when Hyper-V was on)
rtsper.sys - Realtek PCIe Card Driver
isctd64.sys - Intel Smart Connect (wtf even Intel is not compatible with Microsoft's new experiment)
stwrt64.sys - IDT Audio Driver
cpumcupdate64.sys - CPU Microcode Update Driver (vasudev and I have talked about this for a while)

So what I will try to do is create a SIpolicy that includes these drivers and then check if it works again following the instructions here:
Getting Started with Windows 10 Device Guard – Part 1 of 2

Here are all the things you will lose when you enable hypervisor enforced code integrity and Windows Defender System Guard in Kaspersky:
Compatibility of Kaspersky Total Security 19 with Windows 10

Other AVs have similar issues. You are giving up your AV's security in favor of Microsoft's security. Depending on which you trust more I would go with that.

OK I think I figured out why Firmware protection was set to disabled. Did you download your SIPolicy.p7b from the Internet? It might be set to Audit instead of Enforced. I managed to set it to Enforced but even after whitelisting many drivers I still had issues making it work. The most convenient way to enable all of these features is to do a clean install. :/
 
Last edited:
  • Like
Reactions: harlan4096
DeepWeb

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
I can't get it to work on 1809... This is frustrating because it's impossible to tell if I configured it wrong or if Windows 10 is just buggy. The settings in Device security don't match the settings in Group policy even though a check in Powershell confirms that Firmware protection and HVCI are on. But msinfo32 and Windows Security say it's off. This is a mess!
 
DeepWeb

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
"As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM). This process and data are hardware isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM, and, upon request a management system, like Intune or System Center Configuration Manager, can acquire them for remote analysis. From here the management system can take a series of actions, such as denying the device access to resources, if Windows Defender System Guard indicates that the device lacks integrity."
Hardening the system and maintaining integrity with Windows Defender System Guard - Microsoft Secure

So I think you need to have hardware with a TPM 2.0 chip in order to enable it. But I'm not sure. Another place I've read that your AV disables firmware protection if it's not compatible which might explain why it is grayed out for me.
 
  • Like
Reactions: upnorth and Vasudev
DeepWeb

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
Found a Microsoft slideshow saying Firmware Protection = System Guard with requirements and instructions to enable it.
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IIVu
It looks like it is strongly tied to security features in newer Intel CPUs (2018 8th gen, 9th gen or later vPro) which might be why it's greyed out for my Haswell CPU (4th gen). I will try to enable it in the registry to see what happens tomorrow.
 

Attachments

  • Screenshot_2018-12-28-00-18-32-01.jpeg
    Screenshot_2018-12-28-00-18-32-01.jpeg
    390.2 KB · Views: 998
Last edited:
  • Like
Reactions: SHvFl, Vasudev, upnorth and 1 other person
DeepWeb

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
Update: I tried enabling it through the registry and rebooted and it won't turn on as predicted. So now we know.
Firmware Protection is designed for Intel 8th and 9th generation CPUs with vPro. It protects your BIOS, UEFI and hardware firmware from being tampered with by verifying and signing the code and if there is tampering, your system will not boot and notify you. That's quite impressive and I can see why enterprises would want that. Some parts of System Guard are enabled already however. I see the process booting every time I reboot and it runs some kind of verification of the drivers that are installed.
 
Last edited:
  • Like
Reactions: Vasudev and harlan4096
V

Vasudev

Level 33
Verified
Nov 8, 2014
2,250
DeepWeb said:
Update: I tried enabling it through the registry and rebooted and it won't turn on as predicted. So now we know.
Firmware Protection is designed for Intel 8th and 9th generation CPUs with vPro. It protects your BIOS, UEFI and hardware firmware from being tampered with by verifying and signing the code and if there is tampering, your system will not boot and notify you. That's quite impressive and I can see why enterprises would want that. Some parts of System Guard are enabled already however. I see the process booting every time I reboot and it runs some kind of verification of the drivers that are installed.
Click to expand...
If you have TPM2.x and SMBIOS 2.6 or greater I think you can enable it.
 
  • Like
Reactions: DeepWeb

Similar threads

W
    • Like
Serious Discussion Chromstera Browser bug on Windows 10; Installed Arch Linux; Am I good now?
Replies
3
Views
414
General Security Discussions
WhatCanYouBelieve
W
Gandalf_The_Grey
    • Like
    • +Reputation
    • Hundred Points
Windows 11 taskbar has a hidden "End Task" feature, how to turn it on
Replies
2
Views
542
Windows 11
Aggravatorx
Aggravatorx
lokamoka820
    • Like
Hot Take How to Safeguard Your Windows PC Against Ransomware
Replies
1
Views
196
General Security Discussions
Bot
Bot

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top