Firmware Protection Windows 1809 - How to turn it on?

overdivine

I have installed the Windows 1809 update and I have a setting under Core isolation that I can't seem to find how to turn on, nor can I find any information about it.
Google wasn't my friend for this one, so if anyone can help, much appreciated.
Annotation.png
 

509322

I have installed the Windows 1809 update and I have a setting under Core isolation that I can't seem to find how to turn on, nor can I find any information about it.
Google wasn't my friend for this one, so if anyone can help, much appreciated.

Just because the setting is in Windows 10 Home GUI does not automatically mean you can use it.

Microsoft is no one's friend and never explains anything clearly - most of all to Home users.

There are hardware (and probably other) requirements that your system must meet for System Guard functionality to work. I am not spending the time to research what Microsoft should be explaining to Home users, but here are the hardware requirements:

Virtualization-based Security (VBS)

Just an FYI for those that don't know... going forward this will be the scam that Microsoft runs... in order to have the latest and greatest Microsoft security, you will have to have the latest and greatest hardware. Another example of Microsoft holding the world hostage.
 

shmu26

I have installed the Windows 1809 update and I have a setting under Core isolation that I can't seem to find how to turn on, nor can I find any information about it.
Google wasn't my friend for this one, so if anyone can help, much appreciated.
I have 1809 pro with updates, and I don't see that option at all. I have only Memory integrity, and that's it.
Maybe it is hardware-dependent.
 

509322

I am running Windows Enterprise. Device Guard is running.

I mistakenly assumed you were running consumer. My bad.

Then look it up in the Microsoft documentation. Except for, like, three people on the forums, no one runs Enterprise. I looked at my 10 Pro 1809 for it, and was like "Wut?" But knowing how Microsoft is, I didn't think anything of it. Now that I see you are running it, it makes perfect sense why it isn't showing on others' non-Enterprise 1809 systems.
 

overdivine

Maybe they need to update the info. The setting wasn't there in 1803. I've searched a lot and didn't find anything about that specific setting. I will try to turn on Windows Defender later to see if there is any change. And I don't know how I could have disabled the setting by mistake in Group Policy, because I can't find it anywhere.
 

Eddie Morra

Maybe they need to update the info
Yeah people have been saying that since Windows XP. LOL

It'll never change while people are handing over their credit cards and keeping Microsoft rich with their market share. They won't bother to change until they absolutely must... as they have proven time and time over again. Good luck contacting them and having them address the fact that the documentation is outdated/needs to be updated!

Lack of documentation pretty much ruins their work from being used to its full potential by a majority - and it is no one else's choice except theirs to withhold or not dedicate resources to releasing good documentation. Microsoft aren't kidding anyone - they know how to write documentation when it suits them, they just do not want to for unknown reasons.
 

Local Host

Yeah people have been saying that since Windows XP. LOL

It'll never change while people are handing over their credit cards and keeping Microsoft rich with their market share. They won't bother to change until they absolutely must... as they have proven time and time over again.

Lack of documentation pretty much ruins their work from being used to its full potential by a majority - and it is no one else's choice except theirs to withhold or not dedicate resources to releasing good documentation. Microsoft aren't kidding anyone - they know how to write documentation when it suits them, they just do not want to for unknown reasons.
They'll take care of the Documentation when Core Isolation is ready for prime time, like they do with all the other features. Core Isolation is pretty much in BETA.
 

509322

Yeah people have been saying that since Windows XP. LOL

It'll never change while people are handing over their credit cards and keeping Microsoft rich with their market share. They won't bother to change until they absolutely must... as they have proven time and time over again. Good luck contacting them and having them address the fact that the documentation is outdated/needs to be updated!

Lack of documentation pretty much ruins their work from being used to its full potential by a majority - and it is no one else's choice except theirs to withhold or not dedicate resources to releasing good documentation. Microsoft aren't kidding anyone - they know how to write documentation when it suits them, they just do not want to for unknown reasons.

Smack-down bro! Open-palm smack-down! Proper!

Krammbo OS

I will buy it.
 

Eddie Morra

If anyone is on Windows 10 1809 update and would like to give me a hand, then let me know in a PM and I will ask you to send me some files from SystemDrive:\Windows\System32\. I will then check them and may be able to let you know how to enable this firmware feature afterwards.

Note that there is no guarantee and even if I can find out for you how to enable the setting, absolutely all responsibility is yours. There is no official documentation and the feature is likely to be untested... so anything can happen. I do not recommend enabling the feature, even if I can provide undocumented information to it.
 

RejZoR

Just because the setting is in Windows 10 Home GUI does not automatically mean you can use it.

Microsoft is no one's friend and never explains anything clearly - most of all to Home users.

There are hardware (and probably other) requirements that your system must meet for System Guard functionality to work. I am not spending the time to research what Microsoft should be explaining to Home users, but here are the hardware requirements:

Virtualization-based Security (VBS)

Just an FYI for those that don't know... going forward this will be the scam that Microsoft runs... in order to have the latest and greatest Microsoft security, you will have to have the latest and greatest hardware. Another example of Microsoft holding the world hostage.

Dude, what? That's like saying OMG, if you don't have DX12 capable graphic card, Microsoft is holding the technology back because reasons.

Hardware and software are always connected. Saying it's Microsoft's fault because you have old hardware that doesn't have certain features or capabilities, that's not how it works. If a system doesn't support a specific HW feature, then it doesn't have one. I have a Haswell-E class CPU that doesn't support certain security features. Should I blame MS? Of course not. The other system with a newer Atom, however, does. Or the AMD APU. That's just how it is. Always was and always will be.
 

shmu26

I have installed the Windows 1809 update and I have a setting under Core isolation that I can't seem to find how to turn on, nor can I find any information about it.
Google wasn't my friend for this one, so if anyone can help, much appreciated.
Try opening Group Policy and see if you can activate the feature that way.
It is probably over here: Computer Configuration > Administrative Templates > System > Device Guard.
 

Eddie Morra

Try opening Group Policy and see if you can activate the feature that way.
It is probably over here: Computer Configuration > Administrative Templates > System > Device Guard.
Apparently there was no option there for it. Do you have one?

If there's an option for the firmware protection then I don't know what I was supposed to try and do later... I thought the issue was that no one knew how to enable it?
 

Eddie Morra

Thanks to @shmu26 and @overdivine for sharing some files with me which belong to their Windows 10 1809 environment... it is really appreciated and saved me some time.

I've taken a look and I've found a lead which may be the solution. Remember though, anything that happens by enabling this silently-snuck in feature which is still undocumented by Microsoft is the fault of anyone but me, and there is no guarantee that the feature even works yet, nor that my "solution" will work (it is untested and I do not plan on testing it anytime soon - do it at your own free will if you understand the risks).

There's a Windows Service named "Windows Defender Security Center Service" on Windows 10 and this is for a Win32 process named "SecurityHealthService.exe" (located under the System32 directory). This process is going to check the configurations for features like Device Guard and will do X and X depending on the configuration.

When I took a look at the SecurityHealthService.exe on my Windows 10 1803 environment, I could not find any evidence of the Windows Defender System Guard feature being referenced. However, when I did some investigation into the version of SecurityHealthService.exe from the environment of 1809 users, I did find evidence of the feature being referenced.

Below is a screenshot.

SystemGuard.png


If the key does not already exist, then create the following.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard -> Enabled (DWORD - set to the value of 1).

After creating/modifying the key, reboot your system and then re-check if the feature is enabled from the Windows Defender Settings area.

You should make sure you have a backup before doing this, just in case my solution works and the feature is buggy... the last thing you want is to toast your environment and not have a recovery route because you enabled an undocumented Windows Defender feature.
 
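The registry change and the VBS prerequisite discussed in this thread, as an added PowerShell example that is not part of any post here. It assumes an elevated session on Windows 10 1809 and the key path exactly as given above; it only reads state unless you explicitly call the enable function, which supports -WhatIf.

```powershell
# Added example (not from the thread): inspect the undocumented System Guard
# registry value described above and the VBS state it depends on.
# Assumes Windows 10 1809 and an elevated PowerShell session.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'

function Get-SystemGuardRegistryState {
    # Returns $null when the key or value is missing, otherwise the DWORD value.
    if (-not (Test-Path $KeyPath)) { return $null }
    (Get-ItemProperty -Path $KeyPath -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
}

function Get-VbsState {
    # Win32_DeviceGuard reports whether virtualization-based security is
    # configured and running; the registry value alone cannot make System Guard
    # work on hardware where VBS is not available.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [PSCustomObject]@{
        VbsStatus                  = $dg.VirtualizationBasedSecurityStatus  # 0 = off, 1 = enabled not running, 2 = running
        SecurityServicesRunning    = $dg.SecurityServicesRunning            # 1 = Credential Guard, 2 = HVCI
        SecurityServicesConfigured = $dg.SecurityServicesConfigured
    }
}

function Enable-SystemGuardRegistryKey {
    # Creates the key and sets Enabled=1 as described in the post; a reboot is
    # still required before the Core isolation page reflects any change.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($KeyPath, 'Set Enabled (DWORD) = 1')) {
        New-Item -Path $KeyPath -Force | Out-Null
        New-ItemProperty -Path $KeyPath -Name 'Enabled' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

"System Guard registry 'Enabled' value: $(Get-SystemGuardRegistryState)"
Get-VbsState
# Dry run first; remove -WhatIf only after you have a backup, then reboot.
Enable-SystemGuardRegistryKey -WhatIf
```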

509322

Dude, what? That's like saying OMG, if you don't have DX12 capable graphic card, Microsoft is holding the technology back because reasons.

Hardware and software are always connected. Saying it's Microsoft's fault because you have old hardware that doesn't have certain features or capabilities, that's not how it works. If a system doesn't support a specific HW feature, then it doesn't have one. I have a Haswell-E class CPU that doesn't support certain security features. Should I blame MS? Of course not. The other system with a newer Atom, however, does. Or the AMD APU. That's just how it is. Always was and always will be.

You are absolutely correct. However, it is Microsoft that establishes its certification scams. It isn't as if there is some independent, unbiased 3rd-party involved in or overseeing that whole process with the goal being to establish minimum, cost effective and fair standards. No, the "standard" is what Microsoft says it is. In this way Microsoft can lead parties around by the nose and milk them for even more money.
 
