Firmware Protection Windows 1809 - How to turn it on?

Vasudev

Level 33
Verified
Nov 8, 2014
2,224
I have installed the Windows 1809 update and I have a setting under Core isolation that I can't seem to find how to turn on, nor can I find any information about it.
Google wasn't my friend for this one, so if anyone can help, much appreciated.
I think it's a Pro-only feature that uses TPM 2 and above to protect the BIOS along with Boot Guard technology. So overall it's the end of the user-adjustable BIOS.
I have 1809 pro with updates, and I don't see that option at all. I have only Memory integrity, and that's it.
Maybe it is hardware-dependent.
Yeah it is. Need hardware support like TPM2 and above. Even Fingerprint or Touch Id will serve as a measure.
 

ForgottenSeer 69673

I have not updated my VM OS to 1809 yet. My core isolation only shows a memory protection slider as of now. I will update it later and see what shows then.
 

overdivine

Level 2
Thread author
Verified
Aug 21, 2013
83
Hardware: Virtualization extensions - Intel VT-x, AMD-V - are needed for Device Guard.
The Hyper-V hypervisor must be installed. I can't run, for example, Android emulator software that requires Hyper-V under Device Guard.
I don't know if you can turn on Device Guard under a VM.
 

ForgottenSeer 69673

Hardware: Virtualization extensions - Intel VT-x, AMD-V - are needed for Device Guard.
The Hyper-V hypervisor must be installed. I can't run, for example, Android emulator software that requires Hyper-V under Device Guard.
I don't know if you can turn on Device Guard under a VM.
Not sure if this is true, but I was reading that if you use Hypervisor (ESXi) 6.5, you can run Device Guard in a VM, but I don't think you can run Hyper-V and a VM at the same time without Hypervisor (ESXi) 6.5.
https://my.vmware.com/web/vmware/details?downloadGroup=ESXI650&productId=614#product_downloads
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
Not sure if this is true, but I was reading that if you use Hypervisor (ESXi) 6.5, you can run Device Guard in a VM, but I don't think you can run Hyper-V and a VM at the same time without Hypervisor (ESXi) 6.5.
Download VMware vSphere
Microsoft promised to make it compatible with 3rd party hypervisors two years ago... cricket sounds.
Microsoft is not helping by renaming features with every build!! It's so confusing. That being said, either it is TPM2. In that case, if you have compatible hardware it will turn on by itself, and it will be disabled if you don't.

If it's HVCI (Hyper-V Code Integrity) related, you need to enable Hyper-V virtualization in your BIOS and enable Hypervisor in Windows Features and be aware it adds massive CPU overhead to everything and your AV might break.
 

eonline

Level 21
Verified
Well-known
Nov 15, 2017
1,064
Hello, is there any way to activate Firmware Protection on windows 10 pro? Thank you very much. Best regards.
 

Eddie Morra

If anything it will break OSArmor. These virtualized security measures from Microsoft kick anything out of the kernel that is not signed and approved by Microsoft.
NVT OSArmor's kernel-mode software is co-signed by Microsoft IIRC. I do not know whether it will still be disliked by Microsoft's virtualisation technology regardless though.
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
I think it's interesting that it says that we disabled it in Group Policy. There's still no documentation about System Guard and what Group Policy item governs it. Apparently it only works on clean installs anyway... I'm doing some experiments to see if I can enable it.

I managed to enable Firmware protection. It cancels boot-up when one of your drivers is unknown, so I wasn't able to boot even after turning virtualization off in the BIOS. It reminds me of the Early Launch Antimalware policy that broke Kaspersky for me. Unfortunately I have to stop here because it is too time-consuming to restore the backup again. But I know you have to go into system32\CodeIntegrity and check when your SIPolicy.p7b was created. It might be incompatible with the newer version of Windows 10. Mine was from 2017. After I updated it, things started to work. There's a PowerShell script to create a new policy; I will link it here in a moment.

More complicated actually. You have to create your own policy if you want to make sure it boots up. The first thing you have to do is run Device Guard Hardware Readiness Tool:
Download Device Guard and Credential Guard hardware readiness tool from Official Microsoft Download Center

And lo and behold a few interesting drivers showed up:
ambakdrv.sys - AOMEI Backupper (yes I have had issues with this when Hyper-V was on)
rtsper.sys - Realtek PCIe Card Driver
isctd64.sys - Intel Smart Connect (wtf even Intel is not compatible with Microsoft's new experiment)
stwrt64.sys - IDT Audio Driver
cpumcupdate64.sys - CPU Microcode Update Driver (vasudev and I have talked about this for a while)

So what I will try to do is create an SIPolicy that includes these drivers and then check if it works again, following the instructions here:
Getting Started with Windows 10 Device Guard – Part 1 of 2

Here are all the things you will lose when you enable hypervisor enforced code integrity and Windows Defender System Guard in Kaspersky:
Compatibility of Kaspersky Total Security 19 with Windows 10

Other AVs have similar issues. You are giving up your AV's security in favor of Microsoft's security. Depending on which you trust more I would go with that.

OK, I think I figured out why Firmware protection was set to disabled. Did you download your SIPolicy.p7b from the Internet? It might be set to Audit instead of Enforced. I managed to set it to Enforced, but even after whitelisting many drivers I still had issues making it work. The most convenient way to enable all of these features is to do a clean install. :/
 
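The policy workflow DeepWeb walks through above (scan the installed drivers, whitelist them, switch the policy from Audit to Enforced, compile SIPolicy.p7b), as an added example that is not from the thread. It uses the ConfigCI cmdlets that ship with Windows 10; the output paths and the scan path are assumptions, and the two recovery rule options are kept so a driver the scan missed drops the system to audit mode instead of cancelling boot.

```powershell
# Added example (not from the thread). Requires the ConfigCI module
# (Windows 10 Pro/Enterprise, elevated PowerShell).
$PolicyXml = "$env:USERPROFILE\SIPolicy.xml"   # assumed working path
$PolicyBin = "$env:USERPROFILE\SIPolicy.p7b"   # assumed output path

# 1. Scan the installed drivers and allow them by publisher certificate,
#    falling back to a file hash for anything unsigned (the vendor drivers
#    the readiness tool flagged end up as hash rules).
New-CIPolicy -FilePath $PolicyXml -Level Publisher -Fallback Hash `
             -ScanPath "$env:SystemRoot\System32\drivers"

# 2. Read the rule options the generated policy carries, so we can tell
#    whether it is still an Audit policy (the state DeepWeb suspected).
function Get-CIPolicyRuleOptions([string]$Path) {
    [xml]$doc = Get-Content -Path $Path
    $doc.SiPolicy.Rules.Rule | ForEach-Object { $_.Option }
}
$opts    = Get-CIPolicyRuleOptions $PolicyXml
$isAudit = $opts -contains 'Enabled:Audit Mode'

# 3. Keep the recovery options before enforcing: option 9 keeps the F8
#    advanced boot menu; option 10 falls back to audit instead of halting
#    boot when a boot-critical driver fails the policy.
Set-RuleOption -FilePath $PolicyXml -Option 9
Set-RuleOption -FilePath $PolicyXml -Option 10

# 4. Switch from Audit to Enforced by deleting rule option 3.
if ($isAudit) {
    Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
}

# 5. Compile to the binary the kernel loads. Copy it to
#    $env:SystemRoot\System32\CodeIntegrity\SIPolicy.p7b only after an
#    audit-mode run shows no CodeIntegrity events 3076/3077 for drivers
#    you need at boot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
"Audit mode was set: $isAudit; compiled policy written to $PolicyBin"
```

Check the Microsoft-Windows-CodeIntegrity/Operational log after a reboot in audit mode: each 3076 event names a file that the enforced policy would block.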

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
I can't get it to work on 1809... This is frustrating because it's impossible to tell if I configured it wrong or if Windows 10 is just buggy. The settings in Device security don't match the settings in Group Policy, even though a check in PowerShell confirms that Firmware protection and HVCI are on. But msinfo32 and Windows Security say it's off. This is a mess!
 
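The "configured but not running" mismatch DeepWeb describes is visible directly in the Win32_DeviceGuard WMI class, which is what msinfo32 reads. The script below is an added example, not from the thread; the id-to-name tables are the documented values for that class, and it only reads state (run from an elevated prompt).

```powershell
# Added example (not from the thread): compare what VBS/HVCI/System Guard
# policy has configured against what is actually running.
$ServiceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor enforced Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
$PropertyNames = @{
    1 = 'Base virtualization support'; 2 = 'Secure Boot'
    3 = 'DMA protection';              4 = 'Secure memory overwrite'
    5 = 'UEFI code read-only';         6 = 'SMM security mitigations 1.0'
    7 = 'Mode-based execution control'; 8 = 'APIC virtualization'
}

$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
                      -ClassName Win32_DeviceGuard

function Describe-Services([int[]]$Ids) {
    if (-not $Ids) { return '(none)' }
    ($Ids | ForEach-Object {
        if ($ServiceNames.ContainsKey($_)) { $ServiceNames[$_] } else { "unknown id $_" }
    }) -join ', '
}

$vbsStates = @('Not enabled', 'Enabled but not running', 'Running')
"VBS status      : " + $vbsStates[[int]$dg.VirtualizationBasedSecurityStatus]
"Configured      : " + (Describe-Services $dg.SecurityServicesConfigured)
"Running         : " + (Describe-Services $dg.SecurityServicesRunning)
"Available props : " + (($dg.AvailableSecurityProperties |
    ForEach-Object { $PropertyNames[[int]$_] }) -join ', ')

# A service that is configured (registry/Group Policy set) but absent from
# the running list is exactly the case in the post above: the switch is on,
# but a hardware, firmware or driver prerequisite stopped it from starting.
$pending = @($dg.SecurityServicesConfigured |
    Where-Object { [int]$_ -notin @($dg.SecurityServicesRunning | ForEach-Object { [int]$_ }) })
if ($pending) { "Configured but NOT running: " + (Describe-Services $pending) }

# Firmware protection (Secure Launch, id 3) also needs platform support; if
# id 3 never appears in either list, the feature was not enabled at all.
```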

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
"As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM). This process and data are hardware isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM, and, upon request a management system, like Intune or System Center Configuration Manager, can acquire them for remote analysis. From here the management system can take a series of actions, such as denying the device access to resources, if Windows Defender System Guard indicates that the device lacks integrity."
Hardening the system and maintaining integrity with Windows Defender System Guard - Microsoft Secure

So I think you need to have hardware with a TPM 2.0 chip in order to enable it. But I'm not sure. Elsewhere I've read that your AV disables firmware protection if it's not compatible, which might explain why it is grayed out for me.
 

DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
Found a Microsoft slideshow saying Firmware Protection = System Guard with requirements and instructions to enable it.
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2IIVu
It looks like it is strongly tied to security features in newer Intel CPUs (2018 8th gen, 9th gen or later vPro) which might be why it's greyed out for my Haswell CPU (4th gen). I will try to enable it in the registry to see what happens tomorrow.
 


DeepWeb

Level 25
Verified
Top Poster
Well-known
Jul 1, 2017
1,396
Update: I tried enabling it through the registry and rebooted and it won't turn on as predicted. So now we know.
Firmware Protection is designed for Intel 8th and 9th generation CPUs with vPro. It protects your BIOS, UEFI and hardware firmware from being tampered with by verifying and signing the code and if there is tampering, your system will not boot and notify you. That's quite impressive and I can see why enterprises would want that. Some parts of System Guard are enabled already however. I see the process booting every time I reboot and it runs some kind of verification of the drivers that are installed.
 

Vasudev

Level 33
Verified
Nov 8, 2014
2,224
Update: I tried enabling it through the registry and rebooted and it won't turn on as predicted. So now we know.
Firmware Protection is designed for Intel 8th and 9th generation CPUs with vPro. It protects your BIOS, UEFI and hardware firmware from being tampered with by verifying and signing the code and if there is tampering, your system will not boot and notify you. That's quite impressive and I can see why enterprises would want that. Some parts of System Guard are enabled already however. I see the process booting every time I reboot and it runs some kind of verification of the drivers that are installed.
If you have TPM 2.x and SMBIOS 2.6 or greater, I think you can enable it.
 