Question How to enable Firmware Protection in Windows 11 via registry or GPO?

[Kongo]

Hey guys,

been sitting here for hours figuring out how to enable that bs. Every other feature is enabled but I cant seem to get this one working.
Can anybody help please? I am really desperate right now.

Thank you in advance!

 

[Bot]

Hey guys,

been sitting here for hours figuring out how to enable that bs. Every other feature is enabled but I cant seem to get this one working.
Can anybody help please? I am really desperate right now.

Thank you in advance!

View attachment 293016

Hey Kongo,

I can see why you're frustrated, it's definitely annoying when a setting is greyed out like that.

The message "Diese Einstellung wird vom Administrator verwaltet" means "This setting is managed by your administrator". This usually happens when a setting is controlled by a Group Policy or a registry entry, rather than directly in the Windows Security app. This can sometimes be set by other security software or system utilities.

First off, is this your personal computer or is it a device from your work or school? If it's a work/school device, you'll likely need to contact your IT department as they have probably configured this policy intentionally.

If this is your personal PC, you can try checking the Group Policy Editor. Please note that this is not available on Windows Home editions.

• Press the Windows Key + R, type gpedit.msc, and press Enter.
• Navigate to: Computer Configuration > Administrative Templates > System > Device Guard
• Look for a policy named "Turn On Virtualization Based Security".
• If its status is "Enabled" or "Disabled", double-click it and change the setting to "Not Configured".
• Click OK and restart your computer.

If you have a Home edition of Windows, or if the above doesn't work, the change might be in the registry.

Warning: Editing the registry can be risky if you're not careful. Please consider creating a backup of the registry before making any changes.

• Press the Windows Key + R, type regedit, and press Enter.
• Navigate to the following key:
  

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard

• In the right-hand pane, look for a value called "EnableVirtualizationBasedSecurity".
• If this value is present and set to 0, it's likely what is disabling the Firmware Protection. You can try deleting this value.
• Restart your computer for the changes to take effect.

Hope this helps you get it sorted out. Let us know how it goes

 

[Kongo]

Hey Kongo,

I can see why you're frustrated, it's definitely annoying when a setting is greyed out like that.

The message "Diese Einstellung wird vom Administrator verwaltet" means "This setting is managed by your administrator". This usually happens when a setting is controlled by a Group Policy or a registry entry, rather than directly in the Windows Security app. This can sometimes be set by other security software or system utilities.

First off, is this your personal computer or is it a device from your work or school? If it's a work/school device, you'll likely need to contact your IT department as they have probably configured this policy intentionally.

If this is your personal PC, you can try checking the Group Policy Editor. Please note that this is not available on Windows Home editions.

• Press the Windows Key + R, type gpedit.msc, and press Enter.
• Navigate to: Computer Configuration > Administrative Templates > System > Device Guard
• Look for a policy named "Turn On Virtualization Based Security".
• If its status is "Enabled" or "Disabled", double-click it and change the setting to "Not Configured".
• Click OK and restart your computer.

If you have a Home edition of Windows, or if the above doesn't work, the change might be in the registry.

Warning: Editing the registry can be risky if you're not careful. Please consider creating a backup of the registry before making any changes.

• Press the Windows Key + R, type regedit, and press Enter.
• Navigate to the following key:
  

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard

• In the right-hand pane, look for a value called "EnableVirtualizationBasedSecurity".
• If this value is present and set to 0, it's likely what is disabling the Firmware Protection. You can try deleting this value.
• Restart your computer for the changes to take effect.

Hope this helps you get it sorted out. Let us know how it goes

Tried that already sir.

 

[Bot]

Tried that already sir.

Hey Kongo,

Sorry to hear the previous suggestions didn't work. These things can sometimes be a process of elimination. Let's not give up yet!

A common reason for this feature being unavailable is that the necessary hardware virtualization isn't enabled in your computer's BIOS/UEFI. Let's check what Windows itself thinks is happening.

Can you please open the System Information panel?

• Press the Windows Key + R, type msinfo32, and press Enter.
• On the main page (System Summary), scroll down and find the item named "Virtualization-based security".
• Could you tell us what status is listed next to it? It will likely say "Not enabled", "Enabled but not running", or something similar. This is a key piece of information.

Also, while you're in `msinfo32`, check what it says for "Secure Boot State".

Depending on what `msinfo32` reports, the next step is likely to restart your computer and enter the BIOS/UEFI settings. The key to press during startup varies by manufacturer, but it's usually Del, F2, F10, or Esc.

Once in the BIOS, you'll need to look for and Enable settings with names like:

• Intel Virtualization Technology (or VT-x)
• AMD-V (or SVM Mode)

These settings are often found in the "CPU Configuration" or "Advanced" sections of the BIOS.

Let us know what you find in `msinfo32`, and we'll figure out the next steps from there

 

[MWNormanF]

I've Core Isolation enabled.

If the security is enterprise grade like MDB, you ensure you can't sabotage your own security setup because its been rendered tamper proof.

 

[Sampei.Nihira]

@Kongo

Try checking the value of this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard

Of course, you must open regedit as an Administrator.

P.S.

My wife is German (born in Koblenz) but she's out shopping right now, and I read/speak very little of your language.
So I may have misunderstood your screen.

 

[Kongo]

@Kongo

Try checking the value of this registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard

Of course, you must open regedit as an Administrator.

P.S.

My wife is German (born in Koblenz) but she's out shopping right now, and I read/speak very little of your language.
So I may have misunderstood your screen.

Thanks, but I already have that enabled. Doesn't change anything.

 

[Sampei.Nihira]

Thanks, but I already have that enabled. Doesn't change anything.

Enabled to 1?
You need to disable it to 0 and the message “managed...” should disappear.
Then you can change the switch to enable the feature.

Try it out.

 

[rashmi]

Thanks, but I already have that enabled. Doesn't change anything.

The settings to enable/disable it should be there in the BIOS. I successfully disabled Secure Boot and virtualization-based security in the BIOS.

 

[Kongo]

Enabled to 1?
You need to disable it to 0 and the message “managed...” should disappear.
Then you can change the switch to enable the feature.

Try it out.

I did but now the setting doesn't even appear in Security Center. It only appears when I enforce all DeviceGuard settings via Group Policy but then it's greyed out and disabled as shown in the screenshot... Is it hardware related? Maybe my hardware doesn't support it?

 

[Kongo]

The settings to enable/disable it should be there in the BIOS. I successfully disabled Secure Boot and virtualization-based security in the BIOS.

It's not a BIOS related setting as far as I know.

 

[rashmi]

It's not a BIOS related setting as far as I know.

I suggested looking into the BIOS, as, according to @Bot, the firmware protection and virtualization-based security are the same. I have virtualization-based security, i.e., "Intel Virtualization" in the BIOS, but I don't see firmware protection there or in Windows Security. Are firmware protection and virtualization-based security the same?

According to Windows Security, my system doesn't meet "Standard Security" requirements. Our kids' systems meet "Advanced Security" requirements. I'll see if their systems have firmware protection in the BIOS and in Windows Security when they visit me and update here.

 

[Bot]

I suggested looking into the BIOS, as, according to @Bot, the firmware protection and virtualization-based security are the same. I have virtualization-based security, i.e., "Intel Virtualization" in the BIOS, but I don't see firmware protection there or in Windows Security. Are firmware protection and virtualization-based security the same?

According to Windows Security, my system doesn't meet "Standard Security" requirements. Our kids' systems meet "Advanced Security" requirements. I'll see if their systems have firmware protection in the BIOS and in Windows Security when they visit me and update here.

Hi rashmi,

No, firmware protection and virtualization‑based security (VBS) are not the same thing, but they are closely related.

In short:
• VBS is the platform (Windows hypervisor-based isolation).
• Firmware protection is one of the features that can sit on top of that platform, together with others like Memory integrity (HVCI), Credential Guard, etc.

---

What is virtualization‑based security (VBS)?

Virtualization‑based security is a Windows feature that uses the built‑in hypervisor to create an isolated memory region. That isolation is then used to protect things like:

• Memory integrity (Core isolation / HVCI)
• Credential Guard
• Application Guard and similar features

So when you see options in BIOS like:

• Intel Virtualization Technology / VT‑x
• AMD‑V / SVM
• Sometimes “Virtualization-based security” or similar wording

…those are mainly about enabling the hardware support that VBS needs.

---

What is “firmware protection” in Windows Security?

The “Firmware protection” toggle/section in Windows Security is tied to Microsoft Defender System Guard (especially Secure Launch / DRTM and related protections). It is focused on:

• Protecting the firmware/boot chain (UEFI, early boot components)
• Using Secure Boot, TPM 2.0, and VBS to verify that early boot code hasn’t been tampered with
• Providing attestation that the system booted in a trusted state

It uses the same underlying technologies (Secure Boot, TPM, VBS), but it is a separate protection layer from “just” enabling VBS/HVCI.

That’s why:

• You can have VBS / Core isolation / Memory integrity enabled even if “Firmware protection” is missing or greyed out.
• Whether “Firmware protection” appears and is switchable also depends on hardware/firmware support and policies/registry.

You usually won’t see a BIOS option literally named “Firmware protection”. Instead you see prerequisites like:

• UEFI boot (no Legacy/CSM)
• Secure Boot enabled
• TPM 2.0 enabled
• CPU virtualization enabled (VT‑x / AMD‑V, sometimes other CPU security extensions)

Windows then decides, based on those plus CPU/firmware capabilities, whether it can expose the “Firmware protection” feature.

---

About your “Standard” vs “Advanced” security comment

When Windows Security says a device meets only Standard vs Advanced security, it’s basically checking if all its recommended hardware-based protections are actually available and turned on (Secure Boot, TPM, VBS, Core isolation, sometimes System Guard features, etc.).

So it’s very possible that:

• Your kids’ machines have newer CPUs / firmware that fully support System Guard / Secure Launch, so Windows can enable more features and shows “Advanced”.
• Your system has VBS available (so you see “Intel Virtualization” in BIOS and can use core isolation), but is missing some requirement for the full firmware protection/System Guard stack, so the UI doesn’t show it or can’t enable it.

---

Back to Kongo’s situation

For Kongo:

• Having Core isolation enabled means VBS is working.
• The missing/greyed “Firmware protection” option is not just a BIOS toggle; it depends on a mix of hardware support, firmware, Secure Boot/TPM state, and policies (Device Guard / System Guard keys, Group Policy).
• If registry tweaks make the option vanish or go “managed by your administrator”, that’s Windows reacting to those Device Guard/System Guard policies rather than a pure hardware issue.

If you (or Kongo) want to dig deeper, the safest next step is:

• Open msinfo32 → check:
  • Secure Boot State
  • Device Guard Security Services Running
  • Device Guard Security Services Configured
• Make sure TPM, Secure Boot, and virtualization are all actually enabled in firmware.

If you post those specific lines (with any personal identifiers removed), people in the forum can better see whether it’s a limitation of the hardware/firmware or just a configuration/policy issue.

If anything is unclear, feel free to paste the exact wording from `msinfo32` (in English or German) and we can interpret it together.

 

[rashmi]

Make sure TPM, Secure Boot, and virtualization are all actually enabled in firmware.

I disabled Secure Boot and Intel Virtualization Technology/VT-x in the BIOS. Does disabling Secure Boot and Intel Virtualization remove the firmware protection feature from Windows Security?

 

[Bot]

I disabled Secure Boot and Intel Virtualization Technology/VT-x in the BIOS. Does disabling Secure Boot and Intel Virtualization remove the firmware protection feature from Windows Security?

Yes – disabling Secure Boot and Intel Virtualization Technology (VT‑x) will effectively remove the conditions Windows needs to offer “firmware protection” as shown in Windows Security.

In more detail:

• Secure Boot OFF
  • Secure Boot is a core part of the “trusted boot chain”.
  • Features under Firmware protection / System Guard / Secure Launch rely on Secure Boot to establish a hardware/firmware root of trust.
  • If you turn Secure Boot off, Windows will usually:
  • Downgrade your device from “Advanced” to “Standard” security
  • Hide or disable some firmware/boot protection options in Windows Security
• Virtualization (VT‑x) OFF
  • Turning VT‑x off prevents VBS (virtualization-based security) from running.
  • Without VBS, features like Core isolation / Memory integrity and some System Guard protections (which include firmware/boot protections) cannot function.
  • Windows Security may then:
  • Stop showing certain options
  • Or show them as unavailable / not meeting requirements

So:

• Yes, disabling Secure Boot and VT‑x makes it less likely that you’ll see or be able to use any “firmware protection” feature in Windows Security.
• Some low‑level protections (like basic UEFI behavior) still exist at firmware level, but Windows won’t treat the system as having full, hardware‑backed firmware protection.

If you want the strongest protection Windows can offer on your hardware:

• Re‑enable Secure Boot in BIOS/UEFI
• Re‑enable Intel Virtualization Technology / VT‑x
• Boot back into Windows and check:
  • Windows Security → Device security
  • msinfo32 → confirm:
  • Secure Boot State = On
  • Virtualization-based security = Running (if your hardware supports it)

Your system may still not show a “Firmware protection” toggle if the CPU/firmware doesn’t fully support all of System Guard’s features, but turning Secure Boot and VT‑x off definitely moves you further away from it, not closer.

 

[Sampei.Nihira]

I did but now the setting doesn't even appear in Security Center. It only appears when I enforce all DeviceGuard settings via Group Policy but then it's greyed out and disabled as shown in the screenshot... Is it hardware related? Maybe my hardware doesn't support it?

Follow the bot's advice to check.

I have an academic curiosity, excuse me for this digression, and this check would be very simple.
My PC does not support Stack Protection Hardware.
If you enable MD exploit protections, does the stack protection applied to the hardware work for you?
You can also check this using Process Explorer, obviously you have to enable the corresponding column.

 

[Sampei.Nihira]

@Kongo




Obviously, PE must be opened as an Administrator.