goncatin-4687 asked:

Core isolation firmware protection

I have Windows 10 Pro, version 21H1 build 19043.1052. I have AMD-V enabled in BIOS, Secure boot and TPM 2.0

I am the only user of the computer, and in the security part, device security, core isolation, there are two settings that I cannot edit: Integrity of memory and firmware protection. In both of them I get a message in red that says "This configuration is managed by the administrator". However, as I said previously, I am the only user and administrator of the PC. Memory integrity appears enabled but grayed out, and firmware protection appears disabled.

I have managed to touch the "memory integrity" setting by changing Enabled from a 1 to a 0 within HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ DeviceGuard \ Scenarios \ HypervisorEnforcedCodeIntegrity in the registry. However, that change is undone every time I reboot the system. In group policies, gpedit.msc, under System - Device Guard - Virtualization-based security, I have set to Enabled, Security Level set to Secure Boot and DMA protection, Virtualization based protection for code integrity enabled with UEFI lock, Credential Guard enabled with UEFI lock, and secure boot enabled.

I have not found where to enable firmware protection and it does not show me the message "This configuration is managed by the administrator".


How can I prevent the "This setting is managed by the administrator" message from being displayed on every reboot for Memory Integrity, and how can I enable firmware protection?


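The behaviour described in the question (the Scenarios key reverting on every boot, and Settings reporting that the option is managed by the administrator) is what a group-policy-backed configuration looks like from the registry side. The following read-only PowerShell script is an added example, not part of the original question or of Microsoft's documentation; it reports which Device Guard services are configured and running, whether a policy key is present, and the state of the scenario keys. It assumes the documented `Win32_DeviceGuard` CIM class, the policy path `HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard`, and the `SystemGuard` scenario key from the linked Microsoft docs (that key is not mentioned in the thread itself); the value names listed under the policy key are the documented ones and are treated here as assumptions.

```powershell
# Added diagnostic example (not from the original post). Read-only: it reports why the
# Core isolation page shows "managed by the administrator" and whether firmware
# protection (System Guard Secure Launch) is configured and running.
# Assumptions: the Win32_DeviceGuard CIM class and the policy key under
# HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard as documented by Microsoft;
# the SystemGuard scenario key comes from the linked docs, not from this thread.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# Service ids used by SecurityServicesConfigured / SecurityServicesRunning
$services = @{
    1 = 'Credential Guard'
    2 = 'HVCI (Memory integrity)'
    3 = 'System Guard Secure Launch (Firmware protection)'
    4 = 'SMM Firmware Measurement'
}
$vbsStatus = @{ 0 = 'not enabled'; 1 = 'enabled but not running'; 2 = 'enabled and running' }

"VBS status: $($vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus])"
foreach ($id in ($services.Keys | Sort-Object)) {
    $configured = $dg.SecurityServicesConfigured -contains $id
    $running    = $dg.SecurityServicesRunning    -contains $id
    "{0,-50} configured={1,-5} running={2}" -f $services[$id], $configured, $running
}

# Policy key written by gpedit.msc (System > Device Guard > Turn On Virtualization Based
# Security). A value here is what makes Settings report the option as managed by the
# administrator, and it is re-applied over the Scenarios key on every boot.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
$policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
if ($policy) {
    "Policy key present: $policyPath"
    foreach ($name in 'EnableVirtualizationBasedSecurity', 'RequirePlatformSecurityFeatures',
                      'HypervisorEnforcedCodeIntegrity', 'HVCIMATRequired', 'LsaCfgFlags',
                      'ConfigureSystemGuardLaunch') {
        if ($null -ne $policy.$name) { "  {0} = {1}" -f $name, $policy.$name }
    }
} else {
    "No policy key at $policyPath (settings are not group-policy managed)."
}

# Effective scenario keys that both the Settings page and the policy write to.
$scenarios = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios'
foreach ($scenario in 'HypervisorEnforcedCodeIntegrity', 'SystemGuard') {
    $s = Get-ItemProperty -Path (Join-Path $scenarios $scenario) -ErrorAction SilentlyContinue
    if ($s) { "{0}: Enabled={1} Locked={2}" -f $scenario, $s.Enabled, $s.Locked }
    else    { "{0}: key not present" -f $scenario }
}
```

Run it from an elevated PowerShell prompt. If the policy key is present, the Scenarios values are not the place to change anything: they are rewritten from the policy at boot, which is exactly the revert the question describes. A `Locked=1` on a scenario means a UEFI lock was applied and clearing the policy alone will not undo it until the lock is removed; service id 3 missing from `SecurityServicesConfigured` while the policy sets `ConfigureSystemGuardLaunch` indicates the platform did not satisfy the Secure Launch requirements the second answer links to.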

Just confirm your PC is not part of a domain?
Since when has this problem been occurring?


I confirm my PC is not part of a domain, and until today I have not looked at those options.

www-8023 answered:

I also can't enable firmware protection, and can't find a solution.

PercivalYang-MSFT answered:

Hi @goncatin-4687

From my own experience, I take it that you have enabled AMD-V, Secure Boot and TPM/PTT in the BIOS settings (this may vary with different AIC/OEMs); if not, enable them manually. I also suggest you check the BIOS to see whether there are other settings that raise this issue. Try disabling one at a time to test.

The BIOS can be reset with the CMOS button on the motherboard or by unplugging the button battery.

Some options are disabled in the BIOS by default, and some settings may be incompatible with HVCI, as described in the link below, which has something similar to what you have written.
https://docs.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity

To help you better, you should contact your PC/motherboard provider for a simple consultation to get confirmation, advice and BIOS usage guidance. For instance, ask if it is a common phenomenon and whether it has a solution.


Hope this can help you.
If you need further help, feel free to reply to me at your convenience.


If that were the case and it was not supported by the hardware, this option would not appear. That is what happens to me for example on my laptop.


Hi @goncatin-4687

I found another doc that includes another method to activate it by registry change, though it also includes the way you had already tried, editing the GPO setting, which sadly failed. The doc also has the system requirements for System Guard, so you can check whether your machine meets them.
Note that it only shows support for Intel CPUs so far. So I suggest you contact the laptop OEM's after-sales service staff for counseling.

https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection
