Introduction

Windows Defender System Guard is a pivotal security feature in Windows 10 and 11, designed to protect the system's integrity from the moment the boot process begins. By leveraging hardware-rooted technologies such as Secure Boot, Trusted Platform Module (TPM) 2.0, and Virtualization-Based Security (VBS), System Guard establishes a robust defense against sophisticated threats targeting the early startup phases. However, users may encounter the status "Enabled but not running," reported by System Information (msinfo32) under Virtualization-based security: the configuration asks for the feature, but the platform did not start it at boot, so System Guard is not actually protecting the system. This article delves into the causes of this issue and provides comprehensive solutions to ensure System Guard functions effectively.

Understanding System Guard

System Guard is integral to Microsoft's security framework, particularly in Secured-core PCs. It comprises three key components:

  • System Management Mode (SMM) Protection: Safeguards against vulnerabilities in firmware by requiring the OEM firmware to constrain what SMM code may access, then measuring and attesting that constraint, so a compromised SMI handler cannot silently undermine the hypervisor or the OS.
  • Secure Launch: Uses a Dynamic Root of Trust for Measurement (DRTM; Intel TXT or AMD DRTM) to restart the measured boot chain from a CPU-controlled state before the hypervisor loads, so system integrity no longer depends on trusting everything the UEFI firmware ran earlier.
  • Virtualization-Based Security (VBS): Utilizes hardware virtualization to create isolated memory regions (Virtual Secure Mode), protecting critical system processes from malicious code even when that code runs with kernel privileges.

These components work synergistically to establish a hardware-rooted trust, detect and block malicious code during boot, and isolate sensitive workloads from even highly privileged malware.

Diagnosing "Enabled but Not Running" Status

The "Enabled but not running" status means the configuration requests VBS (and with it System Guard), but the platform did not start it at boot. The usual causes are a required platform property that the firmware does not provide (Secure Boot, DMA protection, or hardware virtualization), a hypervisor that is not launched at startup, or, for Secure Launch specifically, a CPU or firmware that does not expose DRTM. To address this, follow these steps:

1. Verify Hardware and Firmware Compatibility

Ensure your system meets the necessary hardware specifications for System Guard:

  • Processor Support:
    • Intel: vPro-class processors, 8th generation (Coffee Lake/Whiskey Lake) or newer.
    • AMD: Zen 2 generation and newer (e.g., Ryzen 3000 series, EPYC 7002 or later).
    • Qualcomm: Snapdragon SD850 and newer.
  • Firmware Requirements:
    • UEFI firmware with Secure Boot enabled (legacy BIOS/CSM boot is not supported).
    • TPM 2.0.
    • Hardware virtualization support (Intel VT-x or AMD-V) and an IOMMU (Intel VT-d or AMD-Vi) for DMA protection.
    • DRTM support exposed by the firmware (Intel TXT or AMD DRTM/SKINIT), which Secure Launch depends on.

Access your BIOS/UEFI settings to confirm these features are enabled. If any are missing or disabled, System Guard may not function correctly.

2. Configure System Guard in the Registry

Proper configuration in the Windows Registry is crucial:

  1. Press INLINECODE0 , type INLINECODE1 , and press Enter to open the Registry Editor.
  2. Navigate to INLINECODE2 .
  3. Ensure the INLINECODE3 DWORD is set to INLINECODE4 . If it doesn't exist, create it:
  • Right-click on INLINECODE5 > New > DWORD (32-bit) Value > Name it INLINECODE6 > Set the value to INLINECODE7 .

3. Enable Virtualization-Based Security (VBS)

VBS is essential for System Guard's operation:

  1. Press INLINECODE8 , type INLINECODE9 , and press Enter to open the Local Group Policy Editor.
  2. Navigate to INLINECODE10 .
  3. Set the policy to INLINECODE11 .
  4. Under "Select Platform Security Level," choose INLINECODE12 .
  5. Under "Credential Guard Configuration," select INLINECODE13 .
  6. Under "Secure Launch Configuration," select Enabled. This is the setting that actually turns on System Guard Secure Launch; the Credential Guard setting is independent of it.
  7. Click INLINECODE14 , then INLINECODE15 .
  8. Restart your system to apply the changes.

4. Ensure Hypervisor is Active

System Guard relies on the Hyper-V hypervisor:

  1. Open Command Prompt as Administrator.
  2. Execute the command: INLINECODE16 .
  3. Restart your system.

This command configures Windows to load the Hyper-V hypervisor during startup, which is necessary for VBS and System Guard.

5. Configure BIOS/UEFI Settings

Certain BIOS/UEFI settings are critical:

  1. Enter BIOS/UEFI setup during system boot.
  2. Ensure the following features are enabled:
  • UEFI Boot Mode (disable Legacy/CSM).
  • Secure Boot.
  • TPM 2.0 (Firmware TPM or discrete TPM).
  • Intel VT-x / AMD-V (Hardware virtualization).
  • Kernel DMA Protection (if available).
  3. Save changes and exit.

Updating your BIOS/UEFI to the latest version can also resolve compatibility issues.
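The following PowerShell script is added here as a worked example and is not code from the original article or from Microsoft. It applies the registry and boot settings that steps 2 through 4 describe and first runs a preflight for the firmware features step 5 asks for, so that a missing platform feature is reported before the configuration is written. The registry key and value names are the ones Microsoft documents for VBS and Secure Launch (HKLM\SYSTEM\CurrentControlSet\Control\DeviceGuard and its Scenarios\SystemGuard subkey); the preflight checks, the choice of RequirePlatformSecurityFeatures = 1 (Secure Boot only, so the setting does not itself fail on machines without DMA protection), and the -WhatIf handling are this example's own assumptions. The Group Policy route in step 3 configures the same features; this script takes the direct registry route of step 2.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): apply the VBS / System Guard
# configuration from steps 2-4 after a preflight of the firmware features in step 5.
# Registry paths and value names follow Microsoft's Secure Launch documentation;
# the preflight checks and defaults below are this script's own assumptions.
[CmdletBinding(SupportsShouldProcess)]
param()

$dg = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
$sg = Join-Path $dg 'Scenarios\SystemGuard'

# --- Preflight: the platform features VBS and Secure Launch depend on ------------
$problems = @()
try {
    if (-not (Confirm-SecureBootUEFI)) { $problems += 'Secure Boot is turned off' }
} catch {
    # Confirm-SecureBootUEFI throws when Windows was booted in legacy BIOS/CSM mode.
    $problems += 'System booted in legacy BIOS/CSM mode (no UEFI Secure Boot)'
}
$tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
if (-not $tpm) {
    $problems += 'No TPM is visible to Windows (disabled in firmware or absent)'
} elseif ($tpm.SpecVersion -notmatch '^2\.0') {
    $problems += "TPM spec version is '$($tpm.SpecVersion)', not 2.0"
}
# Note: once a hypervisor is already running, this flag can read False even though
# VT-x/AMD-V is enabled; it is only meaningful while VBS is not yet running.
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
if (-not $cpu.VirtualizationFirmwareEnabled) {
    $problems += 'Hardware virtualization (VT-x / AMD-V) appears disabled in firmware'
}
if ($problems) {
    Write-Warning ("Fix these in BIOS/UEFI first, otherwise VBS will stay 'Enabled but not running':`n - " +
                   ($problems -join "`n - "))
}

# --- Step 2: the documented registry configuration -------------------------------
foreach ($key in @($dg, $sg)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}
$settings = @(
    @{ Path = $dg; Name = 'EnableVirtualizationBasedSecurity'; Value = 1 },
    # 1 = require Secure Boot; 3 = Secure Boot plus DMA protection (needs an IOMMU).
    @{ Path = $dg; Name = 'RequirePlatformSecurityFeatures';   Value = 1 },
    # Turns on System Guard Secure Launch (the "Secure Launch Configuration" policy).
    @{ Path = $sg; Name = 'Enabled';                           Value = 1 }
)
foreach ($s in $settings) {
    if ($PSCmdlet.ShouldProcess("$($s.Path)\$($s.Name)", "set DWORD = $($s.Value)")) {
        New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType DWord -Value $s.Value -Force | Out-Null
    }
}

# --- Step 4: make sure the Hyper-V hypervisor is launched at boot ----------------
if ($PSCmdlet.ShouldProcess('Boot Configuration Data', 'hypervisorlaunchtype auto')) {
    bcdedit /set hypervisorlaunchtype auto | Out-Null
}
Write-Host 'Configuration written. Reboot, then re-check System Information (msinfo32).'
```

Run it once with -WhatIf to see which registry values and BCD entries it would change, then without. The preflight only warns; it deliberately does not refuse to write the configuration, because the registry values are harmless on an unsupported platform (the feature simply stays "Enabled but not running") and you may be fixing the firmware settings in the same maintenance window.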

Case Study: Dell PowerEdge with Windows Server 2022 Core

Users running Windows Server 2022 Core on Dell PowerEdge servers have reported the "Enabled but not running" issue. Despite proper BIOS configuration, a platform that does not expose Dynamic Root of Trust for Measurement (DRTM) support, or runs outdated firmware, cannot perform a Secure Launch: VBS itself may be configured, but System Guard never starts. It's advisable to:

  • Verify your specific PowerEdge model against Dell’s Secured-core compatibility listings.
  • Apply all recommended BIOS and firmware updates.
  • If issues persist, consult Microsoft's hardware compatibility program or consider alternative hardware solutions.

Disabling System Guard: Considerations

Disabling System Guard is generally not recommended due to the security risks involved. However, if necessary:

  1. Open the Local Group Policy Editor (INLINECODE17 ).
  2. Navigate to INLINECODE18 .
  3. Set the policy to INLINECODE19 .
  4. Restart your system.

Be aware that setting the "Turn On Virtualization Based Security" policy to Disabled turns off every VBS-based service on the machine, including Credential Guard and Hypervisor-protected Code Integrity, not just System Guard. To disable Secure Launch alone, set only the "Secure Launch Configuration" option to Disabled (or the SystemGuard registry value from step 2 to 0) and leave the rest of the policy enabled. If the configuration was deployed with a UEFI lock, a policy or registry change is not enough on its own; the lock has to be cleared with Microsoft's documented procedure, which requires someone at the console to confirm the change during the reboot.

Verifying System Guard Status

To confirm System Guard is active:

  1. Press INLINECODE20 , type INLINECODE21 , and press Enter to open System Information.
  2. Under "System Summary," check "Virtualization-based security" (it should read "Running") and "Virtualization-based security Services Running." System Guard appears in that list as "Secure Launch"; Credential Guard and Hypervisor enforced Code Integrity are listed alongside it when they are running. If a service appears under "Services Configured" but not under "Services Running," it is the configured-but-inactive state this article is about.

The same information is available programmatically from the Win32_DeviceGuard CIM class (namespace root\Microsoft\Windows\DeviceGuard), whose SecurityServicesRunning and VirtualizationBasedSecurityStatus properties carry the values that System Information displays, and whose RequiredSecurityProperties and AvailableSecurityProperties properties show which platform features the configuration demands and which the firmware actually provides.
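The script below is an added example for the verification step above and for the diagnosis in "Diagnosing 'Enabled but Not Running' Status"; it is not code from the original article or from Microsoft. It reads Win32_DeviceGuard and decodes the numeric codes into names, then explains an "Enabled but not running" result by comparing the platform properties the configuration requires with the ones the firmware reports as available. The code-to-name tables are the values Microsoft documents for this class; the property names used (VbsStatus, MissingRequired, SecureLaunchRunning) and the wording of the diagnostics are this example's own.

```powershell
# Added example (not from the original article): decode Win32_DeviceGuard so that
# "Enabled but not running" is explained rather than merely reported.
# The code tables are Microsoft's documented values for this class; the report
# field names and the diagnostic text are this script's own choices.

$services = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-enforced Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'Kernel-mode Hardware-enforced Stack Protection'
    6 = 'Kernel-mode Hardware-enforced Stack Protection (audit mode)'
    7 = 'Hypervisor-Enforced Paging Translation'
}
$properties = @{
    1 = 'Base virtualization support'
    2 = 'Secure Boot'
    3 = 'DMA protection (IOMMU)'
    4 = 'Secure memory overwrite'
    5 = 'UEFI code read-only'
    6 = 'SMM security mitigations 1.0'
    7 = 'Mode-based execution control'
    8 = 'APIC virtualization'
}
$vbsStatus = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

function Get-SystemGuardReport {
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    # The CIM properties are UInt32 arrays; cast to [int] so hashtable lookups match.
    $report = [ordered]@{
        VbsStatus  = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
        Configured = @($dg.SecurityServicesConfigured  | ForEach-Object { $services[[int]$_] })
        Running    = @($dg.SecurityServicesRunning     | ForEach-Object { $services[[int]$_] })
        Required   = @($dg.RequiredSecurityProperties  | ForEach-Object { $properties[[int]$_] })
        Available  = @($dg.AvailableSecurityProperties | ForEach-Object { $properties[[int]$_] })
    }
    # A required platform property that the firmware does not offer is the usual
    # reason VBS reports "Enabled but not running".
    $report.MissingRequired = @($dg.RequiredSecurityProperties |
        Where-Object { $_ -notin $dg.AvailableSecurityProperties } |
        ForEach-Object { $properties[[int]$_] })
    $report.SecureLaunchRunning = [bool]($dg.SecurityServicesRunning -contains 3)
    [pscustomobject]$report
}

$r = Get-SystemGuardReport
$r | Format-List

if ($r.VbsStatus -eq 'Enabled but not running') {
    if ($r.MissingRequired) {
        Write-Warning ("VBS is configured but the platform lacks: " + ($r.MissingRequired -join ', ') +
                       ". Enable these in BIOS/UEFI (step 5) or lower RequirePlatformSecurityFeatures.")
    } else {
        Write-Warning ("Platform properties are satisfied; check that 'bcdedit /enum' shows " +
                       "hypervisorlaunchtype Auto (step 4) and reboot.")
    }
}
if (($r.Configured -contains 'System Guard Secure Launch') -and -not $r.SecureLaunchRunning) {
    Write-Warning ("Secure Launch is configured but not running: confirm DRTM (Intel TXT / AMD SKINIT) " +
                   "is enabled in firmware and the CPU is on the supported list (step 1).")
}
```

Run it in an elevated PowerShell before and after each change from the sections above. The MissingRequired list is the single most useful field: "Secure Boot" there means step 5 was not completed, while "DMA protection (IOMMU)" means either VT-d/AMD-Vi is off or the configuration asked for DMA protection (RequirePlatformSecurityFeatures = 3) on hardware that cannot provide it.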

Security Implications

An inactive System Guard increases susceptibility to:

  • Bootkits and Rootkits: Malicious code that loads before or beneath the OS, which traditional antivirus running inside Windows cannot see; without Secure Launch, nothing re-measures the boot chain after the firmware hands off.
  • Credential Theft: Without a running VBS, Credential Guard cannot isolate the secrets held by LSASS, so an attacker with kernel privileges can read domain credentials from memory and use them for lateral movement.
  • Kernel Vulnerabilities: Without the hypervisor-enforced isolation that VBS provides, a kernel exploit gives the attacker unrestricted access to kernel memory, code integrity policy, and the secrets VBS would otherwise keep out of reach.

Ensuring System Guard is active is crucial for maintaining a secure computing environment.

Conclusion

Addressing the "Enabled but not running" status in Windows Defender System Guard involves verifying hardware compatibility, configuring system settings appropriately, and ensuring all necessary features are enabled. By following the outlined steps, users can enhance their system's boot security and protect against advanced threats targeting the startup process.

Note: Always back up your system before making significant changes to system settings or the registry.