This topic explains how to configure System Guard Secure Launch and System Management Mode (SMM) protection to improve the startup security of Windows 10 devices. The information below is presented from a client perspective.
How to enable System Guard Secure Launch
You can enable System Guard Secure Launch by using any of these options:
Mobile Device Management
System Guard Secure Launch can be configured through Mobile Device Management (MDM) by using the DeviceGuard policies in the Policy CSP, specifically DeviceGuard/ConfigureSystemGuardLaunch.
Group Policy
- Click Start > type and then click Edit group policy.
- Click Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security > Secure Launch Configuration.
Windows Security Center
Click Start > Settings > Update & Security > Windows Security > Open Windows Security > Device security > Core isolation > Firmware protection.
Registry
- Open Registry editor.
- Click HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Control > DeviceGuard > Scenarios.
- Right-click Scenarios > New > Key and name the new key SystemGuard.
- Right-click SystemGuard > New > DWORD (32-bit) Value and name the new DWORD Enabled.
- Double-click Enabled, change the value to 1, and click OK.
How to verify System Guard Secure Launch is configured and running
To verify that Secure Launch is running, use System Information (MSInfo32). Click Start, search for System Information, and look under Virtualization-based Security Services Running and Virtualization-based Security Services Configured. Secure Launch should be listed under both; if it appears only under Configured, the setting has been applied but the system has not yet booted with Secure Launch (a reboot is required) or the platform does not meet the requirements listed below.
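The registry steps and the MSInfo32 check above can be scripted. The following PowerShell is an added example and is not code from the original page or from Microsoft: it writes the same `SystemGuard\Enabled` value described under Registry and then reads the VBS service lists back through the `Win32_DeviceGuard` WMI class, which is the data MSInfo32 displays. The function names are this example's own; it assumes Windows 10 with virtualization-based security available and must run from an elevated PowerShell session.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original page): enable System Guard Secure
# Launch via the registry key documented above, then verify through
# Win32_DeviceGuard. Function names are hypothetical, not Windows cmdlets.

$SystemGuardKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard\Scenarios\SystemGuard'

function Enable-SystemGuardSecureLaunch {
    # Same effect as the manual Registry Editor steps: create the
    # Scenarios\SystemGuard key and set the DWORD "Enabled" to 1.
    # -Force makes both calls idempotent (missing parents are created,
    # an existing value is overwritten).
    $null = New-Item -Path $SystemGuardKey -Force
    $null = New-ItemProperty -Path $SystemGuardKey -Name 'Enabled' `
        -PropertyType DWord -Value 1 -Force
    # Return the value that was written so the caller can confirm it.
    (Get-ItemProperty -Path $SystemGuardKey -Name 'Enabled').Enabled
}

function Get-SystemGuardStatus {
    # Win32_DeviceGuard exposes the "Configured" and "Running" service lists
    # that MSInfo32 shows. Service IDs in those lists: 1 = Credential Guard,
    # 2 = HVCI, 3 = System Guard Secure Launch, 4 = SMM Firmware Measurement.
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled, 2 = running.
    $dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard'

    $configured = @($dg.SecurityServicesConfigured)
    $running    = @($dg.SecurityServicesRunning)

    [pscustomobject]@{
        VbsRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
        SecureLaunchConfigured = ($configured -contains 3)
        SecureLaunchRunning    = ($running -contains 3)
        SmmMeasurementRunning  = ($running -contains 4)
        # Platform capabilities VBS found vs. what the configured services need;
        # a gap between these two lists is the usual reason a service is
        # configured but never starts.
        AvailableProperties    = @($dg.AvailableSecurityProperties)
        RequiredProperties     = @($dg.RequiredSecurityProperties)
    }
}

# Usage: enable, then check. "Running" only changes after a reboot, so the
# first check right after enabling is expected to show Configured only.
Enable-SystemGuardSecureLaunch | Out-Null
$status = Get-SystemGuardStatus
$status | Format-List

if ($status.SecureLaunchConfigured -and -not $status.SecureLaunchRunning) {
    Write-Warning ('Secure Launch is configured but not running. Reboot and ' +
        're-check; if it still does not start, compare RequiredProperties ' +
        'against AvailableProperties and the platform requirements below.')
}
```

Run this once, reboot, then call `Get-SystemGuardStatus` again; `SecureLaunchRunning` should be `True` and `VbsRunning` should also be `True`, since Secure Launch depends on the hypervisor being up. Note that a value set directly in the registry can be superseded by the Group Policy or MDM setting if either is configured on the device.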
Note

To enable System Guard Secure Launch, the platform must meet all the baseline requirements for Device Guard, Credential Guard, and Virtualization Based Security.
System requirements for System Guard
| For Intel® vPro™ processors starting with Intel® Coffeelake, Whiskeylake, or later silicon | Description |
|---|---|
| 64-bit CPU | A 64-bit computer with a minimum of 4 cores (logical processors) is required for the hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see Hyper-V on Windows Server 2016 or Introduction to Hyper-V on Windows 10. For more info about the hypervisor, see Hypervisor Specifications. |
| Trusted Platform Module (TPM) 2.0 | Platforms must support a discrete TPM 2.0. Integrated/firmware TPMs are not supported. |
| Windows DMA Protection | Platforms must meet the Windows DMA Protection Specification (all external DMA ports must be off by default until the OS explicitly powers them). |
| SMM communication buffers | All SMM communication buffers must be implemented in EfiRuntimeServicesData, EfiRuntimeServicesCode, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
| SMM Page Tables | Must NOT contain any mappings to EfiConventionalMemory (e.g. no OS/VMM-owned memory). Must NOT contain any mappings to code sections within EfiRuntimeServicesCode. Must NOT have execute and write permissions for the same page. Must allow ONLY TSEG pages to be marked executable, and the memory map must report TSEG as EfiReservedMemoryType. The BIOS SMI handler must be implemented such that SMM page tables are locked on every SMM entry. |
| Modern/Connected Standby | Platforms must support Modern/Connected Standby. |
| TPM AUX Index | Platform must set up an AUX index with index, attributes, and policy that exactly correspond to the AUX index specified in the TXT DG, with a data size of exactly 104 bytes (for SHA256 AUX data; NameAlg = SHA256). Platforms must set up a PS (Platform Supplier) index with: |
| AUX Policy | The required AUX policy must be as follows: |
| TPM NV Index | Platform firmware must set up a TPM NV index for use by the OS with: |
| Platform firmware | Platform firmware must carry all code required to execute an Intel® Trusted Execution Technology secure launch: |
| Platform firmware update | System firmware is recommended to be updated via UpdateCapsule in Windows Update. |
| For Qualcomm® processors with SD850 or later chipsets | Description |
|---|---|
| Monitor Mode Communication | All Monitor Mode communication buffers must be implemented in either EfiRuntimeServicesData (recommended), data sections of EfiRuntimeServicesCode as described by the Memory Attributes Table, EfiACPIMemoryNVS, or EfiReservedMemoryType memory types. |
| Monitor Mode Page Tables | All Monitor Mode page tables must: |
| Modern/Connected Standby | Platforms must support Modern/Connected Standby. |
| Platform firmware | Platform firmware must carry all code required to perform a launch. |
| Platform firmware update | System firmware is recommended to be updated via UpdateCapsule in Windows Update. |