Windows 11 - Enable "Firmware Protection" by InTune or otherwise
January 05, 2024
Windows 11 - Firmware Protection setting is not simply a setting
Most of these can be turned on using fairly obvious means. However, if you find yourself staring at a screen like this, you may not be alone:
Seeing the warning "Firmware Protection is off. Your device may be vulnerable" is something you probably would like to fix. And you may come across a lot of threads on various forums explaining the InTune or Group Policies associated with this. You may find yourself helpfully looking through a series of Reddit threads with people asserting it’s easy, only to find you just can’t make the setting stick.
A good first place to look is msinfo32, where you may see Secure Launch is Configured but not Running. It’s not that you haven’t figured out how to use InTune properly to enable Firmware Protection (known as System Guard). Microsoft does note that older CPUs don’t support the feature, but I know mine does; it’s clearly in the spec sheet:
Windows 11’s feature requires TXT support in your BIOS
I’m sitting on a business class, HP Elitebook only a few months old, but it turns out this issue is because the Intel Trusted Execution Technology (TXT) feature, which ships with the CPU, isn’t supported by the BIOS. You’ll see this here, with an event log I cannot find a reference to anywhere online.
I have no knowledge of whether this persists across other vendors, but threads complaining no one can set up InTune right for this feature are common. As far as I can see, InTune only keeps coming up because people working on new baselines for Windows 11 are probably using InTune.
The manual for this model of laptop actually describes a BIOS setting to enable the TXT feature - but with the latest BIOS it simply isn’t there. I’ve had a case open for a while and it appears to be acknowledged, and I’ll update this blog as information becomes available.
HP have followed up on my ticket and basically said “yep, we only ship that feature in very specific models”, kindly revert.
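The "Configured but not Running" state that msinfo32 shows can also be read from the Win32_DeviceGuard CIM class, which is handy when checking more than one machine. The script below is an added example, not part of the original post: the function name Get-SecureLaunchState and its output property names are hypothetical, and the sample object is constructed to mirror the situation described above.

```powershell
# Added example, not from the original post.
# In Win32_DeviceGuard, service ID 3 in SecurityServicesConfigured / SecurityServicesRunning
# is System Guard Secure Launch (shown in Windows Security as "Firmware Protection").
$SecureLaunchId = 3
$VbsStatusText  = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

function Get-SecureLaunchState {   # hypothetical helper name
    param(
        # A Win32_DeviceGuard instance, or any object exposing the same properties
        [Parameter(Mandatory)] $DeviceGuard
    )
    $configured = @($DeviceGuard.SecurityServicesConfigured) -contains $SecureLaunchId
    $running    = @($DeviceGuard.SecurityServicesRunning)    -contains $SecureLaunchId

    # 'ConfiguredNotRunning' is the case described in the post
    $state = if ($running) { 'Running' } elseif ($configured) { 'ConfiguredNotRunning' } else { 'NotConfigured' }

    [pscustomobject]@{
        SecureLaunch       = $state
        VbsStatus          = $VbsStatusText[[int]$DeviceGuard.VirtualizationBasedSecurityStatus]
        # In the post this state traced back to missing TXT support in the BIOS,
        # so re-pushing the policy is not the next step; checking the firmware is.
        NeedsFirmwareCheck = ($state -eq 'ConfiguredNotRunning')
    }
}

# Constructed sample mirroring the post: policy applied (3 configured), Secure Launch not running
$sample = [pscustomobject]@{
    SecurityServicesConfigured        = @(2, 3)
    SecurityServicesRunning           = @(2)
    VirtualizationBasedSecurityStatus = 2
}
Get-SecureLaunchState -DeviceGuard $sample

# Live query on the local machine (Windows only)
try {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName 'Win32_DeviceGuard' -ErrorAction Stop
    Get-SecureLaunchState -DeviceGuard $dg
}
catch {
    Write-Warning "Win32_DeviceGuard could not be queried: $($_.Exception.Message)"
}
```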