23.4 (NG) Ensure 'Configure System Guard Launch' is set to 'Unmanaged Enables Secure Launch if supported by hardware'

Information

Secure Launch protects the Virtualization Based Security environment from exploited vulnerabilities in device firmware.

The recommended state for this setting is: Unmanaged Enables Secure Launch if supported by hardware

Note: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.

Secure Launch changes the way Windows boots to use Intel Trusted Execution Technology (TXT) and Runtime BIOS Resilience features to prevent firmware exploits from being able to impact the security of the Windows Virtualization Based Security environment.

Solution

To establish the recommended configuration via configuration profiles, set the following Settings Catalog path to Unmanaged Enables Secure Launch if supported by hardware :

Device Guard\Configure System Guard Launch

Impact:

Warning : All drivers on the system must be compatible with this feature or the system may crash. Ensure that this policy setting is only deployed to computers which are known to be compatible.

See Also

https://workbench.cisecurity.org/benchmarks/16852