System Guard Secure Launch is an integrated Windows security feature that protects the system by validating firmware and the hypervisor during the boot process. Even so, it cannot simply be switched on without an advanced understanding of the other Windows features and settings it depends on. This guide introduces the key requirements and primary methods for enabling or disabling System Guard Secure Launch on compatible systems.
Prerequisites and methods for managing System Guard Secure Launch settings
Before attempting to make any changes, consider these system and access requirements:
✔️ UEFI firmware with Secure Boot support is required.
✔️ TPM 2.0 must be active and enabled.
✔️ Hyper-V and Virtualization-based Security (VBS) must be supported/enabled.
✔️ Administrator privileges are required.
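The checklist above can be scripted so that a machine is tested before any policy or registry change is made. The following PowerShell pre-flight check is an added example, not part of the original article; it assumes Windows 10 1903+ or Windows 11 with the built-in SecureBoot, TrustedPlatformModule and Win32_DeviceGuard WMI interfaces available. The VBS status codes (0 = disabled, 1 = enabled but not running, 2 = running) and the "hypervisor support" value 1 in AvailableSecurityProperties follow the documented Win32_DeviceGuard encoding as I understand it.

```powershell
# Added example (not from the original article): pre-flight check for the four
# System Guard Secure Launch requirements listed above. Run from an elevated
# PowerShell session on the machine you intend to configure.
#Requires -RunAsAdministrator

function Test-SecureLaunchPrerequisites {
    $result = [ordered]@{}

    # 1. Administrator privileges: registry and Group Policy changes need elevation.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $result['Administrator'] = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. UEFI firmware with Secure Boot enabled.
    #    Confirm-SecureBootUEFI throws on legacy BIOS machines, which also fail the check.
    try   { $result['SecureBootEnabled'] = [bool](Confirm-SecureBootUEFI) }
    catch { $result['SecureBootEnabled'] = $false }

    # 3. TPM 2.0 present and ready. Get-Tpm reports presence/readiness; the spec
    #    version string (e.g. "2.0, 0, 1.59") comes from the Win32_Tpm WMI class.
    try {
        $tpm = Get-Tpm
        $tpmInfo = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                                   -ClassName Win32_Tpm -ErrorAction Stop
        $result['TpmPresentAndReady'] = [bool]($tpm.TpmPresent -and $tpm.TpmReady)
        $result['Tpm20']              = [bool]($tpmInfo.SpecVersion -like '2.0*')
    } catch {
        $result['TpmPresentAndReady'] = $false
        $result['Tpm20']              = $false
    }

    # 4. Hypervisor support and Virtualization-based Security.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    $result['HypervisorSupported'] = [bool]($dg.AvailableSecurityProperties -contains 1)
    $result['VbsStatus'] = switch ($dg.VirtualizationBasedSecurityStatus) {
        0 { 'Disabled' } 1 { 'EnabledNotRunning' } 2 { 'Running' } default { 'Unknown' }
    }

    # Overall verdict: every boolean requirement met and VBS at least enabled.
    $result['ReadyForSecureLaunch'] = (
        $result['Administrator'] -and $result['SecureBootEnabled'] -and
        $result['TpmPresentAndReady'] -and $result['Tpm20'] -and
        $result['HypervisorSupported'] -and $result['VbsStatus'] -ne 'Disabled')

    [PSCustomObject]$result
}

# Usage: print the checklist; a $false in any row is the requirement to fix first.
Test-SecureLaunchPrerequisites | Format-List
```

The function returns an object rather than printing, so the same check can be collected from many endpoints over remoting and filtered on ReadyForSecureLaunch before a Group Policy rollout.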
Method 1: Enable or Disable via Group Policy
This method is available on both Windows 10 (1903+) and Windows 11. On Windows 10, the setting may not appear unless ADMX templates are updated.
Group Policy management tools are available for Windows Pro, Enterprise, and Education editions. This GPO method is recommended for batch deployment.
- Press Win + R, type gpedit.msc, and tap OK to open Local Group Policy Editor.
- Navigate to Computer Configuration → Administrative Templates → System → Device Guard.
- Double-click Turn on Secure Launch.
- Select Enabled to enforce Secure Launch at boot or choose Disabled to disable Secure Launch. You can also leave it as Not Configured, which will follow the system default or the registry setting.
- Click Apply, then OK to confirm and exit.
- Reboot the system so the change takes effect.
ℹ️ Note: You can run the gpupdate /force command to apply the changes immediately. Check out this GPUpdate video demonstration. Otherwise, the new settings will be applied on the next interval.
When enabled, Secure Launch validates firmware and critical boot components against hardware-based measurements.
Method 2: Configure Secure Launch via Registry Editor
This method supports scripted deployments and is recommended for systems without access to GPO. It is supported on both Windows 10 and Windows 11, though Windows 11 offers better UI feedback for verification.
- Press Win + R, type regedit, and tap OK to open the Registry Editor.
- Navigate to, or copy and paste into the Registry address bar, the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard
- Modify or create the EnableSecureLaunch value. If it does not exist yet, right-click the right pane → New → DWORD (32-bit) Value and name it EnableSecureLaunch. Skip this step if the value already exists.
- Double-click the value and set the Value data to 1 to enable or 0 to disable it.
- Click OK to confirm.
⚠️Warning: Unintended changes to the Windows Registry can affect your system’s performance and stability. Learn how to back up the Registry and create a restore point before configuring the database.
PowerShell Script for Secure Launch configuration
Alternatively, you can use the following PowerShell commands to modify the same registry value.
Enable Secure Launch:
- Open PowerShell from Search and select Run as administrator.
- Use the following command to enable Secure Launch:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "EnableSecureLaunch" -Value 1
Disable Secure Launch:
- Open PowerShell from Search and select Run as administrator.
- Use the following command to disable Secure Launch:
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
    -Name "EnableSecureLaunch" -Value 0
After applying changes, restart the device. You can then open the Registry Editor and confirm that the value has been updated.
Note: Works the same on both Windows 10 and Windows 11. Use PowerShell or Registry to verify on Windows 10.
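For scripted deployments, the two one-liners above are usually wrapped so that the value is created with the right type, read back, and the result confirmed after the reboot. The following script is an added example, not the article's own code; it uses the registry path and value name given in Method 2, and it also anticipates the BitLocker consideration listed further down by optionally suspending protection for one reboot. The runtime check assumes the documented Win32_DeviceGuard encoding in which 3 in SecurityServicesRunning denotes System Guard Secure Launch.

```powershell
# Added example (not from the original article): set, verify, and later confirm
# the EnableSecureLaunch registry value described in Method 2.
#Requires -RunAsAdministrator

$RegPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'   # path from the article
$RegName = 'EnableSecureLaunch'                                    # value name from the article

function Set-SecureLaunchState {
    param(
        [Parameter(Mandatory)][ValidateSet('Enable', 'Disable')][string]$State,
        [switch]$SuspendBitLocker   # suspend protected volumes for one reboot
    )
    $desired = if ($State -eq 'Enable') { 1 } else { 0 }

    # Create the key if a fresh image lacks it.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }

    # Be explicit about REG_DWORD so the type never depends on inference.
    $existing = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        New-ItemProperty -Path $RegPath -Name $RegName -PropertyType DWord -Value $desired | Out-Null
    } else {
        Set-ItemProperty -Path $RegPath -Name $RegName -Type DWord -Value $desired
    }

    # Read back and fail loudly if the write did not land.
    $actual = Get-ItemPropertyValue -Path $RegPath -Name $RegName
    if ($actual -ne $desired) {
        throw "Expected $RegName = $desired but registry holds $actual"
    }

    # A changed boot measurement can trigger the BitLocker recovery prompt, so
    # suspend protection on encrypted volumes for exactly one reboot.
    if ($SuspendBitLocker) {
        Get-BitLockerVolume |
            Where-Object { $_.ProtectionStatus -eq 'On' } |
            ForEach-Object { Suspend-BitLocker -MountPoint $_.MountPoint -RebootCount 1 | Out-Null }
    }

    [PSCustomObject]@{ Value = $RegName; Written = $desired; ReadBack = $actual }
}

function Get-SecureLaunchRuntimeStatus {
    # Run after the reboot: the registry shows what was configured, Win32_DeviceGuard
    # shows whether the hypervisor actually started Secure Launch (service id 3).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    [PSCustomObject]@{
        ConfiguredInRegistry = Get-ItemPropertyValue -Path $RegPath -Name $RegName `
                                                     -ErrorAction SilentlyContinue
        VbsStatus            = $dg.VirtualizationBasedSecurityStatus   # 2 = running
        SecureLaunchRunning  = [bool]($dg.SecurityServicesRunning -contains 3)
    }
}

# Usage, from an elevated session:
#   Set-SecureLaunchState -State Enable -SuspendBitLocker
#   Restart-Computer
#   Get-SecureLaunchRuntimeStatus      # after the reboot
```

A registry value of 1 with SecureLaunchRunning still false after the reboot usually points at a firmware or hardware prerequisite rather than at the setting itself, which is why the post-reboot check is worth keeping in the rollout script.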
Secure Launch: Additional considerations and tips
Here are some important considerations when choosing to switch on or switch off the Secure Launch feature:
- Secure Boot must be enabled in UEFI for Secure Launch to work.
- BitLocker: Enabling Secure Launch may trigger a prompt for the recovery key on the next boot. Suspend BitLocker before making changes.
- Compatibility: Requires Intel vPro (Coffee Lake+) or AMD Zen 2+, TPM 2.0, Secure Boot, and virtualization extensions. Legacy devices may fail to boot with Secure Launch enabled.
- Hyper-V & VBS: Ensure both are enabled in firmware and Windows security settings.
In addition, Secure Launch issues often require complex troubleshooting. It’s advisable to pilot it first, verify driver compatibility, and benchmark boot times and system performance.
When to enable System Guard Secure Launch
System Guard Secure Launch adds a strong layer of protection during the system’s boot process. As a result, it can be crucial to deployment strategies in enterprise environments and key business endpoints.
Administrators can manage this feature using Group Policy, the Registry, or PowerShell to meet security compliance requirements and strengthen data protection. Just keep in mind that enabling it is not suitable for legacy devices. Additionally, IT staff must regularly verify that the feature is meeting its objectives, especially since compatibility issues may arise from time to time.