Fix System Guard Enabled But Not Running on Windows 11

Windows Security features like System Guard are crucial for keeping your PC safe from malicious attacks, especially those targeting the boot process. However, some users encounter the message “System Guard: Enabled but not running”. This can be confusing and concerning. In this guide, we’ll explain what System Guard is, and step-by-step instructions to fix it.

What Is System Guard

System Guard is part of the Windows Defender System Guard family of features that protects the integrity of your system during startup. It uses hardware-based root-of-trust and virtualization-based security (VBS) technologies to help ensure your PC boots securely and hasn’t been tampered with.

How to Fix “System Guard Enabled But Not Running”

Follow these steps in order to troubleshoot and resolve the issue.

Method 1: Check Hardware Requirements

Before troubleshooting software configurations, it’s important to ensure your hardware supports System Guard’s requirements.

• Intel: vPro CPUs from Coffee Lake (8th Gen), Whiskey Lake, or later
• AMD: Zen 2 or newer architectures (e.g., Ryzen 3000 series, EPYC 7002 series)
• Qualcomm: Snapdragon SD850 or later
• UEFI with Secure Boot enabled
• TPM 2.0
• Hardware virtualization

Method 2: Configure System Guard

Proper configuration through Registry Editor is essential to activate System Guard features.

Step 1. Open the Registry Editor

Press Win + R, type regedit, and press Enter.

Step 2. Ensure System Guard is enabled

1. Navigate to the following path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceGuard\ScenariosSy

2. Find the Enabled value in the right pane, double-click it and set the value to 1.

Method 3: Ensure Virtualization-Based Security is Enabled

System Guard relies on VBS to isolate secure operations. VBS must be active for System Guard to run.

Step 1. Open Local Group Policy Editor

Press Win + R, type gpedit.msc, and press Enter.

Step 2. Navigate to VBS Policy

Go to the following path:

Computer Configuration > Administrative Templates > System > Device Guard

Step 3. Configure VBS Settings

1. Double-click Turn On Virtualization Based Security, configure the following:

• Set the policy to Enabled.
• Select Platform Security Level: choose Secure Boot.
• Virtualization Based Protection of Code Integrity: choose Enabled with UEFI lock.
• Credential Guard Configuration: choose Enabled with UEFI lock.

2. Click Apply, then OK.

Method 4: Enable the Hypervisor

The Windows hypervisor is a foundational component for running VBS and System Guard. It can be manually enforced using BCDEdit.

Step 1. Run Command Prompt

In the search bar, type cmd, right-click Command Prompt, and select Run as administrator.

Step 2. Set Hypervisor Launch Type

1. In the command prompt, enter the following command:

bcdedit /set hypervisorlaunchtype auto

2. Reboot the system afterward.

Method 5: Enable Required BIOS/UEFI Features

Some features critical for System Guard must be enabled directly in the firmware settings.

Step 1. Enter BIOS/UEFI

Restart your computer and press the setup key (commonly F2, F10, Del, or Esc) during boot to enter BIOS.

Step 2. Enable the Following Options

• UEFI Boot Mode
• Secure Boot
• TPM 2.0 
• Intel VT-x or AMD-V

Conclusion

The “System Guard Enabled But Not Running” message usually points to a misconfigured system rather than a serious security flaw. By enabling virtualization, Secure Boot, TPM, and core isolation features, you can restore full protection to your device. Always ensure your firmware and drivers are up-to-date, and consider creating a system restore point before changing BIOS settings.