Why can't I enable Firmware Protection?

ahmedyaru159202e9

I have a 12900K CPU and an MSI PRO Z960-A motherboard, which should cover all the requirements of Firmware Protection on the latest Windows 11. For some reason I cannot enable that security feature, while everything else is working without any problem. I tried enabling it using the Local Group Policy Editor and restarting, and although it appears to be enabled there, it is still disabled on the Core Isolation page of the security settings. I tried repairing with dism and other Windows diagnostic tools, including resetting the Windows installation. I even updated all the drivers to the latest version, but that made no difference whatsoever.
 
You didn't mention the BIOS version though; make sure the BIOS is up to date.
Once you update the BIOS, with BIOS default settings, just enter BIOS and manually flip core isolation to ON.
 
I have already installed the latest BIOS version and core isolation is enabled and working in Windows. Firmware protection is not working though.
 
Can you search "tpm.msc" to open the TPM management window, take a screenshot and post it here?
 
You can see the fTPM is enabled as expected. So the cause of your problem (I assume you can't enable core isolation?) is elsewhere.
A clean Windows installation might do :shocked:
 
The OP stated (Tuesday) that Core Isolation is enabled. They are talking about something more specific after that, presumably related to Firmware Attack Surface Reduction (FASR). I have no knowledge about the OP's assumption that the Pro Z690-A motherboard supports it. However, the next thing I might try is whether MSI's Secure Boot settings that changed in 2023 are in a default Hardware/OS Compatibility Always Execute rather than something like Deny Execute for Maximum Security.
 