Enabling "Firmware Protection" (Microsoft Defender Device Guard)?

[ak47uk]

I am using the baseline but cannot get "Firmware protection" to turn on, Win - OIB - Device Security - U - Device Guard, Credential Guard and HVCI - v3.1 is assigned to all users and has successfully deployed to this user and laptop yet the feature is off in Defender. I am using a Windows 11 ISO where I have added some LAN/RAID drivers to streamline the install. Memory execution protection is enabled in the BIOS, this is a Lenovo Thinkpad T14 Gen 1.

In event viewer, DeviceGuard logs I see a lot of errors such as:

CodeIntegrity attempted to load the policy located at \SystemRoot\Boot\EFI\WinSiPolicy.p7b, but failed with status code 0x80070006
CodeIntegrity attempted to load the policy located at \Device\HarddiskVolume1\EFI\Microsoft\Boot\WinSiPolicy.p7b, but failed with status code 0x80070006
CodeIntegrity attempted to load the policy located at \SystemRoot\System32\CodeIntegrity\CiPolicies\Active\{4758RD74-VRE6-0S13-S50W-X40G1R69937E}.cip, but failed with status code 0x800711C7

Is firmware protection working for anyone else? I tried an Intel and AMD model of Thinkpad.

[xenadmin]

Mine is also set to off, and I also don't know why it is that way:

[ak47uk]

After a lot of research and testing, I believe the issue with this was that Intel TXT is only present on vPro CPUs.

I am not sure what is required of AMD CPUs, my Ryzen 7 Pro 6850U has Firmware Protection on.

[SkipToTheEndpoint]

Yeah, the SC setting is configured to "Configure System Guard Launch - Unmanaged Enables Secure Launch if supported by hardware.".

So I guess it's very hardware-specific. If it helps my main laptop, a Dell XPS 15 9520 which has a 12th Gen 19-12900HK doesn't want to enable it, I guess (as you mention) due to lack of VPro:
https://learn.microsoft.com/en-gb/windows/security/hardware-security/how-hardware-based-root-of-trust-helps-protect-windows#system-requirements-for-system-guard