System guard
This topic is an overview of System guard.
The System Guard feature takes a snapshot of the hardware component inventory as trusted reference, then monitors for any deviation from the reference snapshot. When deviation occurs, it can report an event to the user, optionally, can also prevent the server from booting into the OS and prompt the user for response.
User can take a snapshot at any time even while the feature is disabled. The generation of snapshot takes around one minute. User can select a subset of hardware components to enforce, and select a corresponding action to take when deviation is detected.
During AC restore followed by first power on, XCC may not notify UEFI to prevent OS boot if the following conditions are met:
System Guard enabled with:
CPU or DIMM hardware selected
'Prevent OS booting' option on
A hardware configuration change that doesn't match trusted snapshot
The XCC will report a configuration mismatch after POST, and this limitation will not persist in subsequent OS reboot.