Skip to main content

System guard

This topic is an overview of System guard.

The System Guard feature takes a snapshot of the hardware component inventory as trusted reference, then monitors for any deviation from the reference snapshot. When deviation occurs, it can report an event to the user, optionally, can also prevent the server from booting into the OS and prompt the user for response.

User can take a snapshot at any time even while the feature is disabled. The generation of snapshot takes around one minute. User can select a subset of hardware components to enforce, and select a corresponding action to take when deviation is detected.

Deviation detection is executed at server power on (POST) or system reboot. For example, while the OS is still running, if a disk drive is being pulled out and then plugged back in a moment later, System Guard is not going to record the event or take any action. If the pulled out disk drive remains absent until next reboot, then System Guard would get in action.

During AC restore followed by first power on, XCC may not notify UEFI to prevent OS boot if the following conditions are met:

  • System Guard enabled with:

    • CPU or DIMM hardware selected

    • 'Prevent OS booting' option on

  • A hardware configuration change that doesn't match trusted snapshot

The XCC will report a configuration mismatch after POST, and this limitation will not persist in subsequent OS reboot.