How to Enable Control Flow Guard for Windows Subsystem for Android

If you're a Windows 11 user who loves to play around with advanced features like the Windows Subsystem for Android™ (WSA), the clock is ticking. As of March 5, 2025, Microsoft will officially remove Windows Subsystem for Android and the Amazon Appstore from the Microsoft Store. However, until then, you can use WSA to run Android apps directly on your Windows device. But there's a catch: Control Flow Guard (CFG) needs to be enabled on your system.
So, what is this Control Flow Guard? Why is it important to have it turned on, and how can you enable it today to ensure your system is ready to roll? Let’s unpack everything you need to know and then some.

What Is Control Flow Guard (CFG)?

Think of Control Flow Guard (CFG) as a ruthless security guard for your Windows operating system. CFG is a built-in security feature designed to protect your computer against memory corruption vulnerabilities and exploit attacks. Sounds fancy, but what it really does is prevent applications from executing unapproved or malicious code paths in memory. It’s like training your computer to recognize safe behavior while throwing the suspicious stuff out the window.
Here's the technical bit for the curious: CFG achieves this by ensuring that indirect calls (calls through function pointers) only go to pre-authorized, valid locations. If an attacker tries to seize control of your process by tricking it into executing malicious memory locations, CFG steps in and shuts it down. Neat, right?

Why Do You Need CFG for Windows Subsystem for Android (WSA)?

Windows Subsystem for Android enables you to run Android apps natively on Windows 11. It acts as a middle layer, essentially emulating Android so that apps think they're happily running on an Android device instead of a PC. When running a subsystem designed to handle apps formerly outside the Windows ecosystem, security becomes non-negotiable.
Since Android apps differ in their design from Windows apps, Microsoft asks you to enable CFG to safeguard your system. Android apps interacting with Windows might expose your system to specific vulnerabilities that CFG is designed to address. Without CFG, these apps could potentially misuse memory, execute rogue code, or bypass normal security measures.

Step-by-Step Guide: Enabling Control Flow Guard

Alright, now that we’ve convinced you of the virtues of CFG, here’s how you can enable it on your system. Don’t worry—this isn’t as technical as it might sound!
  • Open Windows Security:
      • In the search box on the taskbar, type Windows Security, then select it from the search results.
  • Navigate to Exploit Protection:
      • Once inside Windows Security, click on App & browser control.
      • Under Exploit protection, click on Exploit protection settings.
  • Enable Control Flow Guard (CFG):
      • In the settings menu, locate the Control flow guard (CFG) option.
      • Expand the menu, select the option called Use default (On), and ensure it’s toggled on.
  • Restart Your Computer:
      • Restarting is essential to apply the new settings. So don’t skip this step—get your system rebooted!

Voilà! CFG is now on.
Pro Tip: If you’re unsure which version of Windows you’re running, simply press Windows Key + R, type winver, and hit Enter. The details will be displayed. Make sure you have build 25266 or earlier for these instructions to apply.
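
The same check and change can be scripted from an elevated PowerShell prompt. This is an added example, not part of the original post or of Microsoft's instructions; it uses the built-in Get-ProcessMitigation and Set-ProcessMitigation cmdlets, and the function names Get-SystemCfgState and Enable-SystemCfg are hypothetical names chosen for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: audit the system-wide Control Flow Guard setting and
# turn it back on only if it has been explicitly switched off.

function Get-SystemCfgState {
    # Returns the system-level CFG setting as a string: ON, OFF or NOTSET.
    # NOTSET means no override is stored, so the Windows default applies,
    # which the Exploit protection page displays as "Use default (On)".
    $system = Get-ProcessMitigation -System
    return [string]$system.CFG.Enable
}

function Enable-SystemCfg {
    # Hypothetical helper: records the state before and after so the
    # change can be verified instead of assumed.
    $before = Get-SystemCfgState

    if ($before -eq 'OFF') {
        # Only an explicit OFF needs correcting; ON and NOTSET already
        # leave CFG active at the system level.
        Set-ProcessMitigation -System -Enable CFG
    }

    $after = Get-SystemCfgState
    $changed = ($before -ne $after)

    [pscustomobject]@{
        Before         = $before
        After          = $after
        Changed        = $changed
        # As in the manual steps above, a changed system-level setting
        # needs a restart before it applies.
        RebootRequired = $changed
        CfgActive      = ($after -ne 'OFF')
    }
}

# Run the audit and print the result as a table.
Enable-SystemCfg | Format-List
```

If the output shows Changed as True, restart the computer before launching WSA.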

Why Is CFG a Must-Have for Everyone?

Even if you're not planning to run the Windows Subsystem for Android, enabling CFG is still a no-brainer. It works behind the scenes to protect you from numerous attack vectors, many of which you might not even know exist. Here are some other benefits of having CFG turned on:
  • Prevention of Code Injection Attacks: CFG can stop attackers from injecting malicious payloads into processes.
  • Enhanced Memory Safety: It reduces the chance of vulnerabilities caused by memory corruption, an all-too-common issue in exploit attacks.
  • Peace of Mind For Developers: Developers can have confidence that their apps are safeguarded against certain classes of threats during runtime.

Implications of Losing WSA in 2025

A quick note on the elephant in the room: Why is Microsoft discontinuing WSA? Although specific reasons haven’t been provided, Microsoft might want to refocus resources or pivot toward other app solutions. Whatever the case, March 5, 2025, isn’t far off, so take advantage of WSA and Amazon Appstore integration while you still can.
For developers or tech enthusiasts looking to experiment with Android apps in Windows, now’s the time. With Control Flow Guard ready to defend your system, there’s also no excuse not to play safely with this tech while it lasts.

Final Words: Don’t Sleep on Security

Whether you’re a casual user hoping to run Android apps or a power user dabbling in boundary-pushing features, security matters. Control Flow Guard is one of those quiet heroes in Windows that most people don’t even know exists but is hard at work making your system safer.
Got questions or stuck on enabling CFG? Whether you're a beginner embarking on your first tweak or a long-time Windows tinkerer, let’s discuss it in the comments below. Who knows—your question might just help someone else!
Ready to enable CFG and try out WSA? Go for it, and let us know how it works for you.

Source: Microsoft Support Turn on Control flow guard on your computer - Microsoft Support
 
