windows-itpro-docs/windows/security/hardware.md

title, description, ms.reviewer, manager, ms.author, author, ms.collection, ms.prod, ms.technology

title	description	ms.reviewer	manager	ms.author	author	ms.collection	ms.prod	ms.technology
Windows hardware security	Get an overview of hardware security in Windows 11 and Windows 10		aaroncz	vinpa	vinaypamnani-msft	M365-security-compliance	windows-client	itpro-security

Windows hardware security

Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data, and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information. These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware.

Security Measures	Features & Capabilities
Trusted Platform Module (TPM)	A Trusted Platform Module (TPM) is designed to provide hardware-based security-related functions and help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users. A TPM chip is a secure crypto-processor that helps with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant and prevent malicious software from tampering with the security functions of the TPM. Learn more about the Trusted Platform Module.
Hardware-based root of trust with Windows Defender System Guard	To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy. Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation. Learn more about How a hardware-based root of trust helps protect Windows and System Guard Secure Launch and SMM protection.
Enable virtualization-based protection of code integrity	Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity. HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system. Learn more: Enable virtualization-based protection of code integrity.
Kernel Direct Memory Access (DMA) Protection	PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC. Learn more about Kernel DMA Protection.
Secured-core PCs	Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data. Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data. Learn more about Secured-core PCs.