Windows 11 provides chip-to-cloud security, giving IT administrators the attestation data and boot
measurements needed to determine whether a device meets policy and can be trusted. Windows 11 also works
out of the box with Microsoft Intune and Azure Active Directory, so access decisions and enforcement based
on that device health data are seamless.
Windows Secured-Core Benefits
Windows Secured-Core PCs provide several primary benefits to organizations and users. The most
important is that the protections are turned on by default, so users know their device is protected
right out of the box. In addition, Secured-Core PCs deliver three core pillars of protection:
Protecting identities from external threats
Passwords alone are not enough to protect system data and identities. Secured-core PCs help ensure that
user identities and credentials are protected against theft, compromise, and phishing attacks.
People reuse the same password across services and are more exposed than ever, so Microsoft partnered
with OEMs to improve identity security at the hardware level.
Windows Hello resists phishing and credential-replay attacks by combining biometric sensors with
hardware-backed credential storage: the private key that authenticates the user is created and held in the
device's TPM and never leaves it, so there is no reusable secret for a phishing page to capture. Using your
face, fingerprint, a FIDO2 security key, or a PIN, Windows Hello lets you sign in without a password and
gives you the fastest, most secure way to unlock your Secured-core PC.
Windows Defender Credential Guard, an optional feature that can be enabled, uses Virtualization-Based
Security (VBS) to defeat credential-theft techniques such as Pass-the-Hash and Pass-the-Ticket. It
isolates secrets in a separate, hypervisor-protected environment so that only privileged system software
can access them. When the domain credentials held by Credential Manager, NTLM password hashes, and
Kerberos-derived credentials (including ticket-granting tickets) are protected this way, the
credential-dumping tools used in many targeted attacks can no longer read them out of LSASS process
memory. Note the scope: Credential Guard does not protect local account credentials, and it cannot stop
an attacker who captures a password as it is typed; what it removes is the stored secret material that
post-exploitation tooling depends on.
Secured-core PCs are built on the principles of assume breach and defense in depth. These devices ship
with virtualization-based security (VBS) turned on by default, so even if an attacker gains administrative
privileges through malware, authentication secrets remain in an isolated environment the attacker cannot
read. Using Windows Hello with biometrics requires specialized hardware, such as a fingerprint reader, an
illuminated IR camera, or another supported biometric sensor. Hardware-based protection of the Windows
Hello credentials and keys requires TPM 2.0 or later.
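The protections described above (VBS, Credential Guard, the TPM 2.0 that anchors Windows Hello keys) can be verified on an individual machine rather than assumed. The following PowerShell script is an added example written for this page; it is not Microsoft's code and not part of the original text. It reads the documented Win32_DeviceGuard and Win32_Tpm WMI classes, the LsaCfgFlags registry value, and Confirm-SecureBootUEFI, and reports which services are actually running (including HVCI, which the same WMI class exposes). The function name Get-SecuredCoreIdentityPosture and the code-to-name tables are this example's own; run it from an elevated PowerShell prompt on Windows 11.

```powershell
# Added example (not from the original page): report the hardware-backed identity
# protections on the local Windows 11 machine. Run from an elevated prompt.
# Documented interfaces used:
#   Win32_DeviceGuard  (root\Microsoft\Windows\DeviceGuard)
#   Win32_Tpm          (root\cimv2\Security\MicrosoftTpm)
#   Confirm-SecureBootUEFI
#   HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LsaCfgFlags
# Service codes follow Microsoft's documentation for SecurityServicesRunning;
# the human-readable names in this table are this example's own.
$serviceNames = @{
    1 = 'Credential Guard'
    2 = 'Hypervisor-Enforced Code Integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
    5 = 'Kernel-mode Hardware-enforced Stack Protection'
    6 = 'Hypervisor-Enforced Paging Translation'
}
$vbsStatusNames = @{ 0 = 'Not enabled'; 1 = 'Enabled but not running'; 2 = 'Running' }

function Convert-ServiceCodes([int[]]$codes) {
    # Map numeric service codes to names; unknown codes are reported, not dropped.
    foreach ($code in $codes) {
        if ($serviceNames.ContainsKey($code)) { $serviceNames[$code] }
        else { "Unknown service code $code" }
    }
}

function Get-SecuredCoreIdentityPosture {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction Stop

    $vbsCode = [int]$dg.VirtualizationBasedSecurityStatus
    $vbs = if ($vbsStatusNames.ContainsKey($vbsCode)) { $vbsStatusNames[$vbsCode] }
           else { "Unknown status $vbsCode" }

    # Credential Guard policy: 1 = enabled with UEFI lock, 2 = enabled without lock.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -Name LsaCfgFlags -ErrorAction SilentlyContinue
    $flags = if ($lsa) { [int]$lsa.LsaCfgFlags } else { 0 }
    $cgPolicy = switch ($flags) {
        1       { 'Enabled (UEFI lock)' }
        2       { 'Enabled (no UEFI lock)' }
        default { 'Not configured' }
    }

    # Windows Hello key protection needs a TPM 2.0; SpecVersion looks like "2.0, 0, 1.38".
    $tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmSpec = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'No TPM' }

    # Confirm-SecureBootUEFI throws on legacy BIOS machines; treat that as "off".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { }

    [pscustomobject]@{
        VbsStatus              = $vbs
        ServicesConfigured     = (Convert-ServiceCodes $dg.SecurityServicesConfigured) -join '; '
        ServicesRunning        = (Convert-ServiceCodes $dg.SecurityServicesRunning) -join '; '
        CredentialGuardPolicy  = $cgPolicy
        CredentialGuardRunning = [bool]($dg.SecurityServicesRunning -contains 1)
        HvciRunning            = [bool]($dg.SecurityServicesRunning -contains 2)
        TpmSpecVersion         = $tpmSpec
        SecureBootEnabled      = $secureBoot
    }
}

$posture = Get-SecuredCoreIdentityPosture
$posture | Format-List

# The gaps an attacker with admin rights would look for: Credential Guard configured
# but not running (VBS off, or a reboot still pending), or no TPM 2.0 for Hello keys.
if (-not $posture.CredentialGuardRunning) {
    Write-Warning 'Credential Guard is not running: NTLM hashes and Kerberos tickets in LSASS are readable by an administrator-level attacker.'
}
if ($posture.TpmSpecVersion -notmatch '^2\.') {
    Write-Warning 'No TPM 2.0 reported: Windows Hello keys cannot be hardware-protected on this device.'
}
```

The distinction between ServicesConfigured and ServicesRunning matters: a device can carry the policy (LsaCfgFlags set, service code present in the configured list) while VBS never actually started, for example because the hypervisor is unavailable, and only the running list proves that LSASS secrets are isolated.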
Securing the operating system from malware
Along with keeping the trusted computing base small by establishing a hardware root of trust, Secured-
core PCs help ensure that code running within that trusted computing base keeps its integrity and is far
harder to subvert through outside exploit or attack.
Secured-core PCs use policies enforced by Hypervisor-Enforced Code Integrity (HVCI) to verify system
software before it is allowed to execute, starting only code that is signed by known, approved authorities
(a signature proves origin, not absence of bugs, which is why Microsoft's vulnerable driver blocklist is
applied alongside HVCI). HVCI runs inside the isolated environment created by Virtualization-Based
Security (VBS), which protects the integrity checker itself from a compromised kernel. Kernel-mode code
integrity checks every kernel-mode driver and binary before it runs and prevents unsigned drivers or
system files from being loaded into system memory; because the hypervisor controls which memory pages may
be executable, even malware running with kernel privileges cannot map unsigned code. This ensures that only code from trusted