Windows 11 Secured-core PCs
Microsoft works closely with OEM partners to help ensure that all certified Windows systems deliver a secure operating environment. Windows integrates closely with the hardware to deliver protections that take advantage of available hardware capabilities:
- Baseline Windows security – recommended baseline for all individual systems that provides foundational system integrity protections. Leverages TPM 2.0 for a hardware root of trust, secure boot and BitLocker drive encryption.
- Virtualization-based security enabled – leverages virtualization capabilities from hardware and the hypervisor to provide additional protection for critical subsystems and data.
- Secured-core – recommended for the most sensitive systems and industries like financial, healthcare, and government agencies. Builds on the previous layers and leverages advanced processor capabilities to provide protection from firmware attacks.
Secured-core PCs
Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that features deeply integrated hardware, firmware and software to ensure enhanced security for devices, identities and data.
Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.
For general purpose laptops, tablets, 2-in-1's, mobile workstations, and desktops, Microsoft recommends using Security baselines for optimal configuration. For more info, see Windows security baselines.
Baseline Windows security is supported by Secure Boot, Bitlocker device encryption, Microsoft Defender, Windows Hello and a TPM 2.0 chip to provide a hardware root of trust for the OS platform. These features are designed to secure general purpose modern devices. If you are a decision maker purchasing new devices, your devices should meet the baseline Windows security requirements.
What makes a Secured-core PC
| Benefit | Feature | Hardware/Firmware requirement | Baseline Windows Security | Secured-core PCs |
|---|---|---|---|---|
| Create a hardware backed root of trust | ||||
| Secure Boot | Secure Boot is enabled in the BIOS by default. | ✅ | ✅ | |
| Secure Boot | Default trust for Microsoft bootloaders only, with BIOS option for enabling trust for non-Microsoft bootloaders | ✅ | ||
| Trusted Platform Module 2.0 (TPM) | Meet the latest Microsoft requirements for the Trusted Computing Group (TCG) specification | ✅ | ✅ | |
| Direct Memory Access (DMA) Protection | The device supports Memory Access Protection (Kernel DMA Protection) | ✅ | ✅ | |
| Defend against firmware level attacks (either of the 2 approaches specified can be used) | System Guard Secure Launch (D-RTM) with System Management Mode (SMM) isolation | Enabled on device (via Secure Launch) | ✅ | ✅ |
| S-RTM and Standalone MM with MM supervisor (the approach implemented on FASR devices) | Supported on devices that have the FASR firmware | ✅ | ||
| Protect the OS from execution of unverified code | Hypervisor Code Integrity (HVCI) | Enabled on device | ✅ | ✅ |
| Provide advanced identity verification and protection | Windows Hello with Enhanced Sign-in Security (ESS) | A device with Windows Hello with ESS is enabled if it has the ESS hardware built-in components for face or fingerprint authentication, and the necessary support in BIOS | ✅* | ✅ |
| Protect critical data if a device is lost, stolen or confiscated | BitLocker encryption | BitLocker can leverage the TPM 2.0 to encrypt and protect data | ✅ | ✅ |
*Only possible on devices that have built-in Windows Hello biometric sign-in face or fingerprint sensors.