Windows Defender Security Center provides the following built-in security options to help protect your device from attacks by malicious software.
To access the features described below, enter "windows security" in the search box on the taskbar, and then select Device security.
Core isolation provides added protection against malware and other attacks by isolating computer processes from your operating system and device. Select Core isolation details to change settings for core isolation features.
Memory integrity is a feature of core isolation. By turning on the Memory integrity setting, you can help prevent malicious code from accessing high-security processes in the event of an attack.
Your security processor provides additional encryption for your device.
This is where you’ll find info about the security processor manufacturer and version numbers, as well as about the security processor’s status. Select Security processor details, and then on the details page, select Security processor troubleshooting for additional info and options.
The following are advanced options for troubleshooting your security processor.
This is where you will see any relevant error messages about your security processor. Here is a list of the error messages that might appear:
- A firmware update is needed for your security processor (TPM).
- TPM is disabled and requires attention.
- TPM storage is not available. Please clear your TPM.
- Device health attestation isn't available. Please clear your TPM.
- Device health attestation isn't supported on this device.
- Your TPM isn't compatible with your firmware, and may not be working properly.
- TPM measured boot log is missing. Try restarting your device.
- There is a problem with your TPM. Try restarting your device.
If you still encounter problems after addressing an error message, contact your device manufacturer for assistance.
Select Clear TPM to reset your security processor to its default settings. Be sure to back up your data before clearing the TPM.
Select Collect logs to gather more information that might help you understand issues with your security processor. The logs will be saved to a folder on your desktop.
Secure boot prevents a sophisticated and dangerous type of malware—called a rootkit—from loading when you start your device. Rootkits use the same privileges as the operating system and start before it, which means they can completely hide themselves. Rootkits are often part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data.
Hardware security capability
At the bottom of the Device security screen, one of the following messages will appear indicating the security capability of your device:
Your device meets the requirements for standard hardware security
This means your device supports memory integrity and core isolation and also has:
- TPM 2.0 (also referred to as your security processor)
- Secure boot enabled
- UEFI MAT (Memory Attributes Table)
Your device meets the requirements for enhanced hardware security
This means that in addition to meeting all the requirements of standard hardware security, your device also has memory integrity turned on.
Your device exceeds the requirements for enhanced hardware security
This means that in addition to meeting all the requirements of enhanced hardware security, your device also has System Management Mode (SMM) protection turned on.
Standard hardware security not supported
This means that your device does not meet at least one of the requirements of standard hardware security.
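For checking the same requirements from a script instead of the Device security screen, the following PowerShell is an added example, not part of the original page or Microsoft's own logic for choosing the message. It reads the TPM version, secure boot state, and core isolation services and maps them to the four tiers above. Assumptions: the function name `Get-HardwareSecurityTier` is hypothetical, and the `Win32_DeviceGuard` values 5 and 4 are used as stand-ins for the UEFI MAT and SMM protection requirements.

```powershell
# Added example; the mapping from these values to the message shown in
# Windows Security is an assumption. Run from an elevated PowerShell session.
function Get-HardwareSecurityTier {
    param([bool]$Tpm20, [bool]$SecureBoot, [bool]$UefiMat,
          [bool]$MemoryIntegrity, [bool]$SmmProtection)
    # Tier names follow the messages listed on this page.
    if (-not ($Tpm20 -and $SecureBoot -and $UefiMat)) {
        return 'Standard hardware security not supported'
    }
    if (-not $MemoryIntegrity) { return 'Meets the requirements for standard hardware security' }
    if (-not $SmmProtection)   { return 'Meets the requirements for enhanced hardware security' }
    return 'Exceeds the requirements for enhanced hardware security'
}

# TPM: Win32_Tpm.SpecVersion starts with "2.0" on a TPM 2.0 device; no
# instance is returned when no TPM is exposed to Windows.
$tpm = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
    -ClassName Win32_Tpm -ErrorAction SilentlyContinue
$tpm20 = [bool]($tpm -and "$($tpm.SpecVersion)" -like '2.0*')

# Secure boot: the cmdlet throws on legacy BIOS firmware, so an error counts as off.
try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
catch { $secureBoot = $false }

# Core isolation state from the Device Guard WMI class.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
    -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$available = @($dg.AvailableSecurityProperties)
$running   = @($dg.SecurityServicesRunning)

$uefiMat  = $available -contains 5  # 5 = NX protections available (stand-in for UEFI MAT, assumption)
$memInteg = $running   -contains 2  # 2 = memory integrity (HVCI) is running
$smm      = $running   -contains 4  # 4 = SMM firmware measurement is running (stand-in, assumption)

[pscustomobject]@{
    Tpm20           = $tpm20
    SecureBoot      = $secureBoot
    UefiMat         = $uefiMat
    MemoryIntegrity = $memInteg
    SmmProtection   = $smm
    Tier            = Get-HardwareSecurityTier -Tpm20 $tpm20 -SecureBoot $secureBoot `
                          -UefiMat $uefiMat -MemoryIntegrity $memInteg -SmmProtection $smm
}
```

The script does not separately test whether the device supports memory integrity, so treat the message at the bottom of the Device security screen as authoritative where the two disagree.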
Improving hardware security
If the security capability of your device is not where you'd like it to be, you may need to turn on features of your hardware (such as secure boot, if supported) or change settings in your system's BIOS. Contact your hardware vendor to see what features are supported by your hardware and how to activate them.