Windows Defender Security Center provides the following built-in security options to help protect your device from attacks by malicious software.
To access the features described below, enter "windows security" in the search box on the taskbar, and then select Device security.
Core isolation provides added protection against malware and other attacks by isolating computer processes from your operating system and device. Select Core isolation details to enable, disable, and change the settings for core isolation features.
Memory integrity is a feature of core isolation. By turning on the Memory integrity setting, you can help prevent malicious code from accessing high-security processes in the event of an attack.
Your security processor provides additional encryption for your device.
This is where you’ll find info about the security processor manufacturer and version numbers, as well as about the security processor’s status. Select Security processor details, and then on the details page, select Security processor troubleshooting for additional info and options.
The following are advanced options for troubleshooting your security processor.
This is where you will see any relevant error messages about your security processor. Here's a list of the error messages that might appear:
- A firmware update is needed for your security processor (TPM).
- TPM is disabled and requires attention.
- TPM storage is not available. Please clear your TPM.
- Device health attestation isn't available. Please clear your TPM.
- Device health attestation isn't supported on this device.
- Your TPM isn't compatible with your firmware, and may not be working properly.
- TPM measured boot log is missing. Try restarting your device.
- There is a problem with your TPM. Try restarting your device.
If you still encounter problems after addressing an error message, contact your device manufacturer for assistance.
Select Clear TPM to reset your security processor to its default settings. Make sure to back up your data before you clear the TPM.
Select Collect logs to gather more information that might help you understand issues with your security processor. The logs will be saved to a folder on your desktop.
Secure boot prevents a sophisticated and dangerous type of malware—a rootkit—from loading when you start your device. Rootkits use the same permissions as the operating system and start before it, which means they can completely hide themselves. Rootkits are often part of an entire suite of malware that can bypass local logins, record passwords and keystrokes, transfer private files, and capture cryptographic data.
You may have to disable secure boot to run some PC graphics cards, hardware, or operating systems such as Linux or earlier versions of Windows. For more info, see How to disable and re-enable secure boot.
Hardware security capability
At the bottom of the Device security screen, one of the following messages appears, indicating the security capability of your device.
Your device meets the requirements for standard hardware security
This means your device supports memory integrity and core isolation and also has:
- TPM 2.0 (also referred to as your security processor)
- Secure boot enabled
- UEFI MAT
Your device meets the requirements for enhanced hardware security
This means that in addition to meeting all the requirements of standard hardware security, your device also has memory integrity turned on.
Your device exceeds the requirements for enhanced hardware security
This means that in addition to meeting all the requirements of enhanced hardware security, your device also has System Management Mode (SMM) protection turned on.
Standard hardware security not supported
This means that your device does not meet at least one of the requirements of standard hardware security.
Improving hardware security
If the security capability of your device isn't what you'd like it to be, you might need to turn on certain hardware features (such as secure boot, if supported) or change the settings in your system's BIOS. Contact your hardware manufacturer to see what features are supported by your hardware and how to activate them.
More info about Windows Defender Security Center
- If Windows Defender is displayed in the wrong language, follow the guidance in Windows Language Packs to get it to display in the language of your choice. Generally, Windows Defender uses the language that Windows 10 is set to at Start > Settings > Time & Language .
- If Windows Defender blocks printer installation, you can temporarily disable Windows Defender Firewall while you install the printer on your PC. To do this, see Turn Windows Defender Firewall on or off. After you've installed the printer, make sure you turn the firewall back on.
If you have a wireless printer on a network that you can't access after you've enabled Windows Defender, you may need to configure your Windows Defender Firewall settings to allow access. For help with this process, contact your printer manufacturer.
- If you're prompted repeatedly by Windows Defender pop-ups, see How to stop Windows Defender pop-ups in Windows 10 from Microsoft TechNet (in English only).
If a particular pop-up window is causing you problems, see How to close a pop-up window if Microsoft Edge isn't responding.
Finally, this issue might be caused by ad malware, which a good ad-blocker can prevent. In Microsoft Store, try searching on "adblock," choose an ad-blocker, install it, and see if this fixes the issue.
- If you experience a kernel security check failure when you run a Windows Defender feature, this may be a corrupted or outdated driver issue. To investigate and fix this situation, see Update drivers in Windows 10.