Device Security Options in Windows Security

Memory integrity, also known as Hypervisor-protected Code Integrity (HVCI) is a Windows security feature that makes it difficult for malicious programs to use low-level drivers to hijack your PC.

A driver is a piece of software that lets the operating system (Windows in this case) and a device (like a keyboard or a webcam) talk to each other. When the device wants Windows to do something, it uses the driver to send that request.

Memory integrity works by creating an isolated environment using hardware virtualization.

Think of it like a security guard inside a locked booth. This isolated environment (the locked booth in our analogy) prevents the memory integrity feature from being tampered with by an attacker. A program that wants to run a piece of code which may be dangerous has to pass the code to memory integrity inside that virtual booth so that it can be verified. When memory integrity is comfortable that the code is safe it hands the code back to Windows to run. Typically, this happens very quickly.

Without memory integrity running, the security guard stands right out in the open where it's much easier for an attacker to interfere with or sabotage the guard, making it easier for malicious code to sneak past and cause problems.

You can turn memory integrity On or Off using the toggle button.​​​​​​​

What if it says I have an incompatible driver?

If memory integrity fails to turn on, it may tell you that you have an incompatible device driver already installed. Check with the manufacturer of the device to see if they have an updated driver available. If they don’t have compatible driver available, you might be able to remove the device or app that uses that incompatible driver.

Hardware enforced stack protection is a hardware-based security feature that makes it difficult for malicious programs to use low-level drivers to hijack your PC.

A driver is a piece of software that lets the operating system (Windows in this case) and a device (like a keyboard or a webcam) talk to each other. When the device wants Windows to do something, it uses the driver to send that request.

Hardware enforced stack protection works by preventing attacks that modify return addresses in kernel-mode memory to launch malicious code. This security feature requires a CPU that contains the ability to verify the return addresses of running code.

When executing code in kernel-mode, return addresses on the kernel-mode stack can be corrupted by malicious programs or drivers in order to redirect normal code execution to malicious code. On supported CPUs, the CPU maintains a second copy of valid return addresses on a read-only shadow stack that drivers cannot modify. If a return address on the regular stack has been modified, the CPU can detect this discrepancy by checking the copy of the return address on the shadow stack. When this discrepancy occurs, the computer prompts a stop error, sometimes known as a blue screen, to prevent the malicious code from executing.

Not all drivers are compatible with this security feature, as a small number of legitimate drivers engage in return address modification for non-malicious purposes. Microsoft has been engaging with numerous driver publishers to ensure that their latest drivers are compatible with hardware enforced stack protection.

You can turn hardware enforced stack protection On or Off using the toggle button.​​​​​​​

To use hardware enforced stack protection, you must have memory integrity enabled, and you must be running a CPU that supports Intel Control-Flow Enforcement Technology or AMD Shadow Stack.

What if it says I have an incompatible driver or service?

If hardware enforced stack protection fails to turn on, it might tell you that you have an incompatible device driver or service already installed. Check with the manufacturer of the device or the application publisher to see if they have an updated driver available. If they don’t have a compatible driver available, you might be able to remove the device or app that uses that incompatible driver.

Some applications might install a service instead of a driver during the application's installation and install the driver only when the application is launched. For more accurate detection of incompatible drivers, services that are known to be associated with incompatible drivers are also enumerated.

Also known as Kernel DMA protection this security feature protects your device against attacks that can occur when a malicious device is plugged into a Peripheral Component Interconnect (PCI) port like a Thunderbolt port.

A simple example of one of these attacks would be if someone leaves their PC for a quick coffee break, and while they were away, an attacker steps in, plugs in a USB-like device and walks away with sensitive data from the machine, or injects malware that allows them to control the PC remotely. 

Memory access protection prevents these kinds of attacks by denying direct access to the memory to those devices except under special circumstances, particularly when the PC is locked, or the user is signed out.

Every device has some software that's been written to the read-only memory of the device - basically written to a chip on the system board - that is used for the basic functions of the device, such as loading the operating system that runs all the apps we're used to using. Since that software is difficult (but not impossible) to modify we refer to it as firmware.

Because the firmware loads first and runs under the operating system, security tools and features that run in the operating system have a difficult time detecting it or defending against it. Like a house that depends on a good foundation to be secure, a computer needs its firmware to be secure in order to ensure that the operating system, applications, and data on that computer are safe.

System Guard is a set of features that helps to ensure that attackers can't get your device to start with untrusted or malicious firmware.

Platforms that offer firmware protection typically also protect the System Management Mode (SMM), a highly privileged operating mode, to varying degrees. You can expect one of the three values, with a higher number indicating a greater degree of SMM protection:

• Your device meets firmware protection version one: this offers the foundational security mitigations to help SMM resist exploitation by malware, and prevents exfiltration of secrets from the OS (including VBS)

• Your device meets firmware protection version two: in addition to firmware protection version one, version two ensures that SMM can't disable Virtualization-based Security (VBS) and kernel DMA protections

• Your device meets firmware protection version three: in addition to firmware protection version two, it further hardens the SMM by preventing access to certain registers that have the ability to compromise the OS (including VBS)

Local Security Authority (LSA) protection is a Windows security feature to help prevent the theft of credentials used for signing into Windows.   

The Local Security Authority (LSA) is a crucial process in Windows involved in user authentication. It’s responsible for verifying credentials during the login process and managing authentication tokens and tickets used to enable single sign-on for services. LSA protection helps prevent untrusted software from running inside LSA or from accessing LSA memory.  

How do I manage Local Security Authority protection?

You can turn LSA protection On or Off using the toggle button.​​​​​​​

After you have changed the setting, you must reboot for it to take effect. 

What if I have incompatible software? 

If LSA protection is enabled and it blocks the loading of software into the LSA service, a notification indicates the blocked file. You might be able to remove the software loading the file, or you can disable future warnings for that file when it’s blocked from loading into LSA.  

While you're using your work or school device it will be quietly signing into and gaining access to a variety of things such as files, printers, apps, and other resources in your organization. Making that process secure, yet easy for the user, means that your PC has a number of authentication tokens on it at any given time.

If an attacker can gain access to one, or more, of those tokens, they might be able to use them to gain access to the organizational resource (sensitive files, etc) that the token is for. Credential Guard helps to protect those tokens by putting them in a protected, virtualized, environment where only certain services can access them when necessary.

A driver is a piece of software that lets the operating system (Windows in this case) and a device (like a keyboard or a webcam) talk to each other. When the device wants Windows to do something, it uses the driver to send that request. Because of this, drivers have a lot of sensitive access in your system.

Windows 11 includes a blocklist of drivers that have known security vulnerabilities, have been signed with certificates used to sign malware, or that circumvent the Windows Security Model.

If you have memory integrity, Smart App Control, or Windows S mode on, the vulnerable driver blocklist will be on too.

This is where you’ll find info about the security processor manufacturer and version numbers, as well as about the security processor’s status.

In the Windows Security app on your Windows device, select Device security > Security processor details or use the following shortcut:

Security processor details​​​​​​​

If your security processor isn't working properly, you can select the Security processor troubleshooting link to see any error messages and advanced options, or use the following shortcut:

Security processor troubleshooting​​​​​​​

The security processor troubleshooting page provides any relevant error messages about the TPM. Here's a list of the error messages and details:

Message	Details
A firmware update is needed for your security processor (TPM).	Your device's motherboard doesn't appear to support TPM currently, but a firmware update might resolve this. Check with your device's manufacturer to see if a firmware update is available and how to install it. Firmware updates are usually free.
TPM is disabled and requires attention.	The trusted platform module is probably turned off in the system BIOS (Basic Input/Output System) or UEFI (Unified Extensible Firmware Interface). Refer to your device manufacturer's support documentation, or contact their technical support, for instructions on how to turn it on.
TPM storage is not available. Please clear your TPM.	The clear TPM button is on this page. You'll want to make sure you have a good backup of your data before proceeding.
Device health attestation isn't available. Please clear your TPM.	The clear TPM button is on this page. You'll want to make sure you have a good backup of your data before proceeding.
Device health attestation isn't supported on this device.	This means the device doesn't give us enough information to determine why TPM may not be working properly on your device.
Your TPM isn't compatible with your firmware and may not be working properly.	Check with your device's manufacturer to see if a firmware update is available and how to get and install it. Firmware updates are usually free.
TPM measured boot log is missing. Try restarting your device.
There is a problem with your TPM. Try restarting your device.

If you still encounter problems after addressing an error message, contact your device manufacturer for assistance.

Select Clear TPM to reset your security processor to its default settings.