Event details
Thank you, everyone, for your participation in this AMA! Here is a list of the questions the panelists covered, with the associated timestamps:
Question – How do I tell—at scale—which devices can support VBS, HVCI, and newer kernel protections? – answered at 1:22.
Question – What does VBS actually do at a hardware level? – answered at 2:23.
Question – Do all TPMs behave the same, or are there differences between firmware TPM, discrete TPM, and Pluton? – answered at 4:05.
Question – How do we verify—remotely—that hardware-based protections are actually running? – answered at 6:22.
Question – What exactly does Secure Boot protect against—and what does and doesn’t it stop? – answered at 8:09.
Question – What happens if our devices don't get updated with the new Secure Boot certs in time? – answered at 10:20.
- For more information, see "Windows Secure Boot certificate expiration and CA updates."
Question – Can VBS or memory integrity break drivers, VPNs, or virtualization tools? – answered at 12:56.
Question – Why are features like Credential Guard and HVCI enabled by default on some devices but not others? – answered at 15:30.
Question – Will enabling Secure Boot break imaging, recovery media, or dual‑boot scenarios? – answered at 17:51.
Question – What’s the real‑world performance impact of VBS on modern CPUs? – answered at 19:48.
Question – What happens on older hardware that technically runs Windows 11 but can’t enable all hardware-backed protections? – answered at 20:52.
Question – What is kernel-mode hardware-enforced stack protection, and do we need new CPUs for it? – answered at 22:21.
Question – How do we explain the value of hardware-backed security to leadership in plain language? – answered at 23:15.