Event details
Ask Microsoft anything about the latest announcements and innovations in Windows hardware security. If you have questions about new capabilities built on the Microsoft Pluton security processor, advancements in hardware accelerated BitLocker, or other ways Windows technologies work together to reduce attack surfaces, improve device integrity, and deliver faster, more resilient data protection—this is the session for you. Whether you manage fleets or design devices, get the information you need to understand how to take advantage of Windows and hardware advanced security at every layer.
This session is part of the Microsoft Technical Takeoff: Windows + Intune. Add it to your calendar, click Attend for event reminders, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
9 Comments
- Pearl-Angeles
Community Manager
Thank you everyone, for your participation in this AMA! Sharing a list of the questions panelists covered, along with associated timestamps:
Question – How do I tell—at scale—which devices can support VBS, HVCI, and newer kernel protections? – answered at 1:22.
Question – What does VBS actually do at a hardware level? – answered at 2:23.
Question – Do all TPMs behave the same, or are there differences between firmware TPM, discrete TPM, and Pluton? – answered at 4:05.
Question – How do we verify—remotely—that hardware-based protections are actually running? – answered at 6:22.
Question – What exactly does Secure Boot protect against—and what does it/doesn’t it stop? – answered at 8:09.
Question – What happens if our devices don't get updated with the new Secure Boot certs in time? – answered at 10:20. For more info go to Windows Secure Boot certificate expiration and CA updates.
Question – Can VBS or memory integrity break drivers, VPNs, or virtualization tools? – answered at 12:56.
Question – Why are features like Credential Guard and HVCI enabled by default on some devices but not others? – answered at 15:30.
Question – Will enabling Secure Boot break imaging, recovery media, or dual‑boot scenarios? – answered at 17:51.
Question – What’s the real‑world performance impact of VBS on modern CPUs? – answered at 19:48.
Question – What happens on older hardware that technically runs Windows 11 but can’t enable all hardware-backed protections? – answered at 20:52.
Question – What is kernel mode hardware enforced stack protection, and do we need new CPUs for it? – answered at 22:21.
Question – How do we explain the value of hardware-backed security to leadership in plain language? – answered at 23:15.
- Heather_Poulsen
Community Manager
Thanks for joining today’s session on “AMA: The latest in Windows hardware security” at Microsoft Technical Takeoff. Q&A will remain open through Friday so keep your comments and questions coming! Up next: Zero Trust DNS: Securing Windows one connection at a time.
- JoseSilva1
Copper Contributor
❓One of our Dell PCs running an up-to-date Windows 11 restarted with a blue screen requesting the BitLocker recovery key after an issue during a transition between the S0 and S0ix power states.
Do you have any recommendations on how to diagnose or mitigate this type of issue?
- Jordan_Geurten
Microsoft
Hi JoseSilva1, very sorry to hear about that. It sounds like a PCR mismatch during the transition leading to BitLocker recovery. We'll need to understand which PCA value changed, and why. Do you have a Microsoft account manager who can file a bug and extract the logs?
- JoseSilva1
Copper Contributor
Thank you for the explanation.
We do not currently have a Microsoft account manager. In this case, how would you recommend we proceed through Microsoft to investigate the issue and collect the relevant logs to identify which PCR value changed during the S0/S0ix transition?
- JoseSilva1
Copper Contributor
❓What conditions are required for the CPU to enter the S0ix state, and do drivers need to implement or support this transition?
- Heather_Poulsen
Community Manager
JoseSilva1 - Can you clarify what you mean by "SOix state"? Are you talking about Sarbanes-Oxley Act (SOX) compliance?
- JoseSilva1
Copper Contributor
S0iX (or S0ix) is a low-power idle state for modern Intel/AMD CPUs, often called Modern Standby.
- Heather_Poulsen
Community Manager
Welcome to Tech Takeoff day 4! It's time to Ask Microsoft Anything about Windows hardware security. Post your questions here in the Comments. We'll get started in just a few moments.