Microsoft Defender System Guard

System Guard is a component of Microsoft Defender and follows the "assume breach" principle; that is, a system and its components are assumed to be fundamentally untrustworthy and potentially already compromised. Accordingly, system monitoring does not rely on Secure Boot having proven the integrity of the UEFI beyond doubt but, instead, it relies on the additional Secure Launch procedure and on safeguarding the CPU's System Management Mode (SMM) [3].

Microsoft also refers to Secure Launch as a dynamic root of trust for measurement (DRTM), because unlike Secure Boot, this procedure does not rely on static lists of trusted and revoked signatures. Instead, Defender System Guard uses the TPM itself to compute checksums for the firmware, the rest of the hardware configuration, and the operating system components, which it compares with previous states to detect anomalies. Additionally, system monitoring secures the SMM of the processor. Because code in this mode runs with the highest privileges, system monitoring uses security features implemented in the hardware of a state-of-the-art processor and establishes protections for access to sensitive areas of main memory.

Protection Against Peripherals

Boot DMA protection builds on kernel DMA protection that Microsoft first introduced in Windows 10 version 1803 [4]. This security feature protects the system from drive-by attacks with hot-pluggable peripherals. This attack vector aims to read sensitive data from main memory by direct memory access (DMA) or to inject malware directly into a system past the lock screen.

Boot DMA protection protects the external and internal PCI and PCIe interfaces of a system against these attempts during the boot phase and at runtime. However, this protection requires the device drivers of the external devices to support DMA remapping.

Security Through Virtualization

Virtualization-based security (VBS) uses features of Microsoft's Hyper-V hypervisor to store sensitive information, such as password hashes, in a specially secured memory area. Even privileged system processes cannot easily access this isolated memory area. VBS requires UEFI version 2.6 or later with support for a memory attributes table (MAT), which ensures a clean segregation of the runtime memory areas of code and data.

VBS forms the basis for the sixth and final component of Secured-core server: hypervisor enforced code integrity (HVCI). This function watches over the execution of code in kernel mode and only permits execution if the code can be verified as legitimate, including device drivers, any software that uses the Control Flow Guard (CFG) function, and certificates. If you want to install Windows Server 2022 directly on physical hardware, the best case scenario is that you can use all six features of Secured-core server – assuming the hardware, firmware, and device drivers support it.