This weekend, I pulled up the Device security panel in Windows Security on my ThinkPad P16 Gen 3 (2025 build) and my ThinkPad X380 (2018 build), and put them side by side. The difference showed me something interesting: how much Windows Device Security hardware has evolved.
Both machines run Windows 11. Both are solid, business-class Lenovo laptops. However, the P16 Gen 3 panel is full: every tile is lit, every checkmark is present. The X380 panel, OTOH, shows obvious gaps. It closes out with a blunt verdict: “Standard hardware security not supported.” The lead-in screenshot tells a story of Windows device security hardware evolution over 7 years.
The X380 isn’t a bad machine. It was just built before the security landscape it now lives in actually existed. That distinction matters, so it’s worth unpacking what’s missing and why.
What Evolving Windows Device Security Hardware Means
The most visible absence on the X380 is the Secured-core PC badge. That's not surprising when you check the timing: Microsoft launched the Secured-core PC initiative on October 21, 2019. That’s over a year after the X380 shipped. The X380’s 8th-generation Intel Core (Kaby Lake Refresh) silicon predates the Dynamic Root of Trust for Measurement (DRTM) and System Guard Secure Launch capabilities that Secured-core status requires.
In sharp contrast, the P16 Gen 3 runs Intel Core Ultra 9 silicon that fully implements Intel Hardware Shield. That’s what underpins DRTM and Kernel DMA Protection at the hardware level. In addition, Secured-core mandates HVCI (Hypervisor-Protected Code Integrity) enforced at the silicon level. Older CPUs can enable this in software. Alas, they cannot deliver the hardware-based capability that Microsoft’s Secured-core PC requirements demand.
The second gap is the Security processor tile. The P16 Gen 3 surfaces an explicit tile confirming that the TPM is visible, active, and reports correctly to the Windows Security layer. The X380 does have a TPM (Lenovo shipped TPM chips on all commercial machines by 2018). However, Windows Security on the X380 doesn’t surface that tile. Its firmware TPM integration doesn’t offer the stricter attestation visibility that newer UEFI and firmware stacks expose to the operating system. The chip is there, but the trust handshake simply isn’t good enough for Windows to show it as an attestable asset.
The X380 Bottom Line Is…Not Quite There
That brings us to the X380 bottom-line verdict: “Standard hardware security not supported.” Windows delivers this message when a device cannot simultaneously confirm TPM 2.0 attestation, Kernel DMA Protection, and VBS readiness at the hardware level. The X380 can satisfy some of those requirements individually, but not in hardware. As a result, it falls short of the full baseline. That is not a misconfiguration. It follows from the fact that the required silicon-to-firmware-to-OS trust chain simply wasn’t designed into the X380.
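The state that the panel summarizes can also be read directly on each machine. The PowerShell below is an added example, not part of the original post: it reads TPM, Secure Boot, and the Win32_DeviceGuard WMI class so the two laptops can be compared property by property. It assumes an elevated session on a UEFI system and only reports what the platform exposes; it does not reproduce the logic Windows Security uses to reach its verdict.

```powershell
# Added example: run in an elevated PowerShell session on each laptop.
# Code-to-name maps follow Microsoft's documentation for Win32_DeviceGuard.
$available = @{
    1 = 'Hypervisor support'
    2 = 'Secure Boot'
    3 = 'DMA protection'
    4 = 'Secure Memory Overwrite'
    5 = 'NX protections'
    6 = 'SMM mitigations'
    7 = 'MBEC/GMET'
    8 = 'APIC virtualization'
}
$services = @{
    1 = 'Credential Guard'
    2 = 'Memory integrity (HVCI)'
    3 = 'System Guard Secure Launch'
    4 = 'SMM Firmware Measurement'
}
$vbsState = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }

function Resolve-Codes($codes, $map) {
    # Translate numeric codes to names; unknown codes stay visible as "code N".
    $names = foreach ($c in $codes) {
        if ($c -eq 0) { continue }
        if ($map.ContainsKey([int]$c)) { $map[[int]$c] } else { "code $c" }
    }
    if ($names) { $names -join ', ' } else { 'none' }
}

$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
$tpm = Get-Tpm
$tpmSpec = (Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm).SpecVersion

# One summary object per machine; save the output from both and diff them.
[pscustomobject]@{
    Computer            = $env:COMPUTERNAME
    TpmPresent          = $tpm.TpmPresent
    TpmReady            = $tpm.TpmReady
    TpmSpecVersion      = $tpmSpec
    SecureBoot          = Confirm-SecureBootUEFI
    VbsStatus           = $vbsState[[int]$dg.VirtualizationBasedSecurityStatus]
    AvailableProperties = Resolve-Codes $dg.AvailableSecurityProperties $available
    ServicesConfigured  = Resolve-Codes $dg.SecurityServicesConfigured $services
    ServicesRunning     = Resolve-Codes $dg.SecurityServicesRunning $services
} | Format-List
```

The properties to compare between an older and a newer machine are AvailableProperties (what the hardware and firmware offer) and ServicesRunning (what is actually enforced), in particular whether System Guard Secure Launch and SMM mitigations appear at all.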
What Both Machines Get Right
Let’s be fair to the X380, because calling it obsolete would be wrong. Core isolation runs. And indeed, Virtualization Based Security operates in software mode. Secure Boot is fully active, with all certificates up to date. BitLocker encrypts the drive. These are the foundational Windows security capabilities that survive on older hardware, and they aren’t trivial. The X380 still protects data at rest and guards boot integrity against tampering. It simply cannot make the firmware-to-OS trust chain guarantees that silicon-rooted security delivers. There’s a meaningful difference between those two tiers, but the lower tier is not nugatory.
A Seven-Year Gap in Numbers
Between 2018 and 2025, Intel moved from 8th-generation Kaby Lake Refresh to Core Ultra (Meteor Lake and Arrow Lake). AMD traveled from Ryzen 1000-series to Ryzen AI 300. Along the way, Microsoft introduced Secured-core PC certification (2019), Windows 11’s hard TPM 2.0 requirement (2021), the Pluton security processor co-design with AMD and Intel (2022), plus evolving memory encryption standards. Thus, the Device Security panel on a 2025 machine doesn’t just reflect software updates. It also reflects seven years of deliberate co-design among Microsoft, Intel, AMD, and various OEMs, baked directly into the silicon and firmware before the OS even loads.
Wondering About Continued Viability?
If you’re running a 2018-era machine and wondering why your Device Security panel looks thin, it’s not your fault and it’s not your settings. It’s the silicon that falls short. The hardware security stack that Windows 11 fully expects is built into CPU microarchitecture and firmware design from 2019 onward. No amount of registry tweaking can close that gap. That said, your older machine isn’t broken. Instead it’s working at a lower tier of the trust hierarchy, but it still does real security work. When it is finally time to refresh, pull up the Device Security panel on your new, Secured-core PC. It fills those gaps, and offers more and better security capability. Worth it!


