Device Guard and Credential Guard
Device Guard is one of Windows security features that is a combination of enterprise-related hardware, firmware, and software security features. When configured together, it will lock down a device so that it can only run trusted applications.
Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
Device Guard and Credential Guard are optional features, that when implemented and enabled, reduce the exposed attack surface to malware by requiring additional protectors be enabled on the device.