In order to protect against Firmware level attacks, Windows has introduced the Secured-Core PC with the partnership of some other tech companies.
Microsoft Secured-Core PC
Firmware is used to initialize the hardware and other software on the device and has a higher level of access and privilege than the hypervisor and operating system kernel thereby making it an attractive target for attackers.
The National Vulnerability Database has pointed out that Firmware based attacks and exploits have been rising every year with Hacking groups like Strontium who have been taking advantage of such exploits for a long time. These sorts of malware codes can even stay after the device has a hard drive cleanup or even an OS Re-install.
Secured-core PCs are to feature another layer of security underneath the operating system to protect the boot process from firmware attacks. A Secured-core PC device requirement is Windows Defender implementing System Guard Secure Launch using new hardware capabilities from AMD, Intel, and Qualcomm. System Guard leverages firmware to start the hardware and then shortly after reinitializing the system into a trusted state. Using the OS boot loader and processor capabilities, it sends the system down a known and verifiable code path.
Another requirement of Secured-core PCs is the Trusted Platform Module (TPM) 2.0, which lets administrators measure the components used to verify that a device booted securely. Additionally, Windows monitors and restricts the functionality of potentially dangerous firmware through System Management Mode.
As of now, this feature is only available on the Microsoft Surface X laptop and the HP Dragonfly Elite and the feature is coming soon to the Dell, Lenovo, HP, and Panasonic laptops as soon as possible.