But to me, this all looks like MS building a house of cards again. If I am writing a rootkit or other malware, why can I not use this to make sure only the compromised device's secure processor can read the contents of memory, or does defender get a pass?! A defender/analyst also won't be able to dump RAM with Volatility or a custom driver to analyze the malware/implant? No Microsoft solution would prevent a user from downloading and running an executable entirely, so malicious code would run, but can it now hide from security solutions? What part of HVCI am I missing?
As far as the rest of it, it will break legitimate use cases for users, so I don't expect it to be a default anytime soon. I hate the remote attestation stuff, but my hope is it will either fizzle out or regulations will be put in place for enabling user control of the secure computing private key for personally owned devices, because code you can't introspect or keys you can't manage should not exist on a device you own (not license).