What is Windows 10 Device Guard?

In this Ask the Admin, I’ll explain the idea behind Windows 10 Device Guard, and how it differs from existing application control features built-in to Windows.

Editor’s Note: Microsoft released more details about Windows 10 Device Guard at the RSA Conference 2015. Microsoft’s Chris Hallum wrote on the official “Windows for your Business” blog that:

“[Device Guard]…gives organizations the ability to lock down devices in a way that provides advanced malware protection against new and unknown malware variants as well as Advanced Persistent Threats (APTs). It provides better security against malware and zero-days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. You’re in control of what sources Device Guard considers trustworthy and it comes with tools that can make it easy to sign Universal or even Win32 apps that may not have been originally signed by the software vendor.”

You could be forgiven for thinking that Windows hardly needs another application control feature. Software Restriction Policies (SRP), available since Windows XP and Windows Server 2003, and AppLocker, introduced in Windows 7 Enterprise and Windows Server 2008 R2, already let organizations control which Win32 executables, installers, scripts, DLLs and (with AppLocker on Windows 8 and later) packaged Windows Store apps can be launched, all through central policies distributed by Group Policy from Active Directory. So a new application control feature in Windows 10 might come as a surprise.

Device Guard isn’t just a more sophisticated implementation of SRP, however. Along with Windows Hello and Microsoft Passport, it is one of the Windows 10 features that gives IT a way to lock down devices so that they are better protected against today’s Advanced Persistent Threats (APTs), which use sophisticated means to infect PCs, often exploiting zero-day vulnerabilities, and can remain undetected for long periods of time.

Device Guard in Action

Windows 10 Device Guard blocks all apps that are not considered trusted, and allows only apps from the Windows Store, selected software vendors, and signed line-of-business applications to run. Organizations decide which sources are trusted, and tools will be included so that apps developed in-house can be signed easily, whether they are Universal Windows Store apps, desktop (Win32) apps, or unsigned third-party applications.

AppLocker provides similar functionality to what I’ve described above, but Device Guard differs significantly in where the trust decision is enforced. AppLocker is enforced by a kernel-mode driver and the Application Identity service inside the normal Windows kernel, which a local administrator or kernel-level malware can stop or tamper with. Device Guard moves the code integrity decision into an environment isolated by hardware virtualization, so that even a compromised Windows kernel can’t be used to launch untrusted applications. Microsoft claims that Device Guard provides better protection against malware, or administrators attempting to circumvent security policies, than existing application control solutions from third parties.
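The workflow the article describes (decide which signers are trusted, let unsigned in-house code through, then enforce) maps onto the ConfigCI PowerShell module that ships with Windows 10 Enterprise. The script below is an added example, not code from the original article or from Microsoft’s documentation; the policy paths and the idea of scanning a clean reference build are assumptions for illustration. It builds a publisher-level policy, runs it in audit mode, reviews the audit events, merges any legitimate hits back in, and only then switches to enforcement.

```powershell
# Added example (not from the original article): build a Device Guard code
# integrity policy that allows only code from trusted publishers, audit it,
# then enforce it. Requires the ConfigCI module (Windows 10 Enterprise) and an
# elevated prompt. Paths under C:\CIPolicy are assumptions for illustration.

$PolicyXml = 'C:\CIPolicy\InitialScan.xml'
$AuditXml  = 'C:\CIPolicy\AuditHits.xml'
$MergedXml = 'C:\CIPolicy\Merged.xml'
# The kernel and VSM load the compiled policy from this fixed location.
$PolicyBin = 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b'
New-Item -ItemType Directory -Path 'C:\CIPolicy' -Force | Out-Null

# 1. Scan a clean reference build. -Level Publisher trusts the signing
#    certificate's publisher; -Fallback Hash adds per-file hash rules for
#    unsigned binaries (the in-house or third-party apps the article mentions)
#    so they are not silently skipped; -UserPEs includes user-mode Win32 code,
#    not just drivers.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
             -ScanPath 'C:\' -FilePath $PolicyXml

# 2. Rule option 0 turns on user-mode code integrity (UMCI) so applications
#    are checked, not only kernel-mode code; option 3 keeps the policy in
#    audit mode so nothing is blocked yet, only logged.
Set-RuleOption -FilePath $PolicyXml -Option 0
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Compile to the binary form and deploy. A reboot loads the new policy.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. After the audit period, list what would have been blocked. Event ID 3076
#    in the CodeIntegrity/Operational log is the audit-mode "would block"
#    event; 3077 is a real block once enforcement is on.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076
} | Select-Object TimeCreated, Message | Format-Table -Wrap

# 5. Turn the legitimate audit hits into rules and merge them into the policy.
#    Review the audit list first: anything you do not recognise stays blocked.
New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs -FilePath $AuditXml
Merge-CIPolicy -OutputFilePath $MergedXml -PolicyPaths $PolicyXml, $AuditXml

# 6. Remove audit mode (option 3) to enforce, recompile, redeploy, reboot.
Set-RuleOption -FilePath $MergedXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $MergedXml -BinaryFilePath $PolicyBin
```

Keep the policy in audit mode for long enough to cover the normal application lifecycle (updates, installers, scheduled tasks) before step 6; a policy enforced too early is the quickest way to get it switched off again. In later Windows 10 releases this part of Device Guard was renamed Windows Defender Application Control, but the cmdlets are the same.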

Hardware-Based Hypervisor Security

Device Guard’s allowlist of trusted signers, and the code that checks executables against it, run in Virtual Secure Mode (VSM), an environment that hardware-assisted virtualization keeps isolated from the normal Windows kernel. VSM also hosts an isolated copy of the Local Security Authority (LSA), which Microsoft calls Credential Guard, to keep password hashes and Kerberos tickets out of reach of pass-the-hash attacks. Because code integrity and certificate checks are performed outside the operating system kernel, even if Windows is compromised it would be hard for malware, or malicious users with administrative privileges, to run untrusted software on the device.

The technology behind Device Guard is borrowed from Windows Phone, and while you could argue that Windows Phone doesn’t have a large enough user base to attract attackers, it has proven to be secure, with Microsoft claiming it is more secure than Android and Apple iOS. Device Guard will work on hardware certified for Windows 8 or later, which guarantees UEFI Secure Boot, and additionally needs hardware virtualization support (Intel VT-x or AMD-V with second-level address translation) plus an IOMMU (Intel VT-d or the AMD equivalent). The IOMMU matters because it stops a DMA-capable device from reading or writing the memory that VSM is supposed to isolate.
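Before rolling Device Guard out it is worth confirming that each PC actually offers the platform features described above and, once it does, turning virtualization-based security and hypervisor-enforced code integrity on. The script below is an added example, not code from the original article or from Microsoft; it reads the standard Win32_Processor and Win32_DeviceGuard WMI classes and sets the documented DeviceGuard registry values. The function names are my own.

```powershell
# Added example (not from the original article): check the hardware and
# firmware prerequisites for Virtual Secure Mode, then enable VBS with
# hypervisor-enforced code integrity (HVCI). Run elevated on Windows 10
# Enterprise; a reboot is needed for the change to take effect.

function Test-DeviceGuardReadiness {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $checks = [ordered]@{
        # Intel VT-x / AMD-V present and switched on in firmware
        'VT-x/AMD-V enabled in firmware' = [bool]$cpu.VirtualizationFirmwareEnabled
        # Second-level address translation (EPT / RVI) is required by Hyper-V
        'SLAT (EPT/RVI) supported'       = [bool]$cpu.SecondLevelAddressTranslationExtensions
        # Secure Boot anchors the hypervisor launch; the cmdlet throws on legacy BIOS
        'UEFI Secure Boot on'            = (& { try { Confirm-SecureBootUEFI } catch { $false } })
    }
    # Win32_DeviceGuard reports what the platform offers and what is running.
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard
    # AvailableSecurityProperties: 1 = hypervisor, 2 = Secure Boot,
    # 3 = DMA protection (an IOMMU such as Intel VT-d or AMD-Vi),
    # 4 = Secure Memory Overwrite, 5 = NX, 6 = SMM mitigations.
    $checks['IOMMU (VT-d/AMD-Vi) DMA protection'] = $dg.AvailableSecurityProperties -contains 3
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    $checks['Credential Guard running']           = $dg.SecurityServicesRunning -contains 1
    $checks['HVCI running']                       = $dg.SecurityServicesRunning -contains 2
    [pscustomobject]$checks
}

function Enable-DeviceGuardVBS {
    $dgKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard'
    New-Item -Path $dgKey -Force | Out-Null
    # 1 = turn on virtualization-based security (VSM)
    Set-ItemProperty -Path $dgKey -Name EnableVirtualizationBasedSecurity -Value 1 -Type DWord
    # 3 = require Secure Boot AND DMA protection; 1 = Secure Boot only.
    # Without DMA protection a PCIe/Thunderbolt device could read VSM memory.
    Set-ItemProperty -Path $dgKey -Name RequirePlatformSecurityFeatures -Value 3 -Type DWord
    # HVCI: kernel-mode code integrity decisions are made from inside VSM,
    # not from the (potentially compromised) Windows kernel.
    $hvciKey = Join-Path $dgKey 'Scenarios\HypervisorEnforcedCodeIntegrity'
    New-Item -Path $hvciKey -Force | Out-Null
    Set-ItemProperty -Path $hvciKey -Name Enabled -Value 1 -Type DWord
    # Locked = 1 stores the setting in UEFI so an administrator cannot simply
    # flip the registry value back; use 0 while piloting so you can back out.
    Set-ItemProperty -Path $hvciKey -Name Locked -Value 0 -Type DWord
}

Test-DeviceGuardReadiness | Format-List
# Enable-DeviceGuardVBS   # run once every prerequisite above reads True, then reboot
```

Run the readiness check across the fleet before enabling anything: a machine that reports VT-x or SLAT as False will simply not start the hypervisor, and one without DMA protection should be deployed with RequirePlatformSecurityFeatures set to 1 rather than 3, with the weaker isolation noted in the risk register.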

Copying the security model from Windows Phone seems like a good idea, as I’m not aware that it has seen any significant form of attack since its launch. Nevertheless, Device Guard won’t protect against code that is generated or interpreted at runtime inside a process that is already trusted: Just-In-Time (JIT) compiled code such as Java applications, or code running inside documents such as macros in Microsoft Word, never passes through the file-based code integrity check because the host executable (the Java runtime or Word itself) is on the allowlist. As such, defense in depth is still the best approach, using antivirus and least privilege in addition to Device Guard to provide a comprehensive security solution.