In this Ask the Admin, I will explain the difference between Device Guard and AppLocker in Windows 10. We will also discuss whether they should be used independently of each other or together.
Application control or application whitelisting is an important line of defense for enterprises in the fight against malware. It has long been recognized that signature-based antimalware software is not enough by itself. Removing administrator privileges from end users, while definitely a critical step, also needs to be part of a defense-in-depth strategy.
Application whitelisting technology first appeared natively in Windows XP as Software Restriction Policies (SRP). It was not widely adopted because it was difficult to implement. AppLocker was introduced as a replacement for SRP in Windows 7; it is more flexible and easier to deploy. So, why does Windows 10 need a new application control technology?
The technology behind Device Guard is not completely new, but Windows 10 is the first release to expose it directly. It builds on Kernel Mode Code Integrity (KMCI) and User Mode Code Integrity (UMCI): KMCI arrived with Windows Vista, while UMCI is new in Windows 10. These enforce policy rules that allow drivers, user-mode binaries, MSIs, and scripts to run only if they are signed by a trusted publisher. Furthermore, in Windows 10, KMCI can be protected by Virtualization-Based Security (VBS) on supported hardware. VBS isolates KMCI in a separate, hypervisor-protected virtual environment, so that code integrity keeps enforcing policy even if the Windows kernel itself is compromised by malware. VBS can be enabled in Windows 10 by configuring Virtual Secure Mode (VSM) in Group Policy.
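The Group Policy setting described above writes its values under the policies hive, but whether VBS and the VBS-protected KMCI (HVCI) are actually running depends on the hardware. The following PowerShell, an added example that is not part of the original article, reads the configured policy values and then queries the Win32_DeviceGuard WMI class to report what is really active. The decoded status values follow the class documentation; the property names and registry value names are the ones Windows itself uses.

```powershell
# Added example: compare the configured Device Guard policy with the running state.
# Requires Windows 10 Enterprise/Education; run in an elevated PowerShell session.

function Get-DeviceGuardPolicyConfig {
    # Values written by the "Turn On Virtualization Based Security" Group Policy setting.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceGuard'
    if (-not (Test-Path $key)) { return [pscustomobject]@{ PolicyPresent = $false } }
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        PolicyPresent                    = $true
        EnableVirtualizationBasedSecurity = $p.EnableVirtualizationBasedSecurity   # 1 = enabled
        RequirePlatformSecurityFeatures   = $p.RequirePlatformSecurityFeatures     # 1 = Secure Boot, 3 = Secure Boot + DMA protection
        HypervisorEnforcedCodeIntegrity   = $p.HypervisorEnforcedCodeIntegrity     # 1 = HVCI (VBS-protected KMCI) requested
    }
}

function Get-DeviceGuardRunningState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName 'Win32_DeviceGuard'
    if (-not $dg) { throw 'Win32_DeviceGuard is not available on this SKU.' }

    # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running
    $vbs = switch ([int]$dg.VirtualizationBasedSecurityStatus) {
        0 { 'Not enabled' } 1 { 'Enabled but not running' } 2 { 'Running' } default { "Unknown ($_)" }
    }
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI
    # CodeIntegrityPolicyEnforcementStatus / UsermodeCodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit, 2 = enforced
    $enf = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }
    # AvailableSecurityProperties: 1 = hypervisor support, 2 = Secure Boot, 3 = DMA protection (others exist, left raw)
    $props = @{ 1 = 'Hypervisor'; 2 = 'SecureBoot'; 3 = 'DMAProtection' }

    [pscustomobject]@{
        VbsStatus              = $vbs
        HvciRunning            = ($dg.SecurityServicesRunning -contains 2)
        CredentialGuardRunning = ($dg.SecurityServicesRunning -contains 1)
        KernelModePolicy       = $enf[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
        UserModePolicy         = $enf[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
        HardwareAvailable      = ($dg.AvailableSecurityProperties | ForEach-Object { if ($props.ContainsKey([int]$_)) { $props[[int]$_] } else { $_ } }) -join ', '
        HardwareRequired       = ($dg.RequiredSecurityProperties | ForEach-Object { if ($props.ContainsKey([int]$_)) { $props[[int]$_] } else { $_ } }) -join ', '
    }
}

Get-DeviceGuardPolicyConfig | Format-List
Get-DeviceGuardRunningState | Format-List
```

A machine where the policy reports EnableVirtualizationBasedSecurity = 1 but VbsStatus is "Enabled but not running" is typically missing one of the hardware prerequisites listed under HardwareRequired (Secure Boot, IOMMU for DMA protection, or the hypervisor itself), which is exactly the "supported hardware" qualification in the paragraph above.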
AppLocker can block unsigned apps, but Device Guard offers deeper integration with Windows, which makes it more robust: it comes with a chain of trust from the hardware through to the kernel, and it provides better protection against tampering when VSM is enabled.
Device Guard should be your first line of defense. Because Device Guard trusts everything from Microsoft, all Windows Store apps will run; AppLocker works alongside Device Guard if you need to block certain Store apps. AppLocker is therefore not redundant and remains supported, so you can continue to use your existing AppLocker rules after upgrading from Windows 7.
Device Guard is available in the Windows 10 Enterprise and Education SKUs. There is no management GUI, and if you want to enable UMCI, code integrity policies will need more comprehensive testing, so Device Guard might not yet be ready to replace AppLocker in your organization. Nevertheless, Microsoft is working to improve it. Code integrity policies in the Windows 10 Creators Update (version 1703) can determine whether specific plug-ins, add-ins, and modules are able to run; for example, you could block all Word add-ins that are not listed in the policy. Hopefully, future versions of Windows will see Microsoft build on Device Guard’s capabilities and improve its management.
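The two preceding paragraphs describe the recommended pattern (Device Guard as the base layer, AppLocker for Store apps it would otherwise allow) and the reason UMCI needs careful testing. The PowerShell below, an added example rather than the article's own code, shows the audit-first workflow with the ConfigCI cmdlets that ship with Windows 10 Enterprise (New-CIPolicy, Set-RuleOption, ConvertFrom-CIPolicy, Merge-CIPolicy), reads the Code Integrity audit events that record what an enforced policy would have blocked, and generates a companion AppLocker publisher rule set for packaged apps. The directory C:\CIPolicy and the scan of C:\ are placeholders; run everything elevated on a reference machine, not a production endpoint.

```powershell
# Added example: audit-mode Device Guard code integrity policy plus AppLocker rules for Store apps.
$PolicyDir = 'C:\CIPolicy'   # placeholder working directory
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

function New-AuditCIPolicy {
    param([string]$ScanPath = 'C:\', [string]$XmlPath = "$PolicyDir\Initial.xml")
    # -UserPEs scans user-mode binaries so the policy covers UMCI, not just drivers.
    # -Level Publisher trusts the signing publisher; -Fallback Hash covers unsigned files.
    New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -ScanPath $ScanPath -FilePath $XmlPath
    # Rule option 3 = "Enabled:Audit Mode": violations are logged, nothing is blocked.
    Set-RuleOption -FilePath $XmlPath -Option 3
    return $XmlPath
}

function Publish-CIPolicy {
    param([Parameter(Mandatory)][string]$XmlPath)
    # Convert to the binary form Code Integrity loads at boot (single-policy format).
    $bin = Join-Path $PolicyDir 'SIPolicy.p7b'
    ConvertFrom-CIPolicy -XmlFilePath $XmlPath -BinaryFilePath $bin
    Copy-Item -Path $bin -Destination "$env:windir\System32\CodeIntegrity\SIPolicy.p7b" -Force
    Write-Host 'Policy staged under System32\CodeIntegrity; reboot for it to take effect.'
}

function Get-CIAuditFindings {
    # Event 3076 in the CodeIntegrity/Operational log: the image violated policy but was
    # allowed to load because the policy is in audit mode. In enforced mode it is 3077.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CodeIntegrity/Operational'; Id = 3076 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Summary = ($_.Message -split "`r?`n")[0] }
        }
}

function New-EnforcedCIPolicy {
    param([Parameter(Mandatory)][string]$BasePolicy, [string]$MergedPath = "$PolicyDir\Enforced.xml")
    # -Audit builds rules from the 3076 events collected during the pilot, so anything the
    # pilot users legitimately ran becomes allowed; then merge and drop audit mode.
    $auditXml = Join-Path $PolicyDir 'FromAudit.xml'
    New-CIPolicy -Audit -Level Publisher -Fallback Hash -UserPEs -FilePath $auditXml
    Merge-CIPolicy -PolicyPaths $BasePolicy, $auditXml -OutputFilePath $MergedPath
    Set-RuleOption -FilePath $MergedPath -Option 3 -Delete
    return $MergedPath
}

function New-StoreAppLockerRules {
    # Device Guard allows every Store app, so Store-app control is AppLocker's job.
    # Generate publisher rules for the packaged apps installed for any user; edit the
    # generated XML to change the rules for unwanted apps to Deny before applying it.
    $xml = Join-Path $PolicyDir 'AppLocker-Store.xml'
    Get-AppxPackage -AllUsers | Get-AppLockerFileInformation |
        New-AppLockerPolicy -RuleType Publisher -User Everyone -Xml |
        Out-File -FilePath $xml -Encoding utf8
    return $xml
}

# Usage on a reference machine:
# 1. Pilot in audit mode.
$initial = New-AuditCIPolicy
Publish-CIPolicy -XmlPath $initial
# 2. After users have exercised their applications for a while, review findings.
Get-CIAuditFindings | Format-Table -AutoSize
# 3. Fold legitimate findings in and remove audit mode, then redeploy.
$enforced = New-EnforcedCIPolicy -BasePolicy $initial
# Publish-CIPolicy -XmlPath $enforced
# 4. Companion AppLocker rules for Store apps; test before merging into the effective policy.
$storeRules = New-StoreAppLockerRules
Test-AppLockerPolicy -XmlPolicy $storeRules -Path "$env:windir\System32\notepad.exe" -User Everyone
# Set-AppLockerPolicy -XmlPolicy $storeRules -Merge
```

The 3076 review between steps 1 and 3 is the "more comprehensive testing" the article calls for: every line it returns is a binary or script that UMCI would have stopped had the policy been enforced, so an empty result after a realistic pilot period is the signal that the policy is ready to move out of audit mode. Because the enforced policy lives in System32\CodeIntegrity, keep the XML sources under version control and redeploy through Group Policy rather than editing the binary in place.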