Windows 10 Device Guard Versus AppLocker
In this Ask the Admin, I will explain the difference between Device Guard and AppLocker in Windows 10. We will also discuss whether they should be used independently of each other or together.
Application control, or application whitelisting, is an important line of defense for enterprises in the fight against malware. It has long been recognized that signature-based antimalware software is not enough by itself. Removing administrator privileges from end users is a critical step, but it too is only one layer of a defense-in-depth strategy.
Software Restriction Policies and AppLocker
Application whitelisting technology first appeared natively in Windows XP as Software Restriction Policies (SRP). It was not widely adopted because it was difficult to implement. AppLocker was introduced as a replacement for SRP in Windows 7; it is more flexible and easier to deploy. So, why does Windows 10 need a new application control technology?
The technology behind Device Guard is not completely new, but Windows 10 is the first release to expose it for general use. It builds on Kernel Mode Code Integrity (KMCI), which arrived with Windows Vista, and User Mode Code Integrity (UMCI), which is new in Windows 10. Both enforce a code integrity policy that allows drivers, user-mode binaries, MSIs, and scripts to run only if they are signed by a publisher the policy trusts (or otherwise match one of the policy's rules). Furthermore, on supported hardware, Windows 10 can protect KMCI with Virtualization-Based Security (VBS): the code integrity checks run in a hypervisor-isolated environment that the normal Windows kernel cannot modify. This matters most when the kernel itself has been compromised by malware, because even then the attacker cannot tamper with the enforcement. VBS is enabled in Windows 10 by configuring Virtual Secure Mode (VSM) in Group Policy (Computer Configuration > Administrative Templates > System > Device Guard > Turn On Virtualization Based Security).
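The following is an added example, not code from the original article or from Microsoft's documentation. It shows the workflow the paragraph above describes: building a code integrity policy that covers both kernel-mode and user-mode code (KMCI plus UMCI), deploying it in audit mode first, and then checking from WMI whether VBS and the code integrity policy are actually active after a reboot. It assumes an elevated PowerShell session on Windows 10 Enterprise, where the ConfigCI module ships in-box; the folder and file names are arbitrary choices.

```powershell
# Added example (not from the original article): build and deploy a Device Guard
# code integrity policy in audit mode, then verify VBS/KMCI/UMCI status.
# Assumptions: elevated PowerShell on Windows 10 Enterprise/Education (the
# ConfigCI module is only present there); C:\CIPolicy is an example path.
Import-Module ConfigCI

$xml    = 'C:\CIPolicy\InitialScan.xml'
$binary = 'C:\CIPolicy\SIPolicy.p7b'
New-Item -ItemType Directory -Path (Split-Path $xml) -Force | Out-Null

# Scan a clean "golden" reference machine. -UserPEs makes the policy cover
# user-mode binaries (UMCI) as well as drivers (KMCI). -Level Publisher trusts
# anything signed by the publisher certificates found during the scan;
# -Fallback Hash adds per-file hash rules for unsigned files.
New-CIPolicy -ScanPath 'C:\' -Level Publisher -Fallback Hash `
    -UserPEs -FilePath $xml

# Rule option 3 = "Enabled:Audit Mode". Files that would be blocked are only
# logged (Microsoft-Windows-CodeIntegrity/Operational, event ID 3076) instead
# of being denied. Remove it later with: Set-RuleOption -FilePath $xml -Option 3 -Delete
Set-RuleOption -FilePath $xml -Option 3

# Compile the XML to the binary form Windows reads at boot and put it in place.
ConvertFrom-CIPolicy -XmlFilePath $xml -BinaryFilePath $binary
Copy-Item $binary 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force

# After a reboot, confirm what is actually running rather than what was
# configured. VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not
# running, 2 = running. SecurityServicesRunning contains 2 when VBS-protected
# KMCI (HVCI) is on. The two *EnforcementStatus values: 0 = off, 1 = audit,
# 2 = enforced.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard `
        -ClassName Win32_DeviceGuard
$dg | Select-Object VirtualizationBasedSecurityStatus,
                    SecurityServicesRunning,
                    CodeIntegrityPolicyEnforcementStatus,
                    UsermodeCodeIntegrityPolicyEnforcementStatus
```

A full-disk `New-CIPolicy` scan can take hours, and the resulting policy is only as trustworthy as the reference machine it was scanned on. Review the 3076 audit events for a representative set of users before deleting the audit-mode option, because once enforced, anything not covered by a rule is simply refused.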
Does Device Guard Replace AppLocker?
AppLocker can block unsigned apps, but Device Guard is integrated far more deeply into the platform. Its chain of trust extends from the hardware (UEFI Secure Boot) through the boot loader to the kernel, and with VSM enabled the enforcement itself is much harder to tamper with. AppLocker, by contrast, is enforced by the Application Identity service inside the same operating system an attacker with administrator or kernel privileges may already control.
Device Guard should be your first line of defense, with AppLocker complementing it. A code integrity policy that trusts Microsoft's signing certificates also trusts every Windows Store app, because Store apps are signed by Microsoft, so all Store apps will run under such a policy. If you need to block specific Store apps, use AppLocker's packaged app rules alongside Device Guard. AppLocker is therefore not redundant and remains fully supported in Windows 10; existing AppLocker rules continue to work after upgrading from Windows 7.
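As an added example (not the article's own), the script below shows the complementary use just described: a Device Guard policy allows every Microsoft-signed Store app, so an AppLocker packaged app rule collection is layered on top to deny one of them. It keeps AppLocker's default "allow all signed packaged apps" rule and adds a Deny rule keyed on the package's publisher and name. The choice of Groove Music (package `Microsoft.ZuneMusic`) as the app to block is an assumption for illustration; substitute any installed package.

```powershell
# Added example (not from the original article): block a single Store app with
# an AppLocker packaged-app rule while a Device Guard policy allows Store apps
# in general. Assumption: Microsoft.ZuneMusic (Groove Music) is the target;
# run elevated on Windows 10 Enterprise.
$pkg = Get-AppxPackage -Name 'Microsoft.ZuneMusic' | Select-Object -First 1
if (-not $pkg) { throw 'Target package is not installed on this machine.' }

# Packaged-app (Appx) rules match on publisher, package name and version, not
# on paths or hashes. The first rule is AppLocker's standard default rule;
# without it, enabling the Appx collection would block every Store app.
$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Appx" EnforcementMode="Enabled">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="(Default Rule) All signed packaged apps"
        Description="Allows all signed packaged apps" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="*" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny $($pkg.Name)"
        Description="Blocked Store app" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$($pkg.Publisher)"
            ProductName="$($pkg.Name)" BinaryName="*">
          <BinaryVersionRange LowSection="0.0.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$path = Join-Path $env:TEMP 'DenyStoreApp.xml'
$policy | Set-Content -Path $path -Encoding UTF8

# Dry run: evaluate the policy against the installed package before applying
# it. PolicyDecision should read "Denied" for the target package.
Test-AppLockerPolicy -XmlPolicy $path -Packages $pkg |
    Select-Object -ExpandProperty PolicyDecision

# AppLocker is enforced by the Application Identity service, which is not
# running by default; it must be set to start automatically.
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Merge the new collection into the local policy instead of replacing it, so
# any existing executable, script or MSI rules are kept.
Set-AppLockerPolicy -XmlPolicy $path -Merge
```

In a domain, the same XML is imported into a GPO under Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker rather than applied with `Set-AppLockerPolicy`. The point to remember is that the Device Guard code integrity policy decides whether Microsoft-signed code may run at all; AppLocker only narrows that set further, so a file denied by Device Guard is never reached by an AppLocker Allow rule.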
Device Guard Improvements in the Creators Update
Device Guard is available only in the Windows 10 Enterprise and Education SKUs, and there is no management GUI: policies are created, merged, and deployed with PowerShell. If you want to enable UMCI, code integrity policies need far more comprehensive testing, because every user-mode binary, script, and installer in use must be covered by a rule, so Device Guard might not yet be ready to replace AppLocker in your organization. Nevertheless, Microsoft is working to improve it. Code integrity policies in the Windows 10 Creators Update (version 1703) can determine whether specific plug-ins, add-ins, and modules are allowed to run; for example, you could block all Word add-ins that are not listed in the policy. Hopefully, future versions of Windows will see Microsoft build upon Device Guard’s capabilities and improve its manageability.