Windows Client OS

What Is Windows Defender System Guard in the Fall Creators Update?


In this Ask the Admin, I’ll explain how Windows Defender System Guard reorganizes existing security defenses.



Sponsored Content

Read the Best Personal and Business Tech without Ads

Staying updated on what is happening in the technology sector is important to your career and your personal life but ads can make reading news, distracting. With Thurrott Premium, you can enjoy the best coverage in tech without the annoying ads.

Windows Defender System Guard in the Fall Creators Update is a new label for a set of technologies designed to ensure that the system can’t be compromised or if it is, notify the user. Microsoft says it has three goals for System Guard:

  1. Protect and maintain the integrity of the system as it starts up
  2. Protect and maintain the integrity of the system after it’s running
  3. Validate that system integrity has truly been maintained through local and remote attestation

It is important to focus on maintaining system integrity because if Windows is compromised, then all other security defenses will likely fail. System Guard isn’t compromised of new features but instead brings together existing security defenses. Microsoft hopes this will make it easier to invest in security and make further improvements in the next major Windows release, which is expected in spring 2018.

Hardware-based root of trust, or Secure Boot as Microsoft refers to it, was introduced in Windows 8 and helps protect the OS during startup, ensuring that a malicious bootloader cannot start before Windows loads. Secure Platform Boot then ensures that as Windows loads, files and drivers are signed. Finally, antivirus is started to check third-party drivers.



See Enabling Secure Boot in Windows 8 and Windows Server 2012 to check if Secure Boot is enabled on your system.

Virtualization-based security (VBS), which was introduced in Windows 10 to isolate critical parts of the OS using containers, has been renamed to the Windows Defender System Guard container. In addition to enabling Credential Guard and Device Guard, for protecting domain credentials and application control policies respectively, System Guard container enables other technologies, including Virtual TPM and parts of Exploit Guard.

System Guard can verify the integrity of the OS while it is running. In an ideal world, we’d be able to trust the security defenses that I’ve described to protect the OS and assume that Windows hasn’t been compromised. But we should never assume that a system hasn’t been breached and System Guard aims to determine that a system is healthy or notify the user if it is not.

Windows Defender System Guard in the Fall Creators Update (Image Credit: Microsoft)
Windows Defender System Guard in the Fall Creators Update (Image Credit: Microsoft)

By taking a set of integrity measurements as the system boots and storing them in a TPM to prevent tampering, System Guard can handover this data to management systems, like Intune or System Center Configuration Manager, and access blocked to resources if System Guard determines there’s a problem with the system’s integrity. Device Health Attestation (DHA) isn’t enabled by default in Windows 10 and is a reactive security defense. It won’t stop Windows booting if System Guard identifies a problem. But it can be used to block a device’s access to sensitive network resources.

In addition to a Mobile Device Management (MDM) service, like Intune, DHA requires a Health Attestation Service server, which can be either hosted on Windows Server 2016, a free Microsoft-managed DHA service, or a virtual host in Microsoft Azure. For more detailed information on Windows 10 DHA, see Microsoft’s website here.



Windows Defender System Guard is more a reorganization of existing technologies than something completely new but the groundwork that Microsoft has done in the Fall Creators Update is about simplifying Windows to make it easier to build new defenses into the operating system. But not only that, it helps Microsoft streamline its message around security.

Related Topics:


Don't have a login but want to join the conversation? Sign up for a Petri Account

Comments (0)

Leave a Reply

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.

Download this eBook!

External Sharing and Guest User Access in Microsoft 365 and Teams

his eBook will dive into policy considerations you need to make when creating and managing guest user access to your Teams network, as well as the different layers of guest access and the common challenges that accompany a more complicated Microsoft 365 infrastructure. The eBook will also outline some of the major decision points across four general-purpose guest access policy scenarios for how an organization can set this up with standard licensing.

Download Now

Sponsored By