Yesterday, during the RSA Conference in California, Microsoft shared more details on a feature that will help business customers protect Windows 10-based devices.
This feature, which Microsoft had apparently blogged about before without giving it a name, is called Device Guard. It allows organizations to lock those machines down so that they run only software from trusted sources.
It provides better security against malware and zero-days for Windows 10 by blocking anything other than trusted apps, which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. You’re in control of what sources Device Guard considers trustworthy, and it comes with tools that can make it easy to sign Universal or even Win32 apps that may not have been originally signed by the software vendor.
When an app is run on a system with Device Guard active, it is compared against a list of trustworthy software for that device, and a decision is made whether the software is valid for that organization.
Because it uses special hardware and virtualization, that decision process is independent of the Windows OS, so any attacker or malware that may have gained full privileges to the OS is unable to modify the list or execute unauthorized software.
In practice, Device Guard will frequently be used in combination with traditional AV and app control technologies. Traditional AV solutions and app control technologies will be able to depend on Device Guard to help block executable and script-based malware, while AV will continue to cover areas that Device Guard doesn’t, such as JIT-based apps (e.g., Java) and macros within documents. App control technologies can be used to define which trustworthy apps should be allowed to run on a device. In this case, IT uses app control as a means to govern productivity and compliance rather than malware prevention.
Microsoft has already partnered with several OEMs who will support the use of Device Guard on upcoming hardware:
The Redmond company believes using Device Guard in conjunction with Windows Hello and Microsoft Passport will reduce security-related issues against many of the common attack vectors in use today, and it feels Windows 10’s advanced security features are a big reason to make the move to the upcoming OS.