There's a new security feature in Windows 10 called Device Guard
April 24, 2015
This week at the RSA conference in San Francisco, Microsoft vice president Scott Charney outlined
a new security system in Windows 10 called Device Guard. Here's a closer look at how it works
and what it can do for the average user.
The details are still a bit sketchy for now, but more information will emerge at MS' Build Event next week.
However, from what we can tell, Device Guard wraps an extra layer of security around the
operating system to prevent malware from permanently compromising a PC or laptop.
Specifically, when enabled by an administrator, Device Guard checks that each and every
application is cryptographically signed by Microsoft as a trusted binary before it is allowed
The new system goes a step further than Microsoft has gone before. Device Guard itself runs
in its own pocket of memory with its own minimal instance of Windows, and is protected from the rest
of the operating system by the IOMMU features in the PC's processor and motherboard chipset.
These IOMMU features wall off Device Guard at the hardware level, so it cannot be tampered
with by other software, no matter how low-level that software is, according to the software behemoth.
If the Windows 10 kernel is ever compromised, Device Guard will remain firewalled off, and
cannot be subverted into allowing unauthorized code to run.
And to make 100 percent sure that this works, a hypervisor running beneath the kernel and Device
Guard enforces this at all times.
From the outset, it looks pretty clever. In theory, that is – similar "secure execution environments"
have been defeated in the past, so there is a caveat, if you will.
But the new concept is to stop miscreants from installing malware on a machine, thus limiting the
amount of long-term damage an attacker can do.
"If you want to create a persistent threat on Windows you have to get code running in the kernel,
because then you can get under apps, under a lot of safeguards, and change the behavior of the system,"
said Dustin Ingalls, Microsoft's group program manager for operating system security.
"With MS' Device Guard, we take at least a similar sized step forward as the change for Windows
8 by making a bet on hypervisor-based security. With Windows 10, what will happen is that the hypervisor
will be on all the time. You'll have your main OS, but what you'll also have is this very tiny,
constrained version of Windows with no network or display stack. It's designed to be a very tiny,
tightly controlled secure execution environment."
Ingalls added that Device Guard will approve trusted universal apps on Windows 10 desktops,
tablets and phones.
Applications available from the Windows Store will be signed off and ready to run via Device Guard.
Enterprises with legacy apps can send hashes of the executables to Microsoft to be signed within
minutes, we're told.
"When apps are submitted to the Store, those apps go through vetting and all kinds of security checks,"
"But if an enterprise is saying 'Hey, sign this for me,' it will be done with a key that only works
for that company. If that enterprise wants to sign bad code, they are entitled to do that – we're not
trying to say we'll only sign this or that. All we're doing is trying to make it easy for you to get
an app signed so the new defenses will allow this piece of software to run," he added.
There is, of course, a catch. To get Device Guard working, a supported IOMMU setup must be present
in the PC or device. But Intel and AMD processors, and even certain ARM and MIPS cores, have had IOMMU
protection mechanisms built-in for a while already.
Intel calls its IOMMU tech VT-d. AMD prefers to call it AMD-Vi, but they all work in a very similar
When Windows 10 comes out this summer, computer giants such as HP, Dell, Lenovo, Acer and Toshiba will
tout their hardware as Device Guard-capable or Device Guard-ready.
Device Guard-ready systems will have the required IOMMU hardware present, kernel drivers optimized
for Device Guard installed, and the security feature enabled.
Device Guard-capable devices will have just the IOMMU hardware present, leaving the driver installation
and configuration up to the user.
There may be an extra cost for Device Guard-ready systems over Device Guard-capable products, but that's
up to the manufacturers, Microsoft said.
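As an added example (not from this article or from Microsoft), the PowerShell below does the two checks an administrator would want after reading the above: whether the hypervisor-backed isolation and IOMMU (DMA) protection are actually available and running on a machine, and which executables in a folder would pass a policy that trusts only specific signers. The Win32_DeviceGuard class exists on Windows 10 and later; `$AuditPath` and `$TrustedThumbprints` are placeholders to fill in for your own environment.

```powershell
# Added example: Device Guard readiness report plus a signer-based binary audit.
# $AuditPath and $TrustedThumbprints are placeholders, not values from the article.
param(
    [string]$AuditPath = "C:\Program Files\ExampleApp",                    # placeholder folder
    [string[]]$TrustedThumbprints = @("<THUMBPRINT-OF-YOUR-SIGNING-CERT>") # placeholder
)

# 1. Platform readiness: is virtualization-based security present and running?
#    The class is absent on builds older than Windows 10, hence the null check.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
if ($null -eq $dg) {
    Write-Warning "Win32_DeviceGuard not present; this OS does not expose Device Guard status."
} else {
    # Numeric codes below follow Microsoft's Win32_DeviceGuard documentation
    $vbsState = @{0 = 'not enabled'; 1 = 'enabled, not running'; 2 = 'enabled and running'}
    $props    = @{1 = 'hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA (IOMMU) protection'}
    Write-Host ("VBS status: " + $vbsState[[int]$dg.VirtualizationBasedSecurityStatus])
    $have = $dg.AvailableSecurityProperties | Where-Object { $props.ContainsKey([int]$_) } |
            ForEach-Object { $props[[int]$_] }
    Write-Host ("Hardware properties available: " + ($have -join ', '))
    # Code 2 in SecurityServicesRunning = hypervisor-enforced code integrity is active
    Write-Host ("Hypervisor-enforced code integrity running: " + ($dg.SecurityServicesRunning -contains 2))
}

# 2. Binary audit: which executables would a policy trusting only listed signers allow?
function Test-BinaryTrust {
    param([string]$Path, [string[]]$Thumbprints)
    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        $tp  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status   # Valid, NotSigned, HashMismatch, UnknownError, ...
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            # Allowed only when the signature is intact AND the signer is on the allow list
            Allowed = ($sig.Status -eq 'Valid') -and ($Thumbprints -contains $tp)
        }
      }
}

$results = Test-BinaryTrust -Path $AuditPath -Thumbprints $TrustedThumbprints
$results | Format-Table -AutoSize
"{0} of {1} binaries would be blocked by a policy trusting only the listed signers." -f `
    (@($results | Where-Object { -not $_.Allowed })).Count, @($results).Count
```

Run it from an elevated PowerShell session; the audit half is the useful pre-rollout step, since it shows which unsigned or third-party-signed binaries would need the enterprise signing route the article describes.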
In the longer term, it's hoped that cost will disappear. "Device Guard has to be one of the most compelling
security innovations we've shipped in Windows," Ingalls said. "But it doesn't signal an end to malware. It
makes it much more difficult, especially in the world where you're dealing with cybercriminals."