Microsoft Windows Defender Device Guard

Windows Defender Device Guard is a security feature for Windows 10 Enterprise and Windows Server 2016 designed to use application whitelisting and code integrity policies to protect users' devices from malicious code that could compromise the operating system.

With a code integrity policy, which IT creates to determine what software can run on Windows 10, IT can prevent unknown or untrusted applications, as well as specific plug-ins, add-ons or other application modules, from running on end-user devices.

Device Guard goes hand-in-hand with Microsoft's AppLocker and Windows Defender Credential Guard to provide a preventative security system. IT can use Device Guard alongside Virtual Secure Mode (VSM), a Windows hypervisor-protected kernel, to provide virtualization-based security, which helps keep bad drivers and files off the system.

How Windows Defender Device Guard works

Windows Defender Device Guard uses code integrity policies, known as Windows Defender Application Control as of Windows 10 version 1709, to let IT whitelist the applications, and the extensions within those applications, that can run on the OS. This allows IT to block unwanted software before it ever enters the system. IT can also define a set of trusted users with trusted signatures who are the only people allowed to alter the code integrity policies. Device Guard enforces the code integrity policies from a kernel isolated in a container.

Device Guard provides security for both physical and virtual desktop deployments. Device Guard code integrity policies rely on hardware features: CPU virtualization extensions, second-level address translation (SLAT) and input/output memory management units (IOMMUs).

Device Guard features to know

An additional tool in Windows Defender Application Control called Package Inspector creates a catalog of the binary files for all trusted applications. Even if malware does seep into the VSM kernel, Device Guard's code integrity checks prevent it from executing code in secure systems. If there is a direct memory access attack, the IOMMUs deny unusual memory requests. Windows Defender Device Guard also relies on Unified Extensible Firmware Interface (UEFI) Secure Boot to protect against bootkits and brute-force attackers.

Tools for managing Device Guard features

IT professionals can use the same management methods with Device Guard as they do with other Windows programs. IT can set up and manage the catalog files and code integrity policies with Group Policy Objects in the administrative template. IT can deploy and manage code integrity policies, catalog files and hardware security features with System Center Configuration Manager. Windows PowerShell works well for IT professionals who want to focus on creating and distributing code integrity policies. Microsoft Intune may eventually support deployment and management of catalog files and code integrity policies as well, according to Microsoft.
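As an added example (not from the original page or from Microsoft's documentation), the PowerShell workflow described above: scan a reference machine into a code integrity policy, enable audit mode so the policy is validated before anything is blocked, compile it to the binary the kernel consumes, and review the audit events. The policy paths, the 24-hour window and the requirement to run elevated on a Windows 10 Enterprise reference machine are assumptions of this example.

```powershell
# Added example, not the page's own code. Assumed: run as administrator on a
# Windows 10 Enterprise reference machine; $PolicyXml / $PolicyBin are example paths.
$PolicyXml = "C:\CIPolicy\InitialPolicy.xml"
$PolicyBin = "C:\CIPolicy\SIPolicy.p7b"
New-Item -ItemType Directory -Path (Split-Path $PolicyXml) -Force | Out-Null

# 1. Scan the reference machine and whitelist installed software by signer
#    (Publisher level), falling back to a file hash for unsigned binaries.
#    -UserPEs covers user-mode executables as well as drivers.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs -FilePath $PolicyXml

# 2. Rule option 3 = "Enabled:Audit Mode": violations are logged, not blocked,
#    so a policy that is too tight does not break the fleet on first deployment.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Convert the XML into the binary form the kernel consumes. Deploy the .p7b
#    with Group Policy or System Center Configuration Manager as described above.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. After the audit policy has run for a while, list what it would have blocked.
#    Code Integrity event ID 3076 is the audit-mode "would have been blocked" event;
#    3077 is the enforced block. -ErrorAction hides the "no events found" error.
function Get-CIAuditViolations {
    param([int]$Hours = 24)
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id        = 3076
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Message = $e.Message   # names the file and the policy that flagged it
        }
    }
}
Get-CIAuditViolations -Hours 24 | Sort-Object Message -Unique | Format-Table -Wrap

# 5. Only once the audit log is clean: remove option 3 to move to enforcement
#    and rebuild the binary. Left commented out so the script stays in audit mode.
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
# ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
```

Any file that appears in the audit output needs either a signer, hash or catalog (Package Inspector) rule added to the policy before enforcement, otherwise users will lose it once option 3 is removed.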

This was last updated in November 2017
