Windows Defender Device Guard is a security feature for Windows 10 Enterprise and Windows Server 2016 designed to use application whitelisting and code integrity policies to protect users' devices from malicious code that could compromise the operating system.
With a code integrity policy, which IT creates to determine what software can run on Windows 10, IT can prevent unknown or untrusted applications, as well as specific plug-ins, add-ons or other application modules, from accessing end-user devices.
Device Guard goes hand-in-hand with Microsoft's AppLocker and Windows Defender Credential Guard to provide a preventative security system. IT can use Device Guard alongside Virtual Secure Mode (VSM), a Windows hypervisor-protected kernel, to provide virtualization-based security, which helps keep bad drivers and files off the system.
How Windows Defender Device Guard works
Windows Defender Device Guard uses code integrity policies, which are known as Windows Defender Application Control as of Windows 10 version 1709, for IT to whitelist applications and extensions within those applications that can run on the OS. This allows IT to block unwanted software before it ever enters the system. IT can also create a set of trusted users with trusted signatures who are the only people who can alter the code integrity policies. Device Guard runs the code integrity policies through a kernel in a container.
Device Guard provides security for both physical and virtual desktop deployments. Device Guard code integrity policies work on CPU virtualization extensions, second level address translations and input/output memory management units (IOMMUs).
Device Guard features to know
An additional tool in Windows Defender Application Control called Package Inspector creates a catalog of the binary files for all trusted applications. Even if malware does seep into the VSM kernel, Device Guard prevents it from executing code with code integrity checks in secure systems. If there is a direct memory access attack, the IOMMUs deny access to unusual memory requests. Windows Defender Device Guard also has a Universal Extensible Firmware Interface that performs a secure boot to protect against boot kits and brute-force attackers.
Tools for managing Device Guard features
IT professionals can use similar management methods with Device Guard as they do with other Windows programs. IT can set up and manage the catalog files and code integrity policies with Group Policy Objects in the administrative template. IT can deploy and manage code integrity policies, catalog files and hardware security features with System Center Configuration Manager. Windows PowerShell works well for IT professionals that want to focus on creating and sending out code integrity policies. Microsoft Intune may eventually support deployment and management of catalog files and code integrity policies as well, according to Microsoft.