Microsoft’s Device Guard locks down Windows 10 so it can only run trusted apps

At the RSA Conference in San Francisco today, Microsoft announced Device Guard, a new Windows 10 security feature that will allow enterprises to lock down their desktops so they are “incapable of running anything other than trusted apps.” Impressively, the company claims that Device Guard is capable of thwarting an attacker or malware that has gained full system privilege.

Microsoft has talked about Device Guard before, though as an unnamed feature. The company is now officially detailing it and giving some proper context.

Device Guard lets organizations lock down devices to provide advanced malware protection against new and unknown malware variants as well as Advanced Persistent Threats. The feature takes an all-or-nothing approach: It blocks everything but trusted apps, which have to be signed by specific software vendors, the Windows Store, or your specific organization.

Device Guard comes with tools for signing universal Windows apps (touch apps that run across desktops, tablets, smartphones, and more) as well as standard Windows desktop apps (Win32). Even if they have not been signed by the original software vendor, organizations can sign them to mark them as trusted apps internally.

Here is how Device Guard works in practice:

To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege.

This gives it a significant advantage over traditional anti-virus and app control technologies like AppLocker, Bit9, and others which are subject to tampering by an administrator or malware. In practice, Device Guard will frequently be used in combination with traditional AV and app control technologies. Traditional AV solutions and app control technologies will be able to depend on Device Guard to help block executable and script based malware while AV will continue to cover areas that Device Guard doesn’t such as JIT based apps (e.g.: Java) and macros within documents.

Microsoft says the following computer makers have already signed on to support Device Guard: Acer, Fujitsu, HP, NCR, Lenovo, Par Technology, and Toshiba.

Microsoft also talked about two other Windows 10 security features announced last month: Windows Hello and Microsoft Passport. Windows Hello lets users unlock their Windows 10 device — whether it be a PC, tablet, or a smartphone — with their finger, iris, or face. Microsoft Passport takes the functionality a step further by letting users access apps and online services without a password.

Today, Microsoft confirmed that all computers that have Intel’s RealSense 3D F200 camera will support Windows Hello’s and Microsoft Passport’s facial unlock features. The camera uses infrared lasers, multiple lenses, and a special processing chip to analyze images. While it isn’t the only device to support the upcoming Windows 10 features, Microsoft is highlighting it because it’s already available in the market.

Because of Windows’ massive userbase, security is all the more critical. Microsoft claims “some customers are already telling us that Windows 10’s security benefits are one of the key reasons they choose to migrate.” If that is true, the company has a real enterprise winner on its hands.