Device Guard safeguards Windows 10 with hardware authentication

Microsoft at RSA 2015

Continuing the theme of Microsoft's RSA keynote that hardware-based security is superior to a software approach, I sat down with Microsoft's Windows Security and Identity Group program manager Dustin Ingalls and senior product marketing manager Chris Hallum to discuss Device Guard, a feature that will launch with Windows 10. Device Guard will join Windows 10's three-pronged approach to security this summer, alongside Microsoft Passport and Windows Hello.

Our current version of security is that we trust everything until antivirus programs - like McAfee, Norton and Windows Defender - tells us otherwise, says Hallum. However, there are unknown threats out there that remain undetected until the threats are known. At that point, there will already be victims and data would have been compromised.

Moving away from this model, Microsoft Trustworthy Computing corporate vice president Scott Charney proposes that companies should whitelist apps and migrate to hardware-based authentication.

Windows security

With each version of Windows, Microsoft has evolved the way it approaches security for its desktop operating system.

On Windows 7, Microsoft uses a software approach. However, that changed to a hardware-based strategy starting with Windows 8, which uses a platform secure boot through a feature called Unified Extensible Firmware Interface, or UEFI, to prevent BIOS-based firmware attacks.

On Windows 10, Microsoft is continuing its focus on hardware security with a hypervisor-based solution to create a trusted secure mode with Device Guard.

Device Guard

Device Guard offers better malware protection by blocking any app other than trusted apps. This essentially creates a whitelist of apps for your organization to use, and locks the system from new or unknown malware attacks.

Ingalls says this begins with the Local Security Authority (LSA) to create a virtual secure mode that prevents hash attacks. The virtual secure mode runs outside of the main operating system to keep things safe, even if the operating system is compromised.

Then, we move to kernel mode integrity component. This moves the Code Integrity outside of the kernel, and Windows checks to see if a software package has been officially signed by Microsoft or a trusted publisher. This prevents rogue or malicious software from running in what Microsoft terms as user mode code integrity.

Ingalls says that the hypervisor-based approach keeps things safe by moving the security feature outside of the main OS and is hardware-dependent. When an app is run, Windows determines if the app is trustworthy. By using hardware and virtualization to isolate this decision-making process outside of Windows, Device Guard remains secure and safe, even if a malicious code gains access to full system privileges.

Roots in Windows Phone

In effect, by requiring applications to be signed through the Code Integrity program along with the hardware-based hypervisor feature, Device Guard creates a whitelist of applications that can run on a system.

"This is an architectural change to the system, not just another [antivirus] solution, and it contains elements from Windows Phone," said Hallum.

Microsoft says that Device Guard is a newly coined name, but the feature has been around and is in use on Windows Phone. By vetting apps in the Store and requiring apps to be digitally signed, Microsoft says that its approach, compared to the competing Android operating system, significantly reduces the risk of malicious attacks.


Ingalls says that apps can be signed in two ways. Publishers can submit their apps to Microsoft for a digital signature as the easy and quick approach.

For enterprises with proprietary code and data, and publishers who may not want to expose their apps to Microsoft, the company will provide tools for them to sign their own apps to run on their systems.

In order to use Device Guard, Ingalls says that any device that's certified for Windows 8 will be compatible. Essentially, you'll need a device that supports hypervisor, including any device that supports Intel's VT-D. To support the complete features of Device Guard, Microsoft says that it will work with hardware partners to roll out systems that are Device Guard certified.