Microsoft details how Device Guard fights malware in Windows 10

As Windows 10 was being prepared for release, Microsoft presented many new security features (and we’ve written about some) to be included in the new version of the popular OS.

With a technical guide published last week, the company has offered more details about a particular security feature introduced in the enterprise version: Device Guard.

Device Guard allows admins to protect users by blocking the execution of all software that is not digitally signed by Microsoft or a trusted vendor, and it’s meant to block zero-day exploits. It’s also meant to be employed alongside other Windows threat mitigation features such as AppLocker and Credential Guard.

“Device Guard’s features revolutionize the Windows operating system’s security by taking advantage of new virtualization-based security (VBS) options and the trust-nothing mobile device operating system model, which makes its defenses much more difficult for malware to penetrate. By using configurable code integrity policies, organizations are able to choose exactly which applications are allowed to run in their environment,” Microsoft explained in the document.

Organizations can easily sign their own existing applications so that they can trust their own code – they won’t need to repackage them. Signing third-party apps with their signature will allow these apps to be trusted within the organization.

“Along with code integrity, Windows 10 leverages advanced hardware features such as CPU virtualization extensions, input/output memory management units (IOMMUs), Trusted Platform Module (TPM), and second-level address translation (SLAT) to offer comprehensive modern security to its users,” they noted.

For more details about the feature, deployment scenarios and instructions, and configuration tips, check out the very detailed guide.