Microsoft Device Guard Combines Software And Hardware To Protect Windows 10 Installations From Advanced Malware

A lot of the attention Windows 10 has received from the media has focused on consumer features and amenities, but there's quite a bit for enterprise users to look forward to as well. One of them is called Device Guard, a previously unnamed feature from Microsoft that gives organizations the ability to lock down devices in a way that's designed to offer advanced malware protection.

"It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization," Microsoft explains. "You’re in control of what sources Device Guard considers trustworthy and it comes with tools that can make it easy to sign Universal or even Win32 apps that may not have been originally signed by the software vendor."

HP Envy 15

This is both a hardware and software solution. When an app is executed, Windows determines if it's trustworthy or up to no good, and notifies the user if it's the latter. Where Device Guard comes into play is by using hardware technology and virtualization to isolate that decision making function from the rest of Windows, thereby adding a layer of protection from attackers that may have gained full system privilege.

According to Microsoft, this ability gives Device Guard a huge advantage over traditional antivirus and app control technologies like AppLock, Bit9, and others, all of which can be altered by an admin or malware. In fact, Microsoft considers Device Guard to be one of its top security features in Windows 10, which will ship out later this summer.

Several OEM partners are already on board with Device Guard, including Acer, Fujitsu, Hewlett-Packard, Lenovo, NCR, Par, and Toshiba.