Device Guard is a group of key features, designed to harden a computer system against malware. Its focus is preventing malicious code from running by ensuring only known good code can run. We had earlier talked about how Windows is an anti-malware operating system. It acts on itself and other applications to see if they are genuine applications required by the computer, much before loading the interface, so that a level of security is added to the computers where it is being run. In short, it provides Trusted Boot, a boot time malware protection service to keep malware at bay. But malware writers are smart and they can use certain techniques to bypass this inspection. Microsoft has therefore brought in another feature that promises tougher anti-malware measures during booting.
Device Guard in Windows 11/10
With security concerns rising, Microsoft is now bringing in a firmware that will act at the hardware level during and even before boot, to let only properly signed applications and scripts to load. This is being called Windows Device Guard and OEMs are happily ready to install it on the computers they manufacture. Device Guard is one of Microsoft’s top security features in Windows 11/10. OEMs like Acer, Fujitsu, HP, NCR, Lenovo, PAR and Toshiba have also endorsed it. The basic function of Device Guard in Windows would be to test each process being loaded into the memory for execution, prior to and during the boot process. It would check for genuineness, based on proper signatures of the applications and will prevent any process that lacks a proper signature, from loading into the memory. Microsoft’s Device Guard employs technology embedded at the hardware level – rather than being at the software level, which could miss detecting malware. It also employs virtualization to bring proper decision-making process, that will tell the computer what to allow and what to prevent from being loaded into the memory. This isolation will prevent malware, even if the attacker has full control of systems where the guard is installed. They may try, but will not be able to execute the code, as the Guard has its own algorithms that will block the malware from execution. Says Microsoft:
Device Guard vs Antivirus Software
Windows users will still need to install antimalware software to be running on their devices for malware originating from other sources. The only thing that Windows Device Guard will protect you against is the malware that tries to load into memory during boot time, before that antivirus software is able to protect you. Since the new Device Guard may not be able to access macros in documents and script based malware, Microsoft says users will have to use antimalware software in addition to the Guard. Windows now has built-in antimalware called Windows Defender. You might depend on it or use a third party antimalware to protect yourself better.
Does Device Guard allow other operating systems
The Windows Guard will let only pre-approved applications to be processed during boot time. IT developers can choose to allow all applications by a trusted vendor or they can configure it to check each application for approval. Irrespective of the configuration, Windows Guard will let only approved applications to run. In most cases, the approved applications will be decided by the signature of the application developer. This gives a twist to boot options. Those operating systems that do not have verified digital signatures, will not be allowed by the Windows Guard to be loaded. It does not however, take much to get any application or OS to get certified. Read: What is Credential Guard in Windows 11/10
Required hardware & software for Device Guard
To use Device Guard, you need to install and configure the following hardware and software: Read: Device Guard and Credential Guard Hardware Readiness Tool Now spare some time to read about Enterprise Data Protection in Windows.
