Device Guard - what is it?

  • General discussion

  • Hello!

    Very stupid question: what is the Device Guard?

    I'm asking this question after reading a great deal of msdn and technet articles regarding Device Guard and all of them say something like this:

    https://technet.microsoft.com/itpro/windows/whats-new/device-guard-overview


    I don't want to know WITH which additional security features I can use the Device Guard, I just want to see the list of the "software system integrity hardening features" which comprises (along with the "hardware system integrity hardening features") the Device Guard.

    For example, configurable code integrity, credential manager and applocker are NOT parts of the DG, so where can I see what DG consists of? Is there some short list of its components anywhere on the net???

    Thank you in advance,

    Michael


    Monday, April 18, 2016 9:52 AM

All replies

  • P.S. Later in this guide we can see that the only "software system integrity hardening feature" which can be applied to clients is the code integrity - located in the Device Guard section of the corresponding Administrative template:


    So are there any other software features???


    • Edited by MF47 Monday, April 18, 2016 2:32 PM
    Monday, April 18, 2016 2:30 PM
  • Hi, 

    For your first question, 

    This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them.


    Windows Passport

    Microsoft Passport has been around for quite a while. It serves as a single point entry to all of the Microsoft products such as Outlook.com, OneDrive, Messenger (when it was alive), People, contacts and more. In Windows 10, Microsoft Passport will replace passwords with strong two-factor authentication that consists of an enrolled device and a Windows Hello (biometric) or PIN.


    Windows Hello

    Windows Hello is the biometric authentication feature that helps strengthen authentication and helps to guard against potential spoofing through fingerprint matching and facial recognition.


    OS Servicing (WU)

    Windows Update for Business (WUfB) allows you to keep Windows 10-based devices in your organization always up to date with the latest security defenses and Windows features when these devices connect directly to the Windows Update (WU) service. Configuration Manager has the ability to differentiate between Windows 10 computers that use WUfB and WSUS for getting software updates.


    Windows Defender

    Windows Defender is a security technology used for the detection and mitigation of spyware and other potentially unwanted software. Windows Defender provides advanced system scanning and spyware removal technologies that simplify the removal of spyware and other potentially unwanted software from a computer.

    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, April 19, 2016 2:52 PM
    Owner
  • Hi Kate,

    Sorry, I didn't understand it: you mean Windows Passport, Windows Defender, OS Servicing (WU) and Windows Hello are all parts of the Device Guard?

    Tuesday, April 19, 2016 4:55 PM
  • Hi,

    I mean that this software will be combined in this feature to make your device more secure.


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Wednesday, April 20, 2016 2:23 PM
    Owner
  • "these software will be combined in this Feature" - so the answer to my question "are all parts of the Device Guard?" is "yes"?
    Thursday, April 21, 2016 10:57 AM
  • Hi Kate,

    Sorry, I didn't understand it: you mean Windows Passport, Windows Defender, OS Servicing (WU) and Windows Hello are all parts of the Device Guard?


    Jesus, what a mess, even within MS staff. Windows Defender part of Device Guard? I don't think so. True, it is hard to find accurate information about Device Guard. If I just enable the common GPO for that, I will see from System Info that Device Guard and Credential Guard are enabled. Those require UEFI and vCPU support. But, by doing only that, I can't promise the customer that we provide Device Guard, can I?

    Please remember to mark my post as an answer, if I really helped you out, or vote if useful. Thank you!

    Thursday, August 31, 2017 9:27 AM
  • I think this answers best the main question:

    Device Guard consists of three primary components:

    • Configurable Code Integrity (CCI) – Ensures that only trusted code runs from the boot loader onwards.
    • VSM Protected Code Integrity – Moves Kernel Mode Code Integrity (KMCI) and Hypervisor Code Integrity (HVCI) components into VSM, hardening them from attack.
    • Platform and UEFI Secure Boot – Ensuring the boot binaries and UEFI firmware are signed and have not been tampered with.

    When these features are enabled together, the system is protected by Device Guard, providing class leading malware resistance in Windows 10.

    Copied from:  https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-and-credential-guard-demystified/


    Please remember to mark my post as an answer, if I really helped you out, or vote if useful. Thank you!

    Friday, September 1, 2017 5:52 AM
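The two replies above raise the same practical question from opposite ends: the blog excerpt names the three components (CCI, VSM-protected code integrity/HVCI, Secure Boot), and the earlier reply notes that System Info saying "enabled" after a GPO push does not prove they are running. The following PowerShell script is an added example, not code from the thread or from Microsoft's documentation; it reads the Win32_DeviceGuard WMI class (the same data System Information displays) plus Confirm-SecureBootUEFI and reports each component separately. The numeric code meanings in the comments are taken from Microsoft's published documentation of that class; run it from an elevated prompt on Windows 10 or Server 2016 and later.

```powershell
# Added example (not from the thread): report which of the three Device Guard
# components listed in the blog excerpt are actually running on this machine.
# Win32_DeviceGuard is the WMI class that the "System Information" app reads.
# Requires an elevated PowerShell prompt on Windows 10 / Server 2016 or later.

$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

# SecurityServicesRunning codes: 1 = Credential Guard, 2 = HVCI (VSM protected code integrity).
# SecurityServicesConfigured uses the same codes but only says what policy asked for.
$running    = @($dg.SecurityServicesRunning)
$configured = @($dg.SecurityServicesConfigured)

# VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled but not running, 2 = running.
# Code 1 is the "GPO pushed but hardware/firmware cannot honour it" case described above.
$vbsStatus = switch ($dg.VirtualizationBasedSecurityStatus) {
    0       { 'not enabled' }
    1       { 'enabled but not running (check UEFI, Secure Boot, virtualization extensions)' }
    2       { 'running' }
    default { "unknown ($($dg.VirtualizationBasedSecurityStatus))" }
}

# CodeIntegrityPolicyEnforcementStatus: 0 = off, 1 = audit mode, 2 = enforced.
$cciStatus = switch ($dg.CodeIntegrityPolicyEnforcementStatus) {
    0       { 'off' }
    1       { 'audit only' }
    2       { 'enforced' }
    default { "unknown ($($dg.CodeIntegrityPolicyEnforcementStatus))" }
}

# Secure Boot state comes from a separate cmdlet; it throws on legacy BIOS machines,
# which is itself the answer (no UEFI, so no Secure Boot and no Device Guard).
try   { $secureBoot = Confirm-SecureBootUEFI }
catch { $secureBoot = $false }

$report = [pscustomobject]@{
    'Virtualization-based security'        = $vbsStatus
    'Configurable Code Integrity (CCI)'    = $cciStatus
    'HVCI (VSM protected code integrity)'  = if ($running -contains 2) { 'running' }
                                             elseif ($configured -contains 2) { 'configured, not running' }
                                             else { 'not configured' }
    'Credential Guard'                     = if ($running -contains 1) { 'running' }
                                             elseif ($configured -contains 1) { 'configured, not running' }
                                             else { 'not configured' }
    'UEFI Secure Boot'                     = if ($secureBoot) { 'enabled' } else { 'disabled or not UEFI' }
}

$report | Format-List

# All three components present only when CCI is enforced, HVCI is running and Secure Boot is on.
$allThree = ($cciStatus -eq 'enforced') -and ($running -contains 2) -and $secureBoot
"Device Guard (all three components active): $allThree"
```

The distinction between "configured" and "running" is the point of the script: Group Policy can set the configured flags on any machine, but the running flags only appear when the firmware and CPU requirements are met, so this is the check to run before telling a customer that Device Guard is in place.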
  • Thank you very much for the clarification, yannara!

    Regards,

    Michael

    Tuesday, September 5, 2017 9:11 AM