Device Guard in Windows 10 keeps malware away

Device Guard in Windows 10 is a firmware that will not let un-authenticated, unsigned, unauthorized programs as well as operating systems to load. We have already talked how we need an operating system that performs self-checks on what all is being fed to it and loaded into its RAM for execution. Depending only on an anti-malware software is not a wise thing these days, though we don’t have many options. An anti-malware is a separate application and needs to be loaded into the memory, before it starts scanning the applications being loaded into the memory.

Windows 10

We had earlier talked about how Windows 8.1 is an anti-malware operating system. It acts on itself and other applications to see if they are genuine applications required by the computer, much before loading the interface, so that a level of security is added to the computers where it is being run. In short, it provides Trusted Boot, a boot time malware protection service to keep malware at bay. But malware writers are smart and they can use certain techniques to bypass this inspection. Microsoft has therefore brought in another feature that promises tougher anti-malware measures during booting.

Device Guard in Windows 10

With security concerns rising, Microsoft is now bringing in a firmware that will act at the hardware level during and even before boot, to let only properly signed applications and scripts to load. This is being called Windows Device Guard and OEMs are happily ready to install it on the computers they manufacture.

Device Guard is one of Microsoft’s top security features in Windows 10. OEMs like Acer, Fujitsu, HP, NCR, Lenovo, PAR and Toshiba have also endorsed it.

Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. It uses the new virtualization-based security in Windows 10 to isolate the Code Integrity service from the Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy.

The basic function of Device Guard in Windows 10 would be to test each process being loaded into the memory for execution, prior to and during the boot process. It would check for genuineness, based on proper signatures of the applications and will prevent any process that lacks a proper signature, from loading into the memory.

Microsoft’s Device Guard employs technology embedded at the hardware level – rather than being at the software level, which could miss detecting malware. It also employs virtualization to bring proper decision-making process, that will tell the computer what to allow and what to prevent from being loaded into the memory. This isolation will prevent malware, even if the attacker has full control of systems where the guard is installed. They may try, but will not be able to execute the code, as the Guard has its own algorithms that will block the malware from execution.

Says Microsoft:

This gives it a significant advantage over traditional anti-virus and app control technologies like AppLocker, Bit9, and others that are subject to tampering by an administrator or malware.

Device Guard vs Antivirus Software

Windows users will still need to install antimalware software to be running on their devices for malware originating from other sources. The only thing that Windows Device Guard will protect you against is the malware that tries to load into memory during boot time, before that antivirus software is able to protect you.

Since the new Device Guard may not be able to access macros in documents and script based malware, Microsoft says users will have to use antimalware software in addition to the Guard. Windows now has built-in antimalware called Windows Defender. You might depend on it or use a third party antimalware to protect yourself better.

Does Device Guard allow other operating systems

The Windows Guard will let only pre-approved applications to be processed during boot time. IT developers can choose to allow all applications by a trusted vendor or they can configure it to check each application for approval. Irrespective of the configuration, Windows Guard will let only approved applications to run. In most cases, the approved applications will be decided by the signature of the application developer.

This gives a twist to boot options. Those operating systems that do not have verified digital signatures, will not be allowed by the Windows Guard to be loaded. It does not however, take much to get any application or OS to get certified.

Required hardware & software for Device Guard

To use Device Guard, you need to install and configure the following hardware and software:

  1. Windows 10. Device Guard only works with devices running Windows 10.
  2. UEFI.  It includes a feature called Secure Boot that helps protect your device’s integrity within the firmware itself.
  3. Trusted Boot. It is an architectural change that helps protect against rootkit attacks.
  4. Virtualization-based security. A Hyper-V protected container that isolates the sensitive Windows 10 processes. T
  5. Package inspector tool. A tool that helps you create a catalog of the files that require signing for Classic Windows applications.

You can read more about this on TechNet.

Spare some time to read about Enterprise Data Protection in Windows 10.

Posted by on , in Category Security with Tags
Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.


  1. ReadandShare

    Curious who gets to decide which are the ‘trusted applications’?

  2. Eternal Optimist

    Wait, I thought this was going to be preloaded as part of the new OS

  3. Mouliano

    I hope that this is a feature that can be disabled. I have an issue with MS dictating which apps I can run.

  4. Erniek

    Device Guard is a good idea if implemented properly. But I believe it will only benifit large companies.

    This will mean that perfectly legitimate and excelent software that has not been certified by MS will not run. Will the maker of the software have to pay MS before they can get their software certified? I think they will. There are small companies and individuals who produce really great programs and who will not/can not afford these costs. I believe that this is just another money making excersise by MS. I also think that this could be a way MS is trying to put folks of trying to install other OS’s as it will be to difficult for most PC users

  5. Arun Kumar

    The firmware would be from Microsoft so obviously, it would be Microsoft that gets to decide. Probably, we can add more trusted certificates to the certificate managers so that we can run the programs we want.

  6. Arun Kumar

    New computers will have this option as a firmware. OS will, at most, allow some customization such as whitelisting programs. That’s my conclusion based on what I’ve read.

  7. Arun Kumar

    It will be Microsoft. But since we can add trusted certificates, we’ll be able to use other programs – provided they have proper certificates. There will be some customization options in the operating system but basically, the thing is a hardware program so choices will be limited.

  8. Arun Kumar

    “There are small companies and individuals who produce really great programs and who will not/can not afford these costs”.

    I will have to agree with that. Even after whitelisting, the programs will need proper certificates to be executed. Process of getting certified is costly even if the certification authority is someone other than Microsoft. Let’s see what Microsoft does on this issue.

  9. New computers will have this option as a firmware. Windows may at most, allow some
    customization such as whitelisting of programs, I guess…

  10. youngblody

    This will stop dual booting then no other OS sharing the system !!

  11. Mr SnapChat

    kik messenger doesnt even allows you to register an account, its a certified app… microsoft can’t take care of every individual line of code made by other entities, and automatizating this process (like compilers do) doesnt means anything at all…

    I do really trust microsoft, i dont think they care a lot about what i do… but… i dont trust the others microsoft do trust…

    Do you?

  12. Larry Farmer

    Window 10 IS malware by definition. The fact that all of these pseudo
    bloggers are posting the same exact buzzwords means microsoft got caught
    astroturfing again.

  13. Larry Farmer

    Caught microsoft astroturfing again. Windows 10 is malware plain and simple.

  14. John Goodman

    Window 10 IS malware by definition. The fact that all of these pseudo
    bloggers are posting the same exact buzzwords means microsoft got caught
    astroturfing again.

Leave a Reply

Your email address will not be published. Required fields are marked *

6 + 6 =