How Windows Defender System Guard works on Windows 10

Windows 10 makes system-level attacks harder by making platform integrity more difficult to compromise. Windows Defender System Guard arrived with the Fall Creators Update for Windows 10, which reorganized the system integrity features so that they cannot be compromised.

Windows Defender System Guard

Windows Defender System Guard is designed to:

  1. Protect system integrity at startup.
  2. Maintain system integrity through the runtime.
  3. Validate system integrity maintenance via local and remote indicators.

How System Guard works during boot-time

In Windows 7, threats could go undetected and install a bootkit or rootkit. Such malware starts before Windows has finished booting, which gives it the higher ground. This problem can be avoided if you are running Windows 10 on hardware certified for Windows 8 and above. That hardware ensures only authorized firmware gets through to the bootloader, and the UEFI Secure Boot feature keeps malware such as bootkits off the system.

Windows Defender System Guard protects the device and system from boot-level malware, so attackers no longer have that advantage. System Guard allows only authorized files, drivers, and third-party apps to run during boot. Once boot is complete, System Guard starts the anti-malware software, which scans third-party drivers.

System Guard also ensures that boot has completed without system integrity having been compromised. Only then does the rest of the system defense come into action.

How System Guard works during runtime

Achieving security at the core level is not enough unless it is maintained. Even if an attacker has the upper hand, attacks can be kept at bay by safeguarding the integrity of crucial services and data. Windows 10 came with virtualization-based security (VBS) to help isolate the most sensitive data.

Windows 10 calls this portion the Windows Defender System Guard container. The hardware-based security features that maintain critical integrity during runtime include Credential Guard, Device Guard, etc. Parts of Windows Defender Exploit Guard also come under this.

How System Guard works to ensure overall security

It is not enough to acquire and maintain system integrity at the start. Throughout runtime and after, the system must be confirmed free from malware. Windows Defender System Guard helps to validate platform integrity even at this stage. It is good never to assume security, no matter how advanced the protection may be. We must always be breach-ready. This is why System Guard comes with a plethora of technologies to enable remote analysis of system integrity.

During Windows 10 boot, System Guard records a few integrity measurements using TPM 2.0 and keeps them hardware-isolated, so that the data is not tampered with in case of a system breach. This data can then help detect anomalies in configuration, boot components, and more. System Guard seals the data using the TPM and keeps it available for remote analysis by management systems like Intune and System Center Configuration Manager. Where necessary, the management system can deny the device access to resources if anything looks fishy.
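The measure-then-verify flow described above can be sketched as follows. This is an added example, not code from the original article or from Microsoft. It is a simplified model: the stage names and image bytes are constructed placeholders, and a real deployment delivers the PCR value in a TPM-signed quote and uses the TCG event log format, both of which are omitted here.

```python
import hashlib

PCR_RESET = bytes(32)  # a SHA-256 PCR starts as 32 zero bytes at power-on

def extend(pcr, digest):
    # TPM 2.0 extend: PCR_new = SHA-256(PCR_old || digest); it cannot be set directly
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(components):
    """Device side: hash each stage before running it, log it and extend the PCR."""
    log, pcr = [], PCR_RESET
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest))
        pcr = extend(pcr, digest)
    return log, pcr

def verify(log, reported_pcr, known_good):
    """Verifier side: return the list of findings; an empty list means healthy."""
    findings = []
    pcr = PCR_RESET
    for name, digest in log:
        pcr = extend(pcr, digest)
        if known_good.get(name) != digest:
            findings.append(f"unexpected measurement: {name}")
    if pcr != reported_pcr:
        findings.append("log does not reproduce the reported PCR value")
    return findings

# Constructed sample data: stage names and image bytes are placeholders.
GOOD = [("bootmgr", b"boot manager v1"), ("winload", b"os loader v1"),
        ("kernel", b"kernel v1")]
KNOWN_GOOD = {n: hashlib.sha256(i).digest() for n, i in GOOD}

def demo():
    clean_log, clean_pcr = measured_boot(GOOD)
    changed = [GOOD[0], ("winload", b"os loader, modified"), GOOD[2]]
    bad_log, bad_pcr = measured_boot(changed)
    return {
        "clean": verify(clean_log, clean_pcr, KNOWN_GOOD),
        "changed": verify(bad_log, bad_pcr, KNOWN_GOOD),
        # a log edited to look clean no longer matches the PCR the TPM holds
        "edited_log": verify(clean_log, bad_pcr, KNOWN_GOOD),
    }

if __name__ == "__main__":
    for case, findings in demo().items():
        print(case, "->", "allow" if not findings else f"deny {findings}")
```

Because each extend folds the previous PCR value into the next hash, the final value depends on every measurement and on their order, which is why the management system can trust a log only after replaying it against the reported PCR.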

Windows 10 brought the Windows Defender System Guard to enable a simplified Windows design and help users maintain and validate the integrity of the platform. Further work on this new System Guard will help make advancements in the field of platform integrity protection. The Windows Defender System Guard is still a work in progress and will give ultimate platform integrity and security to the OS. The future of Windows is in its advanced security system now, and every big and small update is taking it closer to that future.

More details are available on TechNet.

Anand Khanse is the Admin of, a 10-year Microsoft MVP Awardee in Windows (2006-16) & a Windows Insider MVP. Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.


  1. Evanna

    The option is only available in Windows Enterprise edition(?). Correct me if I'm wrong.

  2. Caleb

    Yes, Windows 10 Enterprise edition only.

  3. Dan

    Yes, COMODO et al are still useful in the home version.
