The Windows Club

TheWindowsClub covers authentic Windows 11, Windows 10 tips, tutorials, how-to's, features, freeware. Created by Anand Khanse, MVP.

What is Device Guard in Windows 11

Download Windows Speedup Tool to fix errors and make PC run faster

Device Guard in Windows 11/10 is a firmware that will not let unauthenticated, unsigned, unauthorized programs as well as operating systems load. We have already talked about how we need an operating system that performs self-checks on what is being fed to it and loaded into its RAM for execution. Depending only on anti-malware software is not wise these days, though we don’t have many options. An anti-malware is a separate application and needs to be loaded into the memory before it starts scanning the applications being loaded into the memory.

Windows 10

Device Guard is a group of key features designed to harden a computer system against malware. Its focus is preventing malicious code by ensuring only known good code can run.

We had earlier talked about how Windows is an anti-malware operating system. It acts on itself and other applications to see if they are genuine applications required by the computer, much before loading the interface, so that a level of security is added to the computers where it is being run. In short, it provides Trusted Boot, a boot time malware protection service to keep malware at bay. But malware writers are smart and they can use certain techniques to bypass this inspection. Microsoft has, therefore, brought in another feature that promises tougher anti-malware measures during booting.

What is Device Guard in Windows 11/10

With security concerns rising, Microsoft is now introducing firmware that will act at the hardware level during and even before boot to let only properly signed applications and scripts load. This is being called Windows Device Guard, and OEMs are happily ready to install it on the computers they manufacture.

Device Guard is one of Microsoft’s top security features in Windows 11/10. OEMs like Acer, Fujitsu, HP, NCR, Lenovo, PAR and Toshiba have also endorsed it.

Device Guard is a combination of hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications. It uses the new virtualization-based security in Windows to isolate the Code Integrity service from the Windows kernel itself, letting the service use signatures defined by your enterprise-controlled policy to help determine what is trustworthy.

The basic function of Device Guard in Windows would be to test each process being loaded into the memory for execution before and during the boot process. It checks for genuineness based on the proper signatures of the applications and prevents any process that lacks a proper signature from loading into the memory.

Microsoft’s Device Guard employs technology embedded at the hardware level – rather than being at the software level, which could miss detecting malware. It also employs virtualization to bring a proper decision-making process that will tell the computer what to allow and what to prevent from being loaded into the memory. This isolation will prevent malware, even if the attacker has full control of systems where the guard is installed. They may try, but cannot execute the code, as the Guard has its own algorithms that will block the malware from execution.

Says Microsoft:

This gives it a significant advantage over traditional anti-virus and app control technologies like AppLocker, Bit9, and others that are subject to tampering by an administrator or malware.

Device Guard vs Antivirus Software

Windows users will still need to install antimalware software to run on their devices for malware originating from other sources. The only thing that Windows Device Guard will protect you against is malware that tries to load into memory during boot time, before that antivirus software can protect you.

Since the new Device Guard may not be able to access macros in documents and script-based malware, Microsoft says users will have to use antimalware software in addition to the Guard. Windows now has built-in antimalware called Windows Defender. You might depend on it or use third-party antimalware to better protect yourself.

Does Device Guard allow other operating systems

Windows Guard will process only pre-approved applications during boot time. IT developers can choose to allow all applications by a trusted vendor or configure it to check each application for approval. Irrespective of the configuration, Windows Guard will let only approved applications run. In most cases, the approved applications will be decided by the application developer’s signature.

Windows Guard will not allow operating systems that do not have verified digital signatures to be loaded. However, it does not take much to get any application or OS certified.

Read: What is Credential Guard in Windows 11

Required hardware & software for Device Guard

To use Device Guard, you need to install and configure the following hardware and software:

  1. Device Guard only works with devices running Windows 11/10.
  2. UEFI.  It includes a feature called Secure Boot that helps protect your device’s integrity within the firmware itself.
  3. Trusted Boot. It is an architectural change that helps protect against rootkit attacks.
  4. Virtualization-based security. A Hyper-V protected container that isolates the sensitive Windows 11/10 processes.
  5. Package inspector tool. A tool that helps you create a catalog of the files that require signing for Classic Windows applications.

ReadDevice Guard and Credential Guard Hardware Readiness Tool

Now spare some time to read about Enterprise Data Protection in Windows.

AnandK@TWC

Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP (2006-16) & a Windows Insider MVP (2016-2022). Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.