Device Guard safeguards Windows 10 with hardware authentication

Continuing the theme of Microsoft’s RSA keynote that hardware-based security is superior to a software approach, I sat down with Microsoft’s Windows Security and Identity Group program manager Dustin Ingalls and senior product marketing manager Chris Hallum to discuss Device Guard, a feature that will launch with Windows 10. Device Guard will join Windows 10’s three-pronged approach to security this summer, alongside Microsoft Passport and Windows Hello.

Our current version of security is that we trust everything until antivirus programs – like McAfee, Norton and Windows Defender – tells us otherwise, says Hallum. However, there are unknown threats out there that remain undetected until the threats are known. At that point, there will already be victims and data would have been compromised.

Moving away from this model, Microsoft Trustworthy Computing corporate vice president Scott Charney proposes that companies should whitelist apps and migrate to hardware-based authentication.

Windows security

With each version of Windows, Microsoft has evolved the way it approaches security for its desktop operating system.

On Windows 7, Microsoft uses a software approach. However, that changed to a hardware-based strategy starting with Windows 8, which uses a platform secure boot through a feature called Unified Extensible Firmware Interface, or UEFI, to prevent BIOS-based firmware attacks.

On Windows 10, Microsoft is continuing its focus on hardware security with a hypervisor-based solution to create a trusted secure mode with Device Guard.

Device Guard

Device Guard offers better malware protection by blocking any app other than trusted apps. This essentially creates a whitelist of apps for your organization to use, and locks the system from new or unknown malware attacks.

Ingalls says this begins with the Local Security Authority (LSA) to create a virtual secure mode that prevents hash attacks. The virtual secure mode runs outside of the main operating system to keep things safe, even if the operating system is compromised.

Then, we move to kernel mode integrity component. This moves the Code Integrity outside of the kernel, and Windows checks to see if a software package has been officially signed by Microsoft or a trusted publisher. This prevents rogue or malicious software from running in what Microsoft terms as user mode code integrity.

Ingalls says that the hypervisor-based approach keeps things safe by moving the security feature outside of the main OS and is hardware-dependent. When an app is run, Windows determines if the app is trustworthy. By using hardware and virtualization to isolate this decision-making process outside of Windows, Device Guard remains secure and safe, even if a malicious code gains access to full system privileges.

Roots in Windows Phone

In effect, by requiring applications to be signed through the Code Integrity program along with the hardware-based hypervisor feature, Device Guard creates a whitelist of applications that can run on a system.

“This is an architectural change to the system, not just another [antivirus] solution, and it contains elements from Windows Phone,” said Hallum.

Microsoft says that Device Guard is a newly coined name, but the feature has been around and is in use on Windows Phone. By vetting apps in the Store and requiring apps to be digitally signed, Microsoft says that its approach, compared to the competing Android operating system, significantly reduces the risk of malicious attacks.


Ingalls says that apps can be signed in two ways. Publishers can submit their apps to Microsoft for a digital signature as the easy and quick approach.

For enterprises with proprietary code and data, and publishers who may not want to expose their apps to Microsoft, the company will provide tools for them to sign their own apps to run on their systems.

In order to use Device Guard, Ingalls says that any device that’s certified for Windows 8 will be compatible. Essentially, you’ll need a device that supports hypervisor, including any device that supports Intel’s VT-D. To support the complete features of Device Guard, Microsoft says that it will work with hardware partners to roll out systems that are Device Guard certified.

Reducing friction and maximizing security

So while Device Guard addresses the problem of malicious code on a system, data still needs to be protected. Short passcodes are not secure, but requiring strong passwords increases friction.

Another problem is that enterprises may only issue secure log-ins – like RSA’s keyfob – for a subset of users or only for certain apps, like logging into VPNs. Additionally, there is no good version for consumers currently, and there isn’t a system-wide log-in that delivers the enterprise-grade security.

To combat this, Microsoft introduced Passport and Windows Hello.

Hi, Windows Hello

With Windows Hello, Microsoft is relying on enterprise-level biometric authentication. Depending on the machine, users can log in with a fingerprint, face scan with advanced cameras like Intel’s RealSense 3D Camera, and iris scan.

This eliminates the need for a PIN or complex passcode requirements, and makes securing a system easy. Microsoft hopes that security will come without friction for Windows users.

Beyond Windows

After logging into Windows with Hello, Passport allows users to also log into trusted apps.

In a demonstration at RSA 2015, Hallum showed me that it took less than a second for the Intel RealSense 3D Camera, which was attached to a Lenovo ThinkPad X1 Carbon Ultrabook via USB, to recognize his face. After he logged into Windows with hello, Hallum was also instantly logged into other apps – like the Azure service – that would normally require a password.

As Microsoft is part of the FIDO Alliance for security authentication, it will allow third-party apps to support Passport login.

For consumers, this means that in the future, once you log onto Windows, you can also log onto your Bank of America or Wells Fargo banking account, access your eBay auction and payments on PayPal, and check the status of your Amazon order without having to log into these individual services, provided they support Passport.

Enterprise applications

For enterprises who may want to keep things even more secure, Microsoft could also deliver multi-device authentication with Windows Hello.

In a demonstration, Hallum showed that business customers can use their phones to log into Windows Hello on their PCs. This means that if a computer was stolen, the user cannot log into the system unless they have the phone and PIN.

With a Windows Phone-powered Lumia connected to the Lenovo ThinkPad over Wi-Fi or Bluetooth, Hallum typed his PIN into the phone, rather than onto the computer, to log into his PC.

Passport, Ingalls says, is a hardware-bound solution that’s similar to a smart card.

The Windows 10 family

Even though Microsoft executives remain tight-lipped about their plans for Passport on other devices and screens inside the Windows 10 family, Ingalls admitted that Xbox, Windows 10 for phones, and Windows 10 all share the same code, meaning that it’s just as easy to run Passport on those devices.

The possibility for Passport is endless, and the technology makes computing even more personal and secure. One potential use could be unlocking parental controls on an Xbox for gaming or TV watching with a face scan, or securely logging into mobile apps on a Windows 10 phone with a new 3D camera on a future Lumia phone.