Windows Defender Device Guard deployment guide

Applies to

  • Windows 10
  • Windows Server 2016

Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted it can’t run, period. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. With appropriate hardware, Windows Defender Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.

This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes:

AppLocker overview

Code integrity

Protect derived domain credentials with Windows Defender Credential Guard

Driver compatibility with Windows Defender Device Guard in Windows 10

Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard