Windows Defender Device Guard deployment guide

Applies to

  • Windows 10
  • Windows Server 2016

With thousands of new malicious files created every day, traditional methods such as signature-based antivirus detection provide an inadequate defense against new attacks. Windows Defender Device Guard describes a locked-down device configuration state that combines several enterprise hardware and software security features available on Windows 10 Enterprise edition and Windows Server. When these features are configured together, Windows Defender Device Guard changes the device from a mode in which apps are trusted unless an antivirus or other security solution blocks them to a mode in which the operating system, driven by a code integrity policy, trusts only the apps your enterprise has authorized. If an app isn't trusted, it can't run, period.

Windows Defender Device Guard also uses virtualization-based security to isolate the Code Integrity service from the normal Windows kernel and run it in a hypervisor-protected environment (hypervisor-protected code integrity, or HVCI). Even if an attacker manages to take control of the Windows kernel itself, the attacker is much less likely to be able to run malicious executable code, because the compromised kernel can no longer tamper with the code integrity checks.
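The two paragraphs above describe the two halves of Device Guard: a code integrity policy that decides which apps may run, and virtualization-based security that protects the code integrity checks themselves. The following PowerShell is an added example, not a sample from this guide or from Microsoft, that shows how an administrator would check both halves on a machine and then produce a first, audit-mode code integrity policy from a reference machine. It assumes an elevated PowerShell session on Windows 10 Enterprise or Windows Server 2016 with the ConfigCI module available; the output paths under C:\CIPolicy and the scan of C:\ are placeholders for this example.

```powershell
# Added example (not from the Device Guard guide): inspect the Device Guard
# state of the local machine, then build a code integrity policy in audit mode.
# Assumptions: Windows 10 Enterprise / Windows Server 2016 with the ConfigCI
# module present, run from an elevated PowerShell session. The C:\CIPolicy
# paths below are placeholders chosen for this example.

# 1. Read the Device Guard status the OS reports through WMI.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                      -ClassName Win32_DeviceGuard

$vbsStatus = @{ 0 = 'Not enabled'; 1 = 'Enabled, not running'; 2 = 'Running' }
$ciStatus  = @{ 0 = 'Off'; 1 = 'Audit mode'; 2 = 'Enforced' }

"Virtualization-based security : " + $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
# SecurityServicesRunning lists the services VBS is protecting:
# 1 = Credential Guard, 2 = hypervisor-protected code integrity (HVCI).
"HVCI running                  : " + ($dg.SecurityServicesRunning -contains 2)
"Credential Guard running      : " + ($dg.SecurityServicesRunning -contains 1)
"Kernel-mode CI policy         : " + $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
"User-mode CI policy           : " + $ciStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]

# 2. Build an initial code integrity policy by scanning a reference ("golden")
#    machine. -Level Publisher trusts files by their signing publisher,
#    -Fallback Hash pins unsigned files by hash, and -UserPEs includes
#    user-mode binaries so the policy governs apps, not only drivers.
$policyXml = 'C:\CIPolicy\InitialScan.xml'   # placeholder path
$policyBin = 'C:\CIPolicy\SIPolicy.p7b'      # placeholder path
New-Item -ItemType Directory -Path (Split-Path $policyXml) -Force | Out-Null

New-CIPolicy -Level Publisher -Fallback Hash -FilePath $policyXml `
             -ScanPath 'C:\' -UserPEs

# New-CIPolicy writes the policy with rule option 3 ("Enabled:Audit Mode")
# set, so deploying it only logs what would have been blocked. Leave that in
# place until the audit log is clean; remove option 3 only when you are ready
# to enforce:
#   Set-RuleOption -FilePath $policyXml -Option 3 -Delete

# 3. Convert the XML to the binary form the kernel consumes. The policy takes
#    effect after it is copied to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
#    on the target machine and the machine is rebooted.
ConvertFrom-CIPolicy -XmlFilePath $policyXml -BinaryFilePath $policyBin

# 4. While in audit mode, review what the policy would have blocked.
#    Event 3076 = audit-mode "would have been blocked"; 3077 = enforced block.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
    Id      = 3076, 3077
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

The status check comes first on purpose: a code integrity policy that reports "Enforced" but with HVCI not running is only as strong as the kernel it runs in, which is exactly the gap the virtualization-based security paragraph describes. Step 4 is the loop you repeat on representative machines until the 3076 events stop appearing before removing audit mode.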

This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes:

  • AppLocker overview
  • Code integrity
  • Protect derived domain credentials with Windows Defender Credential Guard
  • Driver compatibility with Windows Defender Device Guard in Windows 10
  • Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard