In this case, the Code Integrity service runs alongside the kernel in a Windows hypervisor-protected container.ĭevice Guard references: (recommend to read) With appropriate hardware, Device Guard can use the new virtualization-based security in Windows 10 (available in Enterprise and Education desktop SKUs and in all Server SKUs) to isolate the Code Integrity service from the Microsoft Windows kernel itself. With hardware that meets basic requirements, it also means that even if an attacker manages to get control of the Windows kernel, he or she will be much less likely to be able to run malicious executable code. If the app isn’t trusted it can’t run, period.
How to Enable or Disable Device Guard in Windows 10ĭevice Guard is a combination of enterprise-related hardware and software security features that, when configured together, will lock a device down so that it can only run trusted applications that you define in your code integrity policies.
