Slashdot Mirror


Microsoft Announces Device Guard For Windows 10

jones_supa writes: Microsoft has announced a new feature for Windows 10 called Device Guard, which aims to give administrators full control over what software can or cannot be installed on a device. "It provides better security against malware and zero days for Windows 10 by blocking anything other than trusted apps—which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. ... To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege." It's intended to be used in conjunction with traditional anti-virus, not as a replacement.

2 of 190 comments (clear)

  1. Re:privacy :{ by Anonymous Coward · · Score: 5, Insightful

    No imbecile, it's talking about checking the code signing certificate.
    If you've trusted the particular vendor or cert chain, then the app is allowed to be installed, if you don't trust the cert, it warns or blocks installation or execution.

  2. Corporate IT salvation by edtice1559 · · Score: 5, Insightful

    Most of the posts on here are of the variety that this is taking away a fundamental human right or that everybody is an administrator so it's a meaningless feature. In the corporate IT world, this is hugely valuable. Most non-programmers *don't* have administrator privileges. But, even if they do, you don't want to allow untrusted binaries. Windows has local administrators and domain administrators. Nobody is a domain administrator. Even local admin privileges won't let you override a group policy. This really is as near perfect solution as you can get. As far as interpreted languages... uh, non-programmers don't need to have interpreters on their machines. Some "interpreted" languages (like the .Net CLR) will honor this and not interpret things that aren't properly signed. So I see this as a big win. Although it's hugely helpful for the large organizations who spend billions of dollars on IT, I do agree that it's a bit of an inconvenience for people who live in their parent's basement and run pirated copies of Windows while claiming to live and die by Linux.