Threat Detection using Windows Defender Application Control (Device Guard) in Audit Mode

Matt Graeber
Security Researcher, SpecterOps
Jun 26
Note: I originally scrapped this post because I didn’t like that audit events were only logged once per boot due to caching, however, Casey’s tweet reminded me that I shouldn’t let perfect be the enemy of good. This is still one of the best options that I know of (without requiring a commercial solution) to log all driver loads.[…]


Microsoft Updates OEM Device/Credential Guard requirements

Microsoft just updated this page:

No list of what’s changed, it seems that would be a reasonable thing for a large list of requirements…  I’ll leave you to figure out what changed. 🙂

(If someone knows of a good way to diff this page against the same page a few weeks ago (without, please leave a Comment on this blog post. Thanks.)


Device Guard: undocumented policies

“Interesting undocumented Device Guard code integrity policy rules. Obtained via the SIPolicy XML schema.”

WordPress mangles Github Gist urls, click on the above Twitter URLs to get the Gist URL.

Troy Martin’s Windows Device Guard trilogy

Troy Martin of 1E has written the final of this 3-part blog posts on Device Guard, a new feature of Windows 10, targetting enterprise sysadmins.

Welcome to the third and final blog in the series on Device Guard!!
Device Guard hardens various attack surfaces on an endpoint creating a “chain of trust” from the hardware through to the Windows OS kernel and to software running in Windows.
Device Guard components run in isolation from the Windows kernel and is secured by a Windows Hyper-V container called Virtual Secure Mode (VSM).
It is evident that Device Guard provides revolutionary endpoint security in Windows 10; a formidable opponent and offense against viruses, malware, bad actors and other modern day threats. Time to start taking advantage of it and securing the enterprise!!

Windows Device Guard information

Ash de Zylva of Microsoft has a blog post on Windows 10’s Device Guard and Credential Guard:
Windows 10 Device Guard and Credential Guard Demystified
While helping Windows Enterprise customers deploy and realize the benefits of Windows 10, I’ve observed there’s still a lot of confusion regarding the security features of the operating system. This is a shame since some of the key benefits of Windows 10 involve these deep security features. This post serves to detail the Device Guard and Credential Guard feature sets, and their relationship to each other. […]


MalwareTech on Microsoft Device Guard

The MalwareTech blog has a good article on Microsoft Device Guard for Windows:


Everyone is probably already familiar with x64 driver signature enforcement (64-bit Windows systems can only load signed drivers); Well, now Microsoft has introduced a similar feature for user mode code, which is a huge deal when it comes to malware (Currently the feature is only present on Windows 10 Enterprise, but I’m fairly certain as it matures it will make it’s way to home systems). Device Guard not only adds customizable user mode code integrity checks (UMCI), but re-works a lot of the kernel mode code integrity (KMCI) allowing far more flexibility than just allowing all signed drivers. The policy can either be deployed locally by and administrator or from a domain controller, making it scalable for enterprise networks. Something I was actually quite surprised by is the fact that the user mode code integrity is not simply limited to executable (I was expecting Device Guard to be just another throw away pseudo-security feature like UAC, but it’s clear some real thought has gone into this).

Full post:

Microsoft Device Guard

Thanks to Matt Graeber’s Twitter post, I became aware of Microsoft’s new documentation for Device Guard, a security technology for Microsoft Windows.

Microsoft Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security. Windows 10 employs Device Guard as well as code integrity and advanced hardware features such as CPU virtualization extensions, Trusted Platform Module, and second-level address translation to offer comprehensive modern security to its users. This guide explores the individual features in Device Guard as well as how to plan for, configure, and deploy them. […]