Windows Defender Device Guard deployment guide
Applies to
- Windows 10
- Windows Server 2016
Windows Defender Device Guard is a combination of enterprise-related hardware and software security features that run on Windows 10 Enterprise edition and Windows Server. When these features are configured together, Windows Defender Device Guard will lock a device down so that it can only run trusted applications that you define in your code integrity policies. If the app isn’t trusted, it can’t run, period.
Note
Beginning with Windows 10, version 1709, configurable code integrity policies are known as Windows Defender Application Control.
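As an added example that is not part of this guide, the PowerShell sequence below builds a code integrity policy from a reference machine, keeps it in audit mode so that nothing is blocked yet, compiles it to the binary form Windows loads, and then reads the audit events that show what the policy would have blocked once enforced. The policy directory and output file names are constructed assumptions; the cmdlets are from the built-in ConfigCI module.

```powershell
# Added example: build and audit a code integrity policy (not the guide's own script).
# Assumed working directory; any writable path works.
$PolicyDir = 'C:\CIPolicy'
$PolicyXml = Join-Path $PolicyDir 'InitialScan.xml'
$PolicyBin = Join-Path $PolicyDir 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# 1. Scan the reference image and create rules at Publisher level, falling back to
#    file hashes for unsigned binaries. -UserPEs also covers user-mode executables.
New-CIPolicy -Level Publisher -Fallback Hash -UserPEs `
    -ScanPath 'C:\' -FilePath $PolicyXml

# 2. Option 3 is "Enabled:Audit Mode": violations are logged, not blocked.
#    Leave it on until the audit log is clean, then remove it with -Delete to enforce.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Convert the XML policy to the binary format the Code Integrity service reads.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. Deploying the binary (copy to C:\Windows\System32\CodeIntegrity\SIPolicy.p7b
#    and reboot) is a separate step; after that, event ID 3076 in the CodeIntegrity
#    operational log records every binary that audit mode would have blocked.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 3076 } |
    Select-Object TimeCreated, Message |
    Format-List
```

Review the 3076 events on representative machines before switching the policy to enforced mode; a binary that appears there but is legitimately needed should be added to the policy first.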
With hardware that meets basic qualifications, Windows Defender Device Guard can also use virtualization-based security to isolate the Code Integrity service and run it alongside the Windows kernel in a hypervisor-protected container. Even if an attacker manages to get control of the Windows kernel itself, it is much less likely that the attacker can run malicious executable code.
This guide explores the individual features in Windows Defender Device Guard as well as how to plan for, configure, and deploy them. It includes:
- Requirements and deployment planning guidelines for Windows Defender Device Guard
- Planning and getting started on the Windows Defender Device Guard deployment process
- Deploy Windows Defender Device Guard: deploy code integrity policies
- Deploy Windows Defender Device Guard: enable virtualization-based security
Related topics
- Protect derived domain credentials with Windows Defender Credential Guard
- Driver compatibility with Windows Defender Device Guard in Windows 10
- Dropping the Hammer Down on Malware Threats with Windows 10's Windows Defender Device Guard