Windows 10 security innovations at RSA: Device Guard, Windows Hello, and Microsoft Passport

Back in October, we shared how security and identity features will continue to evolve in Windows 10. This week at the RSA Conference in San Francisco, we’re providing more details on what this means for our enterprise customers.

Earlier today, Scott Charney, Corporate Vice President of Trustworthy Computing, spoke about the security innovations that give Microsoft cloud customers more transparency and control over their data, as well as key security innovations in Windows 10: Device Guard, Microsoft Passport and Windows Hello.

Device Guard is the previously unnamed feature we blogged about that gives organizations the ability to lock down devices in a way that provides advanced malware protection against new and unknown malware variants as well as Advanced Persistent Threats (APTs). It provides better security against malware and zero-days for Windows 10 by blocking anything other than trusted apps, which are apps that are signed by specific software vendors, the Windows Store, or even your own organization. You’re in control of what sources Device Guard considers trustworthy, and it comes with tools that can make it easy to sign Universal or even Win32 apps that may not have been originally signed by the software vendor.

Putting Device Guard to Use

To help protect users from malware, when an app is executed, Windows makes a determination on whether that app is trustworthy, and notifies the user if it is not. Device Guard can use hardware technology and virtualization to isolate that decision-making function from the rest of the Windows operating system, which helps provide protection from attackers or malware that have managed to gain full system privilege. This gives it a significant advantage over traditional anti-virus and app control technologies such as AppLocker, Bit9, and others, which are subject to tampering by an administrator or malware.

In practice, Device Guard will frequently be used in combination with traditional AV and app control technologies. Traditional AV solutions and app control technologies will be able to depend on Device Guard to help block executable and script-based malware, while AV will continue to cover areas that Device Guard doesn’t, such as JIT-based apps (e.g., Java) and macros within documents. App control technologies can be used to define which trustworthy apps should be allowed to run on a device. In this case, IT uses app control as a means to govern productivity and compliance rather than malware prevention.

Original Equipment Manufacturers (OEMs) are On Board with Device Guard

The following OEMs are endorsing the use of Device Guard on their Windows 8 certified devices.

[Image: Device Guard partners]

Enterprise-Ready Identity Solutions in Windows 10

Device Guard is one of our top security features in Windows 10, but investments are also required to address the challenges organizations and consumers face when it comes to identity. Windows Hello* and Microsoft Passport, announced at WinHEC last month, are two of the key features that we are delivering in this space. System support for biometric authentication and enterprise-grade two-factor authentication in Windows 10 will help protect business data and online experiences without the need for regularly changing passwords.

Fingerprint-based sensors are already present on some Windows devices and will work with Windows Hello. We’re also working closely with our hardware partners to deliver Windows Hello capable devices that will ship with Windows 10, and we are excited that all OEM systems incorporating the Intel® RealSense™ 3D Camera (F200) will support the facial unlock features of Windows Hello, including automatic sign-in to Windows, and support to unlock Microsoft Passport without the need for a PIN. There are three devices supporting this feature that I’m really excited about, and we encourage you to take a look at them.

Dell Inspiron 15 (i5548-4167SLV) Laptop

· 15.6-inch Full HD touchscreen
· Intel Core i5-5200U
· 12GB memory/1TB HDD
· Intel RealSense 3D 1080p camera

HP ENVY 15 (v010nr) Laptop

· 15.6-inch Full HD touchscreen
· Intel Core i5-5200U
· 8GB memory/1TB HDD
· Intel RealSense 3D 1080p camera

Lenovo B50-30 All-In-One

· 23.8-inch Full HD touchscreen
· Intel Core i7-4790S
· 6GB memory/2TB SSHD
· Intel RealSense 3D 1080p camera


The Windows Hello technology behind these devices, Intel® RealSense™ F200 camera technology, uses infrared lasers, multiple lenses, and a special processing chip to analyze images for Windows Hello. While Windows Hello’s facial recognition isn’t going to be limited to the Intel RealSense technology, it’s a great option that is currently in the marketplace, so look for devices using this technology.

Organizations that deploy Device Guard, Microsoft Passport and Windows Hello will help eliminate some of the most common tactics that are being used against them. And some customers are already telling us that Windows 10’s security benefits are one of the key reasons they choose to migrate. If you haven’t already joined the Windows Insider Program and would like to, please follow the link to join the program and witness Windows 10 evolve first-hand! If you are unsure of whether or not you should install the Windows 10 Technical Preview, please read the FAQ carefully before you install to see if it is right for you.

For all of the latest Microsoft news at RSA, check out today’s Official Microsoft blog.

* Windows Hello requires a specialized illuminated infrared camera for facial recognition or iris detection, or a fingerprint reader which supports the Windows Biometric Framework.