Explore Device Guard technology. Device Guard enables companies to lock down a Windows device so that only approved apps and programs can run. The PC must run Windows 10 Enterprise, have UEFI firmware and secure boot, and meet other requirements. An enterprise must plan for and implement the required infrastructure as well; devices should be categorized, and so on.
- [Instructor] Employees often use their own laptops, tablets, and other devices to access corporate resources. Sometimes they use devices provisioned by the company. Whatever the case, it's part of a Network Administrator's job to protect those devices from harm. They do this in part by limiting what apps can run on any given machine. When Admins limit a device so that it can only run trusted apps, the device is protected from anything deemed untrusted. This technology is called Device Guard.
Device Guard works by incorporating existing virtualization, security, and code integrity policies. Security includes things like secure boot and second-level address translation. Code integrity policies define what apps are trusted. Once set up, Device Guard protects the computer from malware and unsigned code, boot kits, and even physically present attackers. Administrators can manage Device Guard in many ways, including group policy, SCCM, Intune and PowerShell.
What they choose depends on their current infrastructure. A client computer must meet certain requirements to use Device Guard. These requirements are listed here and include a 64-bit CPU, UEFI Firmware, and Windows 10 Enterprise or Education among other things. Take a look at these requirements when time allows. You must also be able to enable the necessary Windows features, which includes the Hyper-V Hypervisor. There's a tool that can help called the Device Guard and Credential Guard Hardware Readiness Tool.
You can see it here. Use this tool to see if your hardware is ready for Device Guard. You can also use it to enable Device Guard, however it's easy enough to do it yourself, so let's do that instead. To get started, in the Search box, type turn on or turn off Windows Features and click turn Windows Features on or off in the results. Expand Hyper-V and expand Hyper-V platform. You'll need to select all of the entries here. Click okay and then restart your computer when prompted.
I've already done that, so I'll click cancel. Now you'll need to enable two entries for Device Guard in local security policy. In the search box, type gpedit to get started and click edit group policy. I'll maximize the window and expand the left pane to make it easier to see. Now navigate to Computer Configuration, Administrative Templates, System, and Device Guard. Right click turn on virtualization-based security and click edit.
Enable this policy and configure the applicable settings. What you choose depends on your hardware. I'll leave mine at Secure Boot, and then click okay. Repeat this for Deploy Code Integrity Policy if you have policies in place. You'll need to type the path to the policy in the group policy settings window if you do. I'll click cancel. With all of that in place, a network administrator can control what apps can run on a device and what can't.
This protects the device from malware and other attacks, but also gives granular control to the administrators regarding what can and can't be used on a particular device. To verify you've enabled Device Guard, type msinfo32 here in the search box and click system information in the results. I'll maximize the window and scroll down. At the bottom, you'll see entries for Device Guard. Here you can see Device Guard is enabled.
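The msinfo32 check described above can also be scripted, which is useful when many devices have to be audited. The following is an added example, not part of the course material: it reads the `Win32_DeviceGuard` CIM class and reports whether virtualization-based security and code integrity policy are only configured or actually running, and the code-to-label tables cover only the common values.

```powershell
# Added example: report Device Guard / virtualization-based security (VBS) state.
# Run in an elevated PowerShell session on the Windows 10 device being checked.

# Code-to-label tables for the Win32_DeviceGuard properties (common values only;
# anything not listed is printed as "Code N").
$vbsStatus = @{ 0 = 'Disabled'; 1 = 'Enabled but not running'; 2 = 'Enabled and running' }
$secProps  = @{ 1 = 'Hypervisor support'; 2 = 'Secure Boot'; 3 = 'DMA protection' }
$services  = @{ 1 = 'Credential Guard'; 2 = 'Hypervisor-enforced code integrity' }
$ciStatus  = @{ 0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced' }

function Resolve-Codes([object[]]$Codes, [hashtable]$Map) {
    # An empty list, or a list holding only 0, means nothing is configured or running.
    if (-not $Codes) { return 'None' }
    ($Codes | ForEach-Object {
        if ($Map.ContainsKey([int]$_)) { $Map[[int]$_] } else { "Code $_" }
    }) -join ', '
}

$dg = Get-CimInstance -ClassName Win32_DeviceGuard `
        -Namespace 'root\Microsoft\Windows\DeviceGuard' -ErrorAction Stop

[pscustomobject]@{
    # Confirm-SecureBootUEFI throws on legacy BIOS systems or without elevation.
    SecureBootOn         = $(try { Confirm-SecureBootUEFI } catch { 'Unknown (legacy BIOS or not elevated)' })
    VbsStatus            = $vbsStatus[[int]$dg.VirtualizationBasedSecurityStatus]
    RequiredByPolicy     = (Resolve-Codes $dg.RequiredSecurityProperties  $secProps)
    AvailableOnHardware  = (Resolve-Codes $dg.AvailableSecurityProperties $secProps)
    ServicesConfigured   = (Resolve-Codes $dg.SecurityServicesConfigured  $services)
    ServicesRunning      = (Resolve-Codes $dg.SecurityServicesRunning     $services)
    KernelCodeIntegrity  = $ciStatus[[int]$dg.CodeIntegrityPolicyEnforcementStatus]
    UserModeCodeIntegrity = $ciStatus[[int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus]
} | Format-List
```

A service listed under `ServicesConfigured` but missing from `ServicesRunning` means the policy was applied but the hardware or firmware requirements are not met, or the device has not been restarted since the policy was set.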
Note: The course also maps to the third part of MCSA exam 70-698, Installing and Configuring Windows 10. Taking this course will prepare you for objectives in the Manage and Maintain Windows domain of the test.
- Configuring Windows Update
- Updating Windows apps
- Reviewing event logs
- Using Resource Monitor and Performance Monitor
- Managing security with Windows Defender
- Creating a recovery drive
- Restoring and recovering files
- Recovering the OS with Windows Recovery
- Configuring authorization and authentication
- Securing Windows 10 with passwords
- Joining workgroups and domains
- Creating and using accounts
- Automating tasks with PowerShell