build 2016 - p435 - device guard compatible application development – getting your app into the...

#Build2016 Device Guard Compatible Application Development Getting Your Apps Into the Circle of Trust Scott Anderson Klaudia Leja

Upload: windows-developer

Post on 13-Jan-2017


Device Guard - What is Device Guard?
- Combination of hardware + software security
- Enables businesses to strongly control what is allowed to run
- Brings Appliance or mobile-like security protections to desktop OS with support for existing line of business apps

Kernel Development for Device Guard
- Windows 10 drivers must be signed by Microsoft
- Strong driver publisher identity verification via Extended Validation (EV) certificates
- Sign drivers with Sysdev portal – cross-signing not good enough anymore

Virtualization Based Security Compatibility
- Make drivers HVCI compatible by using NX APIs, etc.; test with Driver Verifier
- No unsafe drivers (no peek/poke); also include filename, version, etc. in resources

Enterprises can control driver requirements via Device Guard policy

User Mode Code Integrity
- Enterprises can require everything that runs to be trusted
- Allow an enterprise to specify trusted signers either internal or external

Enterprise CI configuration may be signed for further protection
- If signed, the configuration is stored in the pre-OS and it can only be modified by a new signed update
- Protects against admin level attacks/malware which seek to delete, modify, or weaken CI configuration

User Mode Application Development
- Sign your applications
- Include filename, version, company name resources

Catalog Signing
- A signed file that identifies one or more binaries
- Has been required for driver packages (install-time check)
- Can also be used for any application signing

Published to the Windows catalog database
- Each machine has its own catalog database of trusted binaries

Can be managed and deployed independently of the packaged binaries
- Preserves any existing signatures
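The "User Mode Application Development" and "Catalog Signing" slides above can be turned into a pre-deployment check. This is an added example, not code from the session or from Microsoft: it reports each binary's signature status, whether the signature is embedded or comes from a catalog, and which of the requested version resources are missing. The path `C:\Program Files\ContosoApp`, the function name and the `Ready` column are assumptions made for illustration.

```powershell
# Added example: audit an application folder against the slide guidance
# (signed binaries; filename, version and company name in resources).
param(
    [string]$AppRoot = 'C:\Program Files\ContosoApp'   # hypothetical path, replace with your app
)

function Get-DeviceGuardReadiness {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll, *.sys |
        ForEach-Object {
            # On Windows 10 this also finds signatures held in an installed catalog.
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $ver = $_.VersionInfo

            # Version resources the slides ask developers to include.
            $missing = @()
            if ([string]::IsNullOrWhiteSpace($ver.OriginalFilename)) { $missing += 'OriginalFilename' }
            if ([string]::IsNullOrWhiteSpace($ver.FileVersion))      { $missing += 'FileVersion' }
            if ([string]::IsNullOrWhiteSpace($ver.CompanyName))      { $missing += 'CompanyName' }

            [pscustomobject]@{
                File             = $_.FullName
                SignatureStatus  = $sig.Status          # Valid, NotSigned, HashMismatch, ...
                SignatureType    = $sig.SignatureType   # Authenticode (embedded) or Catalog
                Signer           = $sig.SignerCertificate.Subject
                MissingResources = $missing -join ', '
                # "Ready" is this example's own heuristic, not a Device Guard verdict:
                # the enterprise policy still decides which signers are trusted.
                Ready            = ($sig.Status -eq 'Valid') -and ($missing.Count -eq 0)
            }
        }
}

$report = @(Get-DeviceGuardReadiness -Path $AppRoot)

# Files that still need signing or resource fixes.
$report | Where-Object { -not $_.Ready } |
    Format-Table -AutoSize File, SignatureStatus, SignatureType, MissingResources

# Summary by signature status, to size the remaining work.
$report | Group-Object SignatureStatus | Select-Object Name, Count
```

Files reported as `NotSigned` are the candidates for catalog signing, since a catalog covers them without modifying the binaries.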

The Elephant in the Room

Code-signing is hard
- Just as most Malware is unsigned, so too are the vast majority of LOB apps

Enterprises shouldn’t blindly trust all software from an ISV even if signed
- Windows 10 includes tools to enable IT to address code-signing for existing apps

The Elephant in the Room – IT Code-signing

- Microsoft Store signed and distributed apps
- Developers can sign using their own certs
- Enterprise signing via internally managed Public Key Infrastructure (PKI)
- Microsoft Device Guard Signing Service

Getting Apps into the Circle of Trust

Device Guard Signing

Device Guard Signing can be used by enterprises to sign catalogs and CI policies
- Either using the GUI in the Windows Store for Business or the PowerShell cmdlets

- It will expose the public certificates that are used for signing
- Signing certificates and keys will be unique for each enterprise
- All private keys will be locked in Hardware Security Modules (HSMs) and never exposed

PKI-as-a-service

Demo

© 2016 Microsoft Corporation. All rights reserved.