[Microsoft Ignite] - Windows 10 Device Guard feature

[GoodBytes]

Continuing with the Microsoft Ignite coverage of the event, Microsoft is announcing a new security feature for companies, called Device Guard.

It is a system that IT admins can setup, which allows to set filters in allowing only certain program to run on the system only, even if the user has admin privileges.

If you wonder for running other apps for maintenance or debugging.

You have to think in a business setting, where accounts aren't local, they are remote accounts stored on the company servers via Microsoft Active Directory. These accounts policies are set by groups. Say: IT, Staff, and Directors. So, you, as an IT, can still login into your admin account where these restriction aren't applied, and you can run what you want. This feature gives the ability to users to be admin like to their system. Where they can install and run software that are approved by the company, whether be programs from the Windows App Store, or desktop ones, or acquired online.

Microsoft did a demo where a user opens an e-mail that looks legit from the company, and has a download button, clicking on it, leads to a site that also looks legit, with a download button, but the program the fictional employee would run is malware. Under Windows 7, there is nothing really to stop this. But under Windows 10, even if the app request admin privileges, and the employee clicks on Yes, as he/she thinks it is 100% legit. He or she will be presented with an error message.

In the demo, Windows 7 system got infected, Windows 10 is safe.

The big upside for this, is allowing employees to personalize their mobile work system, and install the software that they want, but only allow approved applications.

So that is a bit of Device Guard feature in Windows 10. You can view the full day 1 keynote here: http://channel9.msdn.com/Events/Ignite/2015/KEY01(warning HQ quality is 6.1GB)

What do you think?

[Misanthrope]

Umm it's kinda neat but I don't get it: you have admin rights yet not trusted to install software. If you don't trust users to install software why would you trust them with an admin level account on their system where they can potentially do other things to damage the system or the OS deployment or whatever, or if that isn't the case then why does it needs to be an admin account....

[Derranged]

-snip-

I work in I.T. at a school and I can tell you that if our staff didn't have administration permissions half of the software that we use wouldn't work. Plus it would mean we have to install all of the software ourselves.

I am really excited for Windows 10.

[GoodBytes]

Yea.

I work in I.T. at a school and I can tell you that if our staff didn't have administration permissions half of the software that we use wouldn't work. Plus it would mean we have to install all of the software ourselves.

I am really excited for Windows 10.

Yea. when I worked at IT, we had old software that loved writing its settings, and logs where the program is installed. We found a way to go around it, by setting full permission of the directory where the program is installed. But it is a serious pain, as you need to do it on everywhere, one by one. Sure you can make a script. But it is still a pain to do.

Also, some employees want to install their programs on the company systems, and if it is trusted by us, we allow it. But they need to come at the IT desk, and we need to do it, and that is just annoying, if we re-image the systems, you have a bunch of people coming, and all your projects, work, help desk calls, everything is on hold (pretty much) by a week or two, because you are installing apps all day. This allows them to install what they want that is approved, and give protection.

[Misanthrope]

I work in I.T. at a school and I can tell you that if our staff didn't have administration permissions half of the software that we use wouldn't work. Plus it would mean we have to install all of the software ourselves.

I am really excited for Windows 10.

 

Oh ok I understand now. I mean ideally, you'd want a system that allows software to operate without admin permissions but since work software often has little in the way of alternatives this is a nice workaround, thanks for clarifying.