Pretty much all those things you name are nearly useless for the average business customer or are unlikely to work in the case of the so-called “security” improvements. I’ve yet to see a “security” feature that can’t be bypassed on a Microsoft OS, because Windows is inherently insecure, always has been and always will be.
Do you even KNOW what Device Guard is?
So what exactly is Device Guard? This is part of my course on Windows 10. I then go on to turn on Device Guard, and then everyone does so in the lab. Well, it's a device configuration for Windows that literally locks the device down, just like we do on Windows Phone, such that it can only run trusted applications. If the app isn't trusted, Windows won't allow it to run. (By "trust" Microsoft means digital signatures using AES 256-bit encryption.)
Platform or app vulnerability related bypasses can be mitigated using virtualization technology, meaning that even if an attacker manages to gain control of the kernel they still couldn't run malicious executable code.
The decision making on what can run vs. not is performed in the Hypervisor Windows Code Integrity service, which has been moved out of Windows and runs alongside it in a Hyper-V protected container that we call Virtual Secure Mode (VSM). The service determines what's trustworthy vs. not based on signatures that are configured using Windows policy.
As mentioned before, Device Guard mode is supported for both Universal and Win32 apps. Trust is established when apps are signed using either the Windows Store publishing process or a web service that ISVs and enterprises can use to sign their own applications.
The signatures that Microsoft uses to sign apps aren't any old signatures. They're special and either roll up to Microsoft's certificate authority, one you trust, or your own. In other words, the apps need to be more than signed. They need to be signed using a signature that Microsoft or you believe is trustworthy.
The app signing process is automatic for apps that are published through the Windows Store, and for ISVs and enterprises that want to sign their own apps Microsoft provides them with access to a secure web service. The web service can sign actual binaries, or it can sign what they call a catalog file, which is basically a hash table for the app's binaries. The catalog file can easily be generated using a tool that simulates the app setup process and generates the file as its output.
If you send me your personal info in a PM I'll get you in the next class for free, but you have to pay your own T&E!
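As an added illustration (not part of the original post or of Microsoft's course material) of what the "trusted vs. not" policy described above looks like in practice, here is a PowerShell walkthrough that builds a Device Guard code integrity policy from a reference machine, runs it in audit mode first, and then enforces it. It assumes Windows 10 Enterprise with the ConfigCI module, an elevated shell, and the folder C:\DG as a placeholder for the policy files.

```powershell
# Added example, not from the original post. Assumes Windows 10 Enterprise,
# an elevated PowerShell session, and C:\DG as a placeholder working folder.
Import-Module ConfigCI

$PolicyXml = 'C:\DG\InitialPolicy.xml'   # placeholder paths
$PolicyBin = 'C:\DG\SIPolicy.p7b'

# 1. Scan the reference install and generate signer rules. Publisher level
#    trusts binaries whose signature chains to the scanned publisher cert;
#    files that cannot be matched that way fall back to a per-file hash.
#    -UserPEs includes user-mode executables, which is what extends the
#    policy from drivers to Win32 applications.
New-CIPolicy -Level Publisher -Fallback Hash -FilePath $PolicyXml -UserPEs -ScanPath 'C:\'

# 2. Option 3 is "Enabled:Audit Mode". It is on by default in a freshly
#    generated policy; setting it explicitly documents the intent: violations
#    are logged rather than blocked while the policy is being tuned.
Set-RuleOption -FilePath $PolicyXml -Option 3

# 3. Convert the XML policy into the binary form that the code integrity
#    service loads at boot.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# 4. Deploy locally (single-policy format) and reboot for it to take effect.
Copy-Item $PolicyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force

# 5. After running under normal workload, review what audit mode flagged.
#    Event 3076 = "would have been blocked" (audit); 3077 = actually blocked.
Get-WinEvent -LogName 'Microsoft-Windows-CodeIntegrity/Operational' -MaxEvents 200 |
    Where-Object { $_.Id -eq 3076 } |
    Select-Object TimeCreated, Message

# 6. Once the audit log is clean, remove audit mode, re-convert, redeploy,
#    and reboot: from then on unsigned or untrusted binaries will not run.
Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin
Copy-Item $PolicyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force

# 7. Confirm the state after reboot. SecurityServicesRunning containing 2
#    means hypervisor-enforced code integrity (the VSM piece described
#    above) is active; the enforcement status fields show the policy mode.
Get-CimInstance -ClassName Win32_DeviceGuard -Namespace 'root\Microsoft\Windows\DeviceGuard' |
    Select-Object SecurityServicesConfigured, SecurityServicesRunning,
                  CodeIntegrityPolicyEnforcementStatus, UsermodeCodeIntegrityPolicyEnforcementStatus
```

Line-of-business apps that are not signed by a trusted publisher are the usual source of 3076 events; those are the ones the post's catalog-file signing step is meant to cover before the policy is switched to enforced.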