All the Guards–Part 1

A while back I wrote an article about all the Defender products Microsoft has:

All the Defenders

Turns out that Microsoft also has a range of “Guard” products as well. In general, you can think of Microsoft Guard products as interfacing and working in combination with the physical device to enhance the security of your environment.

You’ll also find that there is plenty of cross over between Defender and Guard products, for example, Windows Defender Application Guard (WDAG).

What I’m going to try and do here is look specifically at all the products that have the name ‘guard’ in them and show how they help improve the security of your environment. I will readily admit, that because of the integration of hardware and software here, getting definitive answers on many questions has proved extremely challenging. Thus, I’ll do my best here to share what I have learned but I’m sure there is still more to uncover.

To commence this journey we need to examine the actual Windows 10 boot process, which is nicely covered in this article from Microsoft:

Secure the Windows 10 boot process

and from which I’ll quote:

Secure Boot

When the PC starts, the firmware checks the signature of each piece of boot software, including UEFI firmware drivers (also known as Option ROMs), EFI applications, and the operating system. If the signatures are valid, the PC boots, and the firmware gives control to the operating system.


When a PC equipped with UEFI starts, the PC first verifies that the firmware is digitally signed, reducing the risk of firmware rootkits. If Secure Boot is enabled, the firmware examines the bootloader’s digital signature to verify that it hasn’t been modified. If the bootloader is intact, the firmware starts the bootloader only if one of the following conditions is true:


– The bootloader was signed using a trusted certificate. In the case of PCs certified for Windows 10, the Microsoft® certificate is trusted.
– The user has manually approved the bootloader’s digital signature. This allows the user to load non-Microsoft operating systems.

The first step you’ll need to take is to ensure that your UEFI boot is enabled on your device. You can follow this article:

Enable Secure Boot on your device

To verify you have Secure Boot enabled you can:

image

Run the system configuration utility (Start | MSINFO) which should show you something like:

image

Here you should find both the BIOS mode set to UEFI and the Secure Boot State set to ON.

image

You can also run the PowerShell command:

confirm-securebootuefi

as an administrator as shown above, which should return as True.

image

 Finally, you can also open Windows Defender on your device, select Device Security and under the Secure boot option, shown above, you should see Secure boot is ON.

Windows 10 startup process

The above, from the Secure the Windows 10 boot process gives you a good idea of how the boot sequence proceeds. To again quote the article:

Trusted Boot

Trusted Boot takes over where Secure Boot leaves off. The bootloader verifies the digital signature of the Windows 10 kernel before loading it. The Windows 10 kernel, in turn, verifies every other component of the Windows startup process, including the boot drivers, startup files, and ELAM. If a file has been modified, the bootloader detects the problem and refuses to load the corrupted component. Often, Windows 10 can automatically repair the corrupted component, restoring the integrity of Windows and allowing the PC to start normally.

Measured Boot

Working with the TPM and non-Microsoft software, Measured Boot in Windows 10 allows a trusted server on the network to verify the integrity of the Windows startup process. Measured Boot uses the following process:


    1. The PC’s UEFI firmware stores in the TPM a hash of the firmware, bootloader, boot drivers, and everything that will be loaded before the anti-malware app.
     2. At the end of the startup process, Windows starts the non-Microsoft remote attestation client. The trusted attestation server sends the client a unique key.
     3. The TPM uses the unique key to digitally sign the log recorded by the UEFI.
     4. The client sends the log to the server, possibly with other security information.


Depending on the implementation and configuration, the server can now determine whether the client is healthy and grant the client access to either a limited quarantine network or to the full network.

Windows 10 includes the application programming interfaces to support Measured Boot, but you’ll need non-Microsoft tools to implement a remote attestation client and trusted attestation server to take advantage of it.

Now that the boot process is complete and secure, thanks to Secure Boot, we can move onto the next phase in protection with Windows 10 Guards,

Next – Virtualization Based Security