Microsoft has published a technical guide describing its new Device Guard feature in Windows 10, to help administrators set up the anti-malware technology on the devices they manage.
We first learned about Device Guard in April, when the company introduced it at the RSA 2015 conference in San Francisco. At that time it emerged that the technology controls critical parts of the operating system on each protected device and fences them off from all other applications and from the rest of Windows.
The core protection technology is the IOMMU (PDF) together with other mechanisms that protect the processor by enforcing kernel-level memory isolation. The IOMMU works by restricting which hardware is allowed to touch system memory, which prevents malicious drivers and devices from reaching the operating system and the applications in use.
Microsoft states: “The same hypervisor technology used to run virtual machines in Microsoft Hyper-V is used to isolate core services of Windows in a virtualization-based, protected container.”
“This isolation removes the vulnerabilities of these services from both user and kernel functions and acts as an impenetrable barrier to most malware in use today.”
Device Guard is targeted at businesses and other large organizations.
“Historically, UMCI (User Mode Code Integrity) has only been available in Windows RT and Windows for phone devices, making it difficult for these devices to be infected with viruses and malware,” says a post on TechNet.
“In Windows 10, these same successful UMCI standards are available. Historically, most malware is unsigned. By developing code integrity policies, organizations can immediately protect themselves against unsigned malicious software, which is estimated to be responsible for more than 95 percent of attacks.”
So, put simply, if the “container” that Microsoft uses in Device Guard gets infected, the rest of the system should remain protected, in theory at least. It will be interesting to see Windows 10’s virtualization technology on personal computers and not only on servers.
Meanwhile, Microsoft will also have to deal with malware that is signed and therefore passes the code integrity check. It may be a rare species, but it exists.
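As an added example (not from the article or from Microsoft’s documentation), the PowerShell workflow an administrator would follow to build the kind of code integrity policy the TechNet post describes, deploy it in audit mode first, and review what it would have blocked before enforcing it. The policy directory, file names and scan path are assumptions for this example; the cmdlets come from the ConfigCI module that ships with Windows 10 Enterprise.

```powershell
# Added example: build a Device Guard code integrity policy from a known-good
# reference machine, deploy it in audit mode, then review the audit events.
# Paths and the scan location below are assumptions for this example.

$PolicyDir = 'C:\CIPolicy'
$PolicyXml = Join-Path $PolicyDir 'InitialPolicy.xml'
$PolicyBin = Join-Path $PolicyDir 'SIPolicy.p7b'
New-Item -ItemType Directory -Path $PolicyDir -Force | Out-Null

# Scan the reference installation. -Level PcaCertificate trusts binaries by the
# certificate chain that signed them; -Fallback Hash covers legitimate files that
# are unsigned; -UserPEs includes user-mode binaries, which is what makes this a
# UMCI policy rather than a kernel-only one.
New-CIPolicy -Level PcaCertificate -Fallback Hash -FilePath $PolicyXml `
    -ScanPath 'C:\' -UserPEs

# Rule option 3 = Enabled:Audit Mode. Untrusted code still runs but is logged,
# so the policy can be validated before it blocks anything.
Set-RuleOption -FilePath $PolicyXml -Option 3

# Convert the XML policy to the binary form that Code Integrity consumes.
ConvertFrom-CIPolicy -XmlFilePath $PolicyXml -BinaryFilePath $PolicyBin

# Deploy: Code Integrity loads SIPolicy.p7b from this folder at boot.
Copy-Item $PolicyBin 'C:\Windows\System32\CodeIntegrity\SIPolicy.p7b' -Force
# Reboot and run the normal workload before reviewing the log.

# Event 3076 is the audit-mode "would have been blocked" record; 3077 is an
# actual block once audit mode has been removed.
function Get-CIAuditEvents {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id      = 3076, 3077
    } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}
Get-CIAuditEvents | Format-Table -AutoSize -Wrap

# When the audit log shows only expected software, drop audit mode, convert
# and copy the policy again, and the same rules are enforced:
# Set-RuleOption -FilePath $PolicyXml -Option 3 -Delete
```

Any 3076 event for software the organization relies on means the policy needs a signer or hash rule for it before enforcement, which is exactly the signed-malware trade-off the article closes on: a policy trusts whatever its rules trust.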