Microsoft introduces Windows Defender System Guard Runtime Attestation

Microsoft has been striving to help users be in control of their own devices. They have also been working on introducing new features that would help users know the security health of their Windows system. It is very crucial that users should be alerted if important security features fail. It is for this reason that Microsoft has announced Windows Defender System Guard Runtime Attestation.

Windows Defender System Guard Runtime Attestation
Windows Defender System Guard Runtime Attestation

As part of the Windows 10, Fall Creators Update all the system integrity features are reorganized into Windows Defender System Guard. This feature works similar to the Credential Guard and makes use of hardware-rooted security technology in VBS to mitigate the attacks. Generally speaking, the security technologies are targeted by running in the same domain of trust. Privileged processes are designed to isolate such processes so that they are an arm’s length away from harm.

Runtime attestation will help in multiple scenarios. First things first it helps by providing supplementary signals for endpoint detection and response (EDR) and also antivirus vendors. It also helps in detecting artifacts of kernel tempering, exploits, and rootkits. Adding to that the Runtime attestation also helps in securing the sensitive transactions and providing conditional access.

Attestation Mechanism

Windows will be providing an API which will allow relying parties to attest to the state of the device at that particular time. The API will then furnish a runtime report which will further depict the security state of the system. With the help of this, the attestation will provide significant protection tampering. That being said this also gives rise to certain challenges like runtime report should be isolated from an attacker, the isolation should not affect the attestation process negatively, the report should be cryptographically signed so that it is tamperproof in any environment.

Contents of the runtime report

Needless to say, the security metrics that have been generated by the session is important in itself. The Windows Defender System Guard will also provide additional features like the runtime measurement of system security posture. Microsoft likes to call this ‘assertion engine’ and it is based on the idea of measuring and asserting system integrity alongside the security level at boot. With all these new security features in place, Microsoft will be able to set up an unprecedented level of platform security.

Mahit Huilgol has been using Windows on PC and Mobile since long. He has been following Microsoft developments from close quarters and loves writing about it.