More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert


Description

In this final video in the Windows 10 Isolated User Mode series, Dave takes us through several engineering aspects associated with trustlets. First he describes how lsass.exe (the Local Security Authority Subsystem Service, responsible for enforcing security on Windows) can now have a companion process running in the Secure System (LsaIso.exe, otherwise known as Credential Guard, tasked with protecting secrets). He then delves into more generic trustlet concerns and how the Secure Kernel in Isolated User Mode deals with these challenges.

Overall, it was tremendously fascinating to learn some of the great innovations that are happening in the Windows 10 Operating System from the folks that are actually working on the code! I'm hoping to get a lot more content from this wonderful set of engineers and look forward to the great conversations we get to have.

Tag: Kernel


The Discussion

  • Jason Fossen

    Great! Even more in-depth would be nicer. I hope Microsoft will soon release a whitepaper documenting all the details, requirements, limitations, third-party pentesting results, etc. Thanks!

  • Jeroen Frijters

    It would be good to mention that Isolated User Mode is only available on Windows 10 Enterprise and on the Server SKUs.

  • Jonathan Posadowski

    Overall, it was brief but right to the point. Like Jason said, it would be nice to be able to watch whitepaper documentation, or at least a more in-depth look at all these functions for the die-hard fans. Perhaps for a low subscription fee of some sort.

  • timreilly
  • sethjuarez

    @timreilly: Yep! Good catch - I am planning to do more of these with the Windows team (hopefully soon).

  • Spongman

    Great series. More like this please.

  • boundschecked

    Super-informative series.  (Far, far more informative than anything I've seen in writing anywhere.)  Thanks a lot.  Thought I pretty much understood the major security architecture changes that shipped in Windows 10; turns out my knowledge was barely scratching the surface.

    But one important question: when is the new hypervisor/secure silo architecture in general, and the Credential Guard feature in particular, coming to Windows clients that don't use Enterprise licensing and management?  Or maybe put another way, when is the capability to protect identity secrets other than domain identity credentials--like Microsoft Account authentication credentials, as the most obvious non-enterprise example--going to be added to Windows 10?  (And made available at least to Pro edition users.) Also importantly, it sure would be really, really great to see a broadly available Credential Guard capability able to protect credentials used to access 3rd-party network/Internet services with high security requirements (medical records databases, payment processing systems, etc.)

    BTW, are any of these mechanisms the same as those that protect private key storage for the new Passport auth element in Windows 10?  Still a bit confused as to how all these pieces of the Windows 10 security story fit together, I guess. 

    Anyway, I'll just close by throwing out another friendly reminder to keep in mind the small businesses and others who don't have Enterprise domain systems but still have important stuff to protect.  :)  In any event, thanks for the series Ch. 9, and keep up the impressive work Kernel group.       

  • jasony

    how about some configuration walkthroughs. . . .?????
