More on Processes and Features in Windows 10 Isolated User Mode with Dave Probert

Description

In this final video in the Windows 10 Isolated User Mode series, Dave takes us through several engineering aspects associated with trustlets. First he describes how lsass.exe (the Local Security Authority Subsystem Service, responsible for enforcing security on Windows) can now have a companion process running in the Secure System (LsaIso.exe, otherwise known as Credential Guard, tasked with protecting secrets). He then delves into more generic trustlet concerns and how the Secure Kernel in Isolated User Mode deals with these challenges.

Overall it was tremendously fascinating to learn some of the great innovations that are happening in the Windows 10 Operating System from the folks that are actually working on the code! I'm hoping to get a lot more content from this wonderful set of engineers and look forward to the great conversations we get to have.

Tag:

Kernel

    The Discussion

    • Jason Fossen

      Great! Even more in-depth would be nicer. I hope Microsoft will soon release a whitepaper documenting all the details, requirements, limitations, third-party pentesting results, etc. Thanks!

    • Jeroen Frijters

      It would be good to mention that Isolated User Mode is only available on Windows 10 Enterprise and on the Server SKUs.

    • Jonathan Posadowski

      Overall, it was brief but right to the point. Like Jason said, it would be nice to be able to watch whitepaper documentation, or at least a more in-depth look at all these functions for the die-hard fans. Perhaps for a low subscription fee of some sort.

    • timreilly
    • sethjuarez

      @timreilly: Yep! Good catch - I am planning to do more of these with the Windows team (hopefully soon).

    • Spongman

      Great series. More like this, please.

    • boundschecked

      Super-informative series.  (Far, far more informative than anything I've seen in writing anywhere.)  Thanks a lot.  Thought I pretty much understood the major security architecture changes that shipped in Windows 10; turns out my knowledge was barely scratching the surface.

      But one important question: when is the new hypervisor/secure silo architecture in general, and the Credential Guard feature in particular, coming to Windows clients that don't use Enterprise licensing and management?  Or maybe put another way, when is the capability to protect identity secrets other than domain identity credentials -- like Microsoft Account authentication credentials, as the most obvious non-enterprise example -- going to be added to Windows 10?  (And made available at least to Pro edition users.) Also importantly, it sure would be really, really great to see a broadly available Credential Guard capability able to protect credentials used to access 3rd-party network/Internet services with high security requirements (medical records databases, payment processing systems, etc.).

      BTW, are any of these mechanisms the same as those that protect private key storage for the new Passport auth element in Windows 10?  Still a bit confused as to how all these pieces of the Windows 10 security story fit together, I guess. 

      Anyway, I'll just close by throwing out another friendly reminder to keep in mind the small businesses and others who don't have Enterprise domain systems but still have important stuff to protect.  :)  In any event, thanks for the series, Ch. 9, and keep up the impressive work, Kernel group.

    • jasony

      How about some configuration walkthroughs...?
