
Q&A on Microsoft Virtualization, Part 3

Ben Armstrong discusses Windows 10 development and new security features.


Contributing Editor Paul Schnackenburg continues his interview with Ben Armstrong, Microsoft's program lead for Hyper-V.

Ben Armstrong: The thing that really excites me about [using Device Guard to protect a Windows 10 client PC] and it's such a strange thing for someone on the engineering team at Microsoft to say, is that I have no hesitation in saying, "Look, Windows 10 Enterprise with Device Guard enabled is the most secure desktop operating system out there today. Full stop." 

And for years the argument about which is more secure or not has been like a philosophical debate …  You know, the first time we got that working, the idea that we can protect your credentials against a rogue administrative process ... it's the sort of thing like five or 10 years ago if you had sat down with a bunch of computer scientists and said can you solve this problem, they would have said No, that's not the way operating systems work.  So that's the first focus and, as I said, it's an area we're going to be continuing to dig in. 

The second one is providing great tools and experiences for people developing on the Windows platform.  So, of course, we have people using Hyper-V just directly for running different operating systems for development.  We also spend a huge amount of time working with the Visual Studio guys on their various device simulators and building development experiences. Have you played with the Windows Phone and the Android emulator?

Paul Schnackenburg: No, I haven't.

Ben Armstrong: So just to step you through this, if you install Visual Studio 2015 and say I want to do phone development, they'll actually enable Hyper-V and they create virtual machines that have Windows Phone and Android images in them, and you get a very similar experience to a phone on your laptop: press F5 debug, deploy to virtual phone environment. And that's all built on top of Hyper-V.

So those are our two main areas of focus on the desktop.

Paul Schnackenburg: Would you have created Credential Guard if Pass-the-Hash hadn't been around? Were you prompted by it or were you already doing it before?

Ben Armstrong: I mean, we absolutely were prompted by it.  Would we have done it if it wasn't around?  I don't know, possibly.  The two pieces of information ...  the first one is if you go and read up on the architecture and you read about what we call virtual secure mode, we have definitely designed virtual secure mode so that it's an extensible platform that we can do lots of things like that in, and the Credential Guard was just an obvious first choice, and that was largely motivated by Pass-the-Hash. 

The more interesting aspect of this for me was when we started planning Windows 10. In Windows 8.1 we'd done a great job of making Windows work for tablets and touch-based devices and so on, but to be frank we also knew we'd alienated a bunch of our enterprises in that process. And so when we were planning Windows 10 there was a very explicit and clear focus where we spent a bunch of time going out to enterprises and saying, "What do we need to do to make Windows 10 something that you will be happy to deploy?"

And really there were two big pieces of feedback that came through loud and clear. The first one was to lower the bar for training, for bringing someone across from Windows 7, which is where we tooled around with the Start menu and with a lot of the UI to try and come up with something that gives you the goodness of Windows 8, but something that a Windows 7 user could feel at home with.

But the second big thing was, "Anything you can do to make the platform more secure." Enterprises were very clear when they said: "Microsoft, if you can come out with a story where it's unquestionable that Windows 10 is more secure than Windows 7, we will deploy it." And that's been a huge focus across the team. I mean, we've of course done the Credential Guard and Device Guard. I absolutely love the Windows Hello stuff. Have you played with that at all?

Paul Schnackenburg: I've seen video demos. We're going to see some new devices. 

Ben Armstrong: One of the things that I love about Windows Hello and whenever I'm chatting to CIOs, CTOs, and so on, and I point this out, when was the last time an enterprise deployed a piece of infrastructure that made the entire enterprise more secure and made the users happy? 

Paul Schnackenburg: Yes, fair enough!

Ben Armstrong: But that's what Windows Hello does.

Paul Schnackenburg: Yes, yes, that makes sense.

Ben Armstrong: For the business it is more secure, for the user it is easier to use, and that is just such an awesome thing, to pull off that combination! On top of that I love the technology behind it. I don't know if you've had time to look into that, but there's actually been a substantial overhaul of the way we do authentication and credential management to enable this. One of the things that we realised very early on ... we realised the huge power of having a great biometric platform, but the kind of cliché saying is, if someone steals your password you can change your password but if someone steals your face, it's a bit harder.

So one of the interesting things is we get the cool Windows Hello functionality and the underlying infrastructure is the Microsoft Passport infrastructure. The key thing about that is, using that infrastructure, we're able to do biometric authentication where your biometrics, your face, your iris, your whatever: A) never go over the wire, and B) aren't even stored on disk.

And the way we do that is Microsoft Passport is essentially a token-based authorization system where, when you authenticate on a device for the first time, that device produces a token and that token is encrypted with your biometric data; so your face, your iris, your thumbprint is the key to unlock the token. It's not ever stored on disk; it's not ever transmitted. It's the token that's moved around.

Paul Schnackenburg: That's cool.

Ben Armstrong: The reason I work on the engineering team is because I get excited about some things.

About the Author

Paul Schnackenburg has been working in IT for nearly 30 years and has been teaching for over 20 years. He runs Expert IT Solutions, an IT consultancy in Australia. Paul focuses on cloud technologies such as Azure and Microsoft 365 and how to secure IT, whether in the cloud or on-premises. He's a frequent speaker at conferences and writes for several sites, including virtualizationreview.com. Find him at @paulschnack on Twitter or on his blog at TellITasITis.com.au.
