Microsoft has announced that Windows 10 Enterprise will be getting an extra security feature for its Microsoft Edge browser called the Windows Defender Application Guard. It will be designed to run Edge using Microsoft's Hyper-V virtualization technology.
In basic terms, the Windows Defender Application Guard is designed to box in security threats like malware, phishing attacks and even zero-day issues that can impact Microsoft Edge users. The company stated that when the feature is activated, trusted websites open in Edge normally. However, when someone at work goes to a site on Edge that has not been listed as a trusted page, the Application Guard is activated:
Application Guard creates a new instance of Windows at the hardware layer, with an entirely separate copy of the kernel and the minimum Windows Platform Services required to run Microsoft Edge. The underlying hardware enforces that this separate copy of Windows has no access to the user's normal operating environment. Application Guard's enforcement includes completely blocking access to memory, local storage, other installed applications, corporate network endpoints, or any other resources of interest to the attacker. This separate copy of Windows has no access to any credentials, including domain credentials, that may be stored in the permanent credential store.
Even with Application Guard activated, employees can still access the website normally. If a person gets an email designed to send them to a malicious website, Application Guard can jump in to protect the user, and the business network, as well.
In order to proactively keep the user and enterprise resources safe, Application Guard coordinates with Microsoft Edge to open that site in a temporary and isolated copy of Windows. In this case, even if the attacker's code is successful in attempting to exploit the browser, the attacker finds their code running in a clean environment with no interesting data, no access to any user credentials, and no access to other endpoints on the corporate network. The attack is completely disrupted.
Microsoft plans to add Windows Defender Application Guard later this year for Windows Insiders to check out first, before it is released for all Windows 10 Enterprise users sometime in 2017.