Microsoft has announced that Windows 10 Enterprise will be getting an extra security feature for its Microsoft Edge browser called the Windows Defender Application Guard. It will be designed to run Edge using Microsoft's Hyper-V virtualization technology.
Application Guard creates a new instance of Windows at the hardware layer, with an entirely separate copy of the kernel and the minimum Windows Platform Services required to run Microsoft Edge. The underlying hardware enforces that this separate copy of Windows has no access to the user's normal operating environment. Application Guard's enforcement includes completely blocking access to memory, local storage, other installed applications, corporate network endpoints, or any other resources of interest to the attacker. This separate copy of Windows has no access to any credentials, including domain credentials, that may be stored in the permanent credential store.
Even with Application Guard activated, employees can still access the website normally. If a person gets an email designed to send them to a malicious website, Application Guard can jump in to protect the user, and the business network, as well.
In order to proactively keep the user and enterprise resources safe, Application Guard coordinates with Microsoft Edge to open that site in a temporary and isolated copy of Windows. In this case, even if the attacker's code is successful in attempting to exploit the browser, the attacker finds their code running in a clean environment with no interesting data, no access to any user credentials, and no access to other endpoints on the corporate network. The attack is completely disrupted.
Microsoft plans to add Windows Defender Application Guard later this year for Windows Insiders to check out first, before it is released for all Windows 10 Enterprise users sometime in 2017.
