
Microsoft Edge business users will soon get some extra web browsing protection

Microsoft has announced that Windows 10 Enterprise will be getting an extra security feature for its Microsoft Edge browser called Windows Defender Application Guard. It is designed to run Edge using Microsoft's Hyper-V virtualization technology.

In basic terms, the Windows Defender Application Guard is designed to box in security threats like malware, phishing attacks and even zero-day issues that can impact Microsoft Edge users. The company stated that when the feature is activated, trusted websites open in Edge normally. However, when someone at work goes to a site on Edge that has not been listed as a trusted page, the Application Guard is activated:

Application Guard creates a new instance of Windows at the hardware layer, with an entirely separate copy of the kernel and the minimum Windows Platform Services required to run Microsoft Edge. The underlying hardware enforces that this separate copy of Windows has no access to the user's normal operating environment. Application Guard's enforcement includes completely blocking access to memory, local storage, other installed applications, corporate network endpoints, or any other resources of interest to the attacker. This separate copy of Windows has no access to any credentials, including domain credentials, that may be stored in the permanent credential store.

Even with Application Guard activated, employees can still access the website normally. If a person gets an email designed to send them to a malicious website, Application Guard can jump in to protect both the user and the business network.

In order to proactively keep the user and enterprise resources safe, Application Guard coordinates with Microsoft Edge to open that site in a temporary and isolated copy of Windows. In this case, even if the attacker's code is successful in attempting to exploit the browser, the attacker finds their code running in a clean environment with no interesting data, no access to any user credentials, and no access to other endpoints on the corporate network. The attack is completely disrupted.

Microsoft plans to add Windows Defender Application Guard later this year for Windows Insiders to check out first, before it is released for all Windows 10 Enterprise users sometime in 2017.

16 Comments
  • Why not for non-business users?
  • Why not for consumers?
  • Probably because there has to be some reason for enterprises to get enterprise windows ;)
  • This wouldn't be particularly enjoyable for regular consumers. With it running in a VM whenever you initiate it, it will essentially be clean whenever you restart it. No bookmarks, no cookies, etc. It would be like always running in a super incognito mode.
  • I've tried so hard to stay with Edge, but after more than a year I've had to go back to Chrome. Edge just doesn't work and gives 'page not responding' error on almost week website
  • That's odd, 'cause it has been working just fine for me. Not that either of my laptops is very powerful, either.
  • A computer reset will fix this ...
  • Based on the comments I've seen, I swear you and some of the other regular commenters on this website have the worst of the worst bugs 24 hours 7 days a week lol. Such bad luck.
  • Your assessment seems on the money to me as well...
  • From my experience it works pretty well after AU, my main issue is the absolutely appalling favorite management. There is a pretty good "Manage Edge" tool out there which I use at home, but I cannot use it at work, as it requires admin access.
    They should just store favorites in the favorites folder, instead of hiding it somewhere in AppData for no good reason. At the very least they should add an export and import feature.
  • I realize it probably depends on sites visited, extensions added, etc., so we will all have different experiences. But since the AU for me, now that I can add extensions and with numerous fixes to Favorite management, tabs, and more, Edge is now easily my main browser, with Opera and Firefox still being used heavily to help me keep dozens of open tabs more visually separated, and IE11 for a few sites that really need it. I have it installed and use Chrome occasionally, but generally I avoid it because Google.
  • I may have misheard during the stream but thought I heard them say the feature would come to other browsers in Windows down the line. I could be VERY wrong on that but I'd have to go back and rewatch it to be sure.
  • Too bad Edge doesn't work when connected to VPN, in fact, no Windows Store app works when I'm connected to my company's VPN.
  • If they want business users to use Edge, then they should make it easy to manage favorites, like with IE. Why on earth would they hide them in some database file on AppData? They should have stored them in the favorites folder, it was so much better for management and backups. At the very least they should add an export and import feature... You can't sync stuff with an AD account.
  • @Sargon Aelther, I agree that was a step backwards. But I don't think business users care about that, most of whom are not technical and wouldn't do anything like that. For IT managers, company profiles with pre-defined favorites can be set up just fine. For regular users, there is a good third-party program called Edge Manage (http://www.emmet-gray.com/Articles/EdgeManage.html), which is an improvement over the old way in most areas, except you can't drag and drop more than one Favorite at a time. I hope that one limitation will be fixed in a future update.
  • Yes I do use that tool at home already. I especially love the Favicon generation feature. Too bad that it required admin access, so it's not really usable on a standard account. MS should add an export and import feature at the very least, so everyone could do it.