Protection for Windows Edge is a nice start, but Microsoft needs to go a step further and include protection for IE as well as the user’s system.
Windows Defender Application Guard is a new security feature of the Windows 10 operating system that Microsoft revealed back in 2016. The company revealed back then that it would integrate the feature in a future Windows Insider build before shipping it with the new feature update of Windows, the Windows 10 Creators Update.
It appears that the time has come, as information about the feature is now included in Microsoft Edge already.
When you load about:applicationguard right now in the latest Microsoft Edge Insider Build version, you are taken to a welcome screen that highlights the feature to you.
Windows Defender Application Guard
The Welcome Screen reads: Welcome to Windows Defender Application Guard. Windows Defender Application Guard is a lightweight virtual machine that helps isolate potentially malicious website activity from reaching your operating system, apps, and data.
Below that are the three core features of Windows Defender Application Guard:
- Isolated Browsing — Windows Defender Application Guard uses the latest virtualization technology to help protect your operating system by creating an isolated environment for your Microsoft Edge session.
- Help Safeguard your PC — Windows Defender Application Guard starts up every time you visit a non-work-related site to help keep potentially malicious attacks away from your PC.
- Malware Removal — Any websites you visit, files you download, or settings you change while in this isolated environment are deleted when you sign out of Windows, wiping out any potential malware.
Microsoft’s introduction of the feature back in 2016 reveals the underlying technology used to power the feature. According to the article — linked in the first paragraph — it uses Microsoft’s Hyper-V virtualization technology to create a new layer of defense around Microsoft Edge.
This is a sandbox more or less that Edge processes run in if they are not in the list of trusted sites. Trusted sites work exactly like they do right now in the current stable version of Edge. Sites and services have access to local storage, may read and write cookies, and do all the other things they have permission for either automatically or on user request.
The following happens if a site or service is not in the trusted sites list.
Application Guard’s enforcement includes completely blocking access to memory, local storage, other installed applications, corporate network endpoints, or any other resources of interest to the attacker
Microsoft notes that this sandboxed copy has no access to credentials, including domain credentials. Strict no access to anything rules would break sites or services that rely on these features. Application Guard does provide access to “essential features”, and some can be configured via the Grop Policy or other management tools.
If you open the Group Policy editor in the latest Insider Build for instance, you find four application guard specific entries under Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard:
- Turn On/Off Windows Defender Application Guard.
- Block Enterprise websites to load non-Enterprise content in IE and Edge.
- Configure Windows Defender Application Guard clipboard settings.
- Configure Windows Defender Application Guard print settings.
Since Microsoft mentions Internet Explorer in the Group Policy, it seems that at least some of the security feature’s functionality is protecting Internet Explorer users as well.
It remains to be seen how effective Windows Defender Application Guard is in protecting user systems, and how restrictive it is for users to work with.
Microsoft has not revealed yet if Application Guard will be made available to all editions of Windows 10. Also, it is unclear whether the company plans to expand the use of the feature to other applications on the system.