Microsoft Edge Application Guard Takes Center Stage

Microsoft's biggest security announcement this week during its Ignite event for IT pros may have concerned Edge, the company's consumer-oriented Web browser.

The newly announced "Windows Defender Application Guard for Microsoft Edge" technology, which works with the Windows 10 Enterprise edition, could turn Edge into "the most secure browser in the enterprise," suggested Yusuf Mehdi, corporate vice president of the Windows and Devices Group, in an announcement this week.

Microsoft Edge, released with Windows 10, has tended to be a work in progress so far. It's maybe not the first choice of enterprises, as they may still be using Internet Explorer 11 to support their older Web applications. August Net Applications browser-use data generally showed Chrome as the leading browser at 53.9 percent, followed by Internet Explorer (27.3 percent) and Firefox (7.6 percent). The Microsoft Edge browser had a 5.1 percent market share.

Windows Defender Application Guard adds security to the Edge browser using Microsoft's Hyper-V virtualization solution. It leverages the device's hardware to run untrusted sites in a virtual machine. Any malicious actions that might get executed by malware located on the untrusted site are isolated from an organization's network resources in this way.

This hardware-based virtual machine approach for the Microsoft Edge browser resembles the approach Google uses with Chrome OS to protect Chromebook computers. However, by tapping the hardware, Windows Defender Application Guard for Microsoft Edge differs from the software-based sandbox technologies used by other browsers, according to Mehdi:

Unlike other browsers that use software-based sandboxes, which still provide a pathway for malware and vulnerability exploits, Microsoft Edge's use of Application Guard isolates the browser and employee activity using a hardware-based container to prevent malicious code from impacting the device and moving across the enterprise network. This robust security service helps protect enterprises from malware, viruses, vulnerabilities, and even zero-day attacks.

Edge gets protected by a "hardware-based container." It is actually an isolated copy of the browser that has no access to the underlying operating system. The temporary container gets discarded at the end of the session, and any injected malware is deleted with it. This virtualization security approach is used by other Windows 10 features as well, according to a blog post by Rob Lefferts, director of program management for Windows Enterprise and Security:

Hardware-based isolation, with Virtualization Based Security (VBS), is one of the key ways we've hardened against attacks with Windows 10. VBS uses the processors' virtualization extensions to create a hardware-based security boundary between sensitive Windows components and data and the rest of the operating system. With Windows 10, this secure execution environment powered some of our most impactful security features, including Virtual TPM, Device Guard and Credential Guard.

Application Guard blocks access to "memory, local storage, other installed applications, corporate network endpoints, or any other resources of interest to the attacker," Microsoft explained, in an Edge team blog post. The idea is to prevent credential stealing, which can be used to escalate attacker privileges from a single PC, as in so-called "pass-the-hash" attacks.

Under the Application Guard protection scheme, IT pros create a list of trusted sites for employees to use. Application Guard will kick in for the sites that aren't recognized as trusted. Those browser sessions are "visually different" for end users, according to a Microsoft video, which showed a red shield-like icon appearing in the upper left corner of an Edge browser.
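The routing rule described above, a trusted-site list with everything unrecognized sent to the isolated session, is simple to state but has a few edge cases an administrator would want handled. The following Python is an added example, not Microsoft's code and not Application Guard's actual policy format: the trusted-site list and the URLs are constructed for illustration, and the decision logic is an assumption about how such an allow-list should behave. It shows why the check has to run on the parsed hostname rather than on the raw URL string: lookalike domains, credentials embedded before an `@`, non-HTTP schemes and bare IP addresses all fail to match a trusted name.

```python
from urllib.parse import urlsplit

# Constructed trusted-site list for this example (an assumption; this is not
# the policy format Application Guard itself consumes).
TRUSTED_SITES = {"contoso.example", "intranet.corp.example"}


def hostname_is_trusted(host, trusted=TRUSTED_SITES):
    """True if host is exactly a trusted entry or a subdomain of one.

    Matching on a leading dot means 'contoso.example.evil.example' and
    'evilcontoso.example' are NOT treated as subdomains of 'contoso.example'.
    """
    host = host.lower().rstrip(".")  # normalise case and a trailing root dot
    for site in trusted:
        site = site.lower().rstrip(".")
        if host == site or host.endswith("." + site):
            return True
    return False


def classify_navigation(url, trusted=TRUSTED_SITES):
    """Decide where a navigation should run.

    Returns 'host' for recognised trusted sites and 'container' for anything
    else, mirroring the rule that unrecognised sites open in the isolated
    session. Only http/https can ever be trusted here.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return "container"
    # .hostname strips userinfo ('user@') and the port, and lowercases, so
    # 'https://contoso.example@evil.example/' yields 'evil.example'.
    host = parts.hostname
    if not host:
        return "container"
    # A bare IP literal never equals a name on the list, so it falls through.
    return "host" if hostname_is_trusted(host, trusted) else "container"


def route_urls(urls, trusted=TRUSTED_SITES):
    """Classify a batch of URLs; returns a list of (url, decision) pairs."""
    return [(u, classify_navigation(u, trusted)) for u in urls]


if __name__ == "__main__":
    # Constructed sample navigations, including the lookalike cases.
    sample = [
        "https://contoso.example/portal",
        "https://mail.intranet.corp.example/owa",
        "https://contoso.example.evil.example/login",
        "https://contoso.example@evil.example/",
        "http://192.0.2.10/",
        "ftp://contoso.example/",
        "https://CONTOSO.EXAMPLE:8443/x",
    ]
    for url, decision in route_urls(sample):
        print(f"{decision:9s} {url}")
```

The decision is made on `urlsplit(...).hostname` rather than with a substring test on the URL, because a substring test would happily accept the `contoso.example@evil.example` and `contoso.example.evil.example` forms as trusted; in a deployment the same principle applies to whatever mechanism actually enforces the list.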

Windows Defender Application Guard will be available for testing by Windows Insider program participants "in the coming months," according to Mehdi. It'll get rolled out "more broadly next year." So far, Microsoft has described it as just a Windows 10 Enterprise edition offering. The feature isn't shown yet in Microsoft's Windows 10 edition comparison page.

On another security note, Mehdi also announced this week that Microsoft is now enhancing the "threat intelligence sharing" between its Windows Defender Advanced Threat Protection service, which helps organizations perform system log research after security breaches, and its Office 365 Advanced Threat Protection service. The enhancement will permit organizations to "follow the complete chain of an attack from an email." It will reduce the investigation time from "days or weeks to mere hours," Mehdi claimed.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
