Occasionally, for whatever reason, we browse parts of the web we know could be dangerous, where malicious pop-ups, ransomware or other malware could infect our PCs. While no (known) solution is totally safe, Microsoft now has a free, specialized version of its Edge browser specifically designed to protect you online: “Windows Device Application Guard, or WDAG.“
This feature is available in Windows 10 editions:
- Windows 10 Enterprise Edition, version 1709 or higher
- Windows 10 Professional Edition, version 1803
When a person tries to access a site that is not recognized or trusted, the Application Guard creates a new case of Windows which has the ability to support the running of Microsoft Edge browser. This new case of Windows has no access to the user’s normal operating environment, which means that it has no access to local storage, any domain credentials, installed applications, memory etc.
Quote: Microsoft has posted a Browser comparison graph to show that Edge browser had ‘substantially fewer’ vulnerabilities since its launch than Chrome and Firefox, explaining that all the security improvements that the company has been making are paying off.
Windows Defender Application Guard for Windows 10 1803 lets you run Edge in a protected virtualized environment, protecting your PC from possible malicious code.
With the introduction of Windows 10 Version 1803 (April 2018 Update) Windows 10 Professional will now allow you to enable Application Guard. In the past, this option was only available in Windows 10 Enterprise. If you are using Windows 10 Home, you are required to upgrade to Windows 10 pro to use Application Guard.
Note: For this to work your computer will need to have support for “Hyper-V“. Most modern computers will support it, but not all processors have the required SLAT virtualization technology. Please note you cannot use WDAG on the Home version of Windows 10. Microsoft has a list of the actual minimal system requirements.
Update: Microsoft has released a Windows Defender Browser Protection extension (add-on) for Google Chrome allowing an additional layer of protection when browsing online. This is Powered by the same trusted intelligence found in the Microsoft Edge browser. The new Chrome extension is available as a free download from the Chrome Web Store. It also comes with a real-time indicator to notify users about potentially unsecured sites.
Can My Windows 10 Computer Run Hyper-V?
Hyper-V requires a AMD or Intel 64-bit processor that supports Second Level Address Translation (SLAT). SLAT virtualization hardware is now part of recent CPU’s such as; the Intel Core i3, i5, i7, and AMD’s Barcelona CPUs.
Test System CPU for SLAT Using CoreInfo
There are a some free utilities that can test your CPU for SLAT capability. CoreInfo is a command line utility that will work with both AMD and Intel systems.
Intel Processor Identification Utility
Another option for users who have an Intel Processor is a free tool from Intel called the Intel Processor Identification Utility. Just like Coreinfo above, it will tell you if your CPU supports SLAT or not.
The utility will run and check out your system. Click the CPU Technologies tab at the top. If your processor supports SLAT it will display Yes next to Intel VT-x with Extended Page Tables.
Microsoft Edge Application Guard
To turn it on hit the Windows Key and type: features and choose the Turn Windows features on or off option from the search results.
The Windows Features windows will open and you need to scroll down and check the Windows Defender Application Guard option and click OK. Then you will need to restart your system for it to complete.
Notes: If “Windows Defender Application Guard” is not showing as above you are likely either using a Windows 10 Home or you have not upgraded to the Windows 10 April 2018 Update.
Windows will apply the change and ask you to restart the system. Click on the “Restart Now” button to continue.
After restarting, launch the Edge browser. To use the Edge browser with Windows Defender Application Guard, use the Settings menu (…) on the top-right corner and select the option “New Application Guard window.” See image below.
That opens a new instance of Microsoft Edge with Application Guard enabled. You know it’s running because the first tab and outline of Edge will display in red. Also, you will see a small security shield icon displayed on the Edge icon on the taskbar for each instance of Edge that’s using WDAG.
Notes: WDAG performance can be somewhat slow, however that will soon improve.
Note that Edge is now running in a separate environment so favorites, browsing history, and other settings will not be synced up. This feature can come in handy when you need to browse to untrusted sites and want the extra protection. Your session is using a separate Hyper-V virtualized container and is separate from the rest of your Windows 10 system. If a site were to attempt to deliver malware, your computer and its data will be protected.
The Application Guard window will appear as a separate taskbar icon from the normal Microsoft Edge browser one. This icon has a blue Edge “e” logo with a gray shield icon over it.
Using the Application Guard on Edge will disable all extensions for the new instance. Features such as page pinning, developer tools, casting, read aloud, etc will not be available. The normal use of Edge browser is not affected. You can perform basic actions like copy and paste, printing, etc.
To disable the Edge Application Guard, open the Windows Features and uncheck the checkbox next to “Windows Defender Application Guard”, then save the change.
With the Application Guard active, Edge may launch document viewers or other types of applications if you download and open them. When a application is running in Application Guard mode, a gray shield icon appears over its taskbar icon. See image below.
In Application Guard mode, you cannot use Edge’s Favorites or Reading list features. Any browser history you create will also be deleted when you sign out of your PC. All cookies from the current session will be cleared when you sing out of your PC, too. This means you’ll have to sign back into your websites every time you start using Application Guard mode.
Downloads are also limited. The isolated Edge browser cannot access your normal file system, so you cannot download files to your system or upload files from your normal folders to websites in Application Guard mode. You cannot download and open most types of files in Application Guard mode, including .exe files, although you can view PDFs and other types of documents. Files you download are stored in a special Application Guard file system, and are erased after you sign out of your PC.
Other features, including copy and paste and printing, are also disabled for Application Guard windows.
Microsoft added some options to remove these limitations, if you like, but these are the default settings.
Is browsing with Chrome safer than browsing with Edge WDAG?
As you might expect, that’s not an easily answered question. Basically, Chrome has existed for years, and has built up its defenses over time—including a new site isolation capability that helps better isolate one tab from another. The new Edge WDAG has not yet built up that same history of comprehensive third-party testing.
Windows Defender Application Guard provides fairly reliable protection when it comes to protecting a Windows 10 machine from Internet threats. It may well be worthwhile to install and use the protection on computers. Microsoft have released a Windows Defender Browser Protection extension (add-on) for Google Chrome. The new Chrome extension is available as a free download from the Chrome Web Store.
WDAG creates a temporary instance of both Windows and Edge – a small version of the OS and the browser – in a virtualization environment built with Windows’ HyperVisor. Every line from the temporary environment, the virtual machine, to the real system is closed, so that there is little interaction between the web session and the machine.