Here's how Microsoft is using containerization to protect Edge users

Windows Defender Application Guard locks untrusted browsing sessions away from the rest of the OS

One of the biggest security risks for computer users is their web browser. According to Microsoft, 90 percent of phishing emails use the browser to initiate attacks, which can then be used to help attackers establish a beachhead inside a company.

Microsoft is aiming to better protect users and organizations from the threats that they face with a new feature called Windows Defender Application Guard. It's designed to isolate Microsoft Edge from the rest of the files and processes running on a user's computer and prevent computer exploits from taking hold.

This is a move that could drive greater adoption of Microsoft's browser in the enterprise, at a time when the company is fiercely competing with Google in that space. Security of company assets is a big problem for enterprises, and Microsoft is offering them another way to help protect their users without requiring those users to be security experts.

Here's how it works: when users navigate to untrusted websites in Edge with the feature enabled, Microsoft’s browser launches new sessions that run in virtualized containers on their Windows 10 PCs and tablets.

In the event there’s malicious code on those sites that tries to deploy on users’ machines, it gets deployed into the container, isolated from the operating system and everything else.

When users quit their Edge sessions, the container is destroyed, and the malicious code is supposed to go along with it, thereby protecting users from whatever payload they may have been exposed to.

According to Rob Lefferts, Microsoft's director of program management for Windows Enterprise and Security, the other key thing about the feature is that the container’s isolation is enforced using a secure root of trust that runs on the computer’s processor itself.

While Application Guard is a powerful capability, that capability comes at a cost. Because the container is destroyed whenever a user quits Edge, any cookies or cached items accumulated during that session go with it. In other words, even if users check the "Remember Me" box on a website, they'll have to log back in the next time they open Edge. Virtualizing Microsoft's browser will also lead to some loss of performance.

IT administrators will be able to set the service up to whitelist certain trusted sites, which will run in a traditional, non-containerized form, so users get the same browsing experience they're used to from those sites.
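As an added illustration of the trusted-site setup described above (this is not code from the article, and the article itself names no configuration mechanism), the PowerShell below assumes the configuration surface Microsoft later shipped for the feature: the `Windows-Defender-ApplicationGuard` optional feature and the Network Isolation policy values under `HKLM\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation`. The domain names are constructed for the example.

```powershell
# Added example, not from the article: enable Windows Defender Application Guard
# and declare the trusted sites that open in the normal, non-containerized Edge.
# Assumption: the later-shipped Windows-Defender-ApplicationGuard optional feature
# and the NetworkIsolation policy key. Run in an elevated PowerShell session on
# a Windows 10 Enterprise machine.

#Requires -RunAsAdministrator

# 1. Turn the feature on (a reboot is needed before it takes effect).
$feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
}

# 2. Define the trusted sites. Every site NOT on these lists is treated as
#    untrusted and opened inside the container. Domains are constructed examples.
$trustedCloudResources = @(
    'intranet.example.com',
    'mail.example.com'
)
$neutralResources = @(
    'login.example.com'   # reachable from both the host browser and the container
)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
if (-not (Test-Path $policyKey)) {
    New-Item -Path $policyKey -Force | Out-Null
}

# The policy values are pipe-separated domain lists.
Set-ItemProperty -Path $policyKey -Name 'EnterpriseCloudResources' `
    -Value ($trustedCloudResources -join '|') -Type String
Set-ItemProperty -Path $policyKey -Name 'NeutralResources' `
    -Value ($neutralResources -join '|') -Type String

# 3. Read the values back so the allow list can be reviewed before the reboot.
Get-ItemProperty -Path $policyKey | Select-Object EnterpriseCloudResources, NeutralResources
```

The script writes the same registry values that the corresponding Group Policy settings would set; on domain-joined machines the policy object is the better place to manage them. Keep the trusted list as short as possible: every domain on it bypasses the container, so each entry should be a site the organization actually controls or trusts.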

Lefferts cautioned that the feature won't be right for every organization, or even every employee.

"It is really [for] environments that want to run locked-down browsers," he said in an interview. "Finance organizations, healthcare organizations, a whole slew of military organizations that I talk to."

Microsoft is still in the process of building the feature, and will be rolling it out to Windows Insiders in the coming months. The company expects Windows Defender Application Guard to be generally available some time in 2017, for organizations that are subscribed to the Windows 10 Enterprise E3 and E5 plans.

That means there are still some questions left unanswered about what Windows 10 Application Guard will mean for users. For example, the company isn't saying yet what sort of impact running Edge in a container will have on its performance.

Lefferts said that the company is still working on getting the performance right, and wants to make both the Edge startup experience and the browsing experience feel good to users.

Looking forward, Microsoft may make the same containerization technology available to other applications, Matt Barlow, the corporate vice president for Windows Marketing, said during a press conference. But right now, the company is working to ship the first version of the feature.

Windows Defender Application Guard is one of a number of security-focused announcements that the company made at its Ignite conference in Atlanta, Georgia on Monday. It also announced that Windows Defender Advanced Threat Protection and Office 365 Advanced Threat Protection will share intelligence across both services to provide IT administrators with an easier way to manage threats.

The company is also releasing a new Secure Productive Enterprise service, which gives companies an easy way to buy a suite of its advanced security capabilities across Office, Windows and its Enterprise Mobility + Security suite.


Blair Hanley Frank

IDG News Service