How Microsoft Edge's hidden WDAG browser lets you surf the web securely
- 19 September, 2018 08:09
Occasionally, for whatever reason, we browse parts of the web we know could be dangerous, where malicious pop-ups, ransomware or other malware could infect our PCs. While no solution is totally safe, Microsoft now has a free, specialized version of its Edge browser specifically designed to protect you online: Windows Device Application Guard, or WDAG.
WDAG was originally developed for Windows 10 Enterprise, protecting companies with billions of dollars at stake. Now that same protection has migrated to Windows 10 Pro—sorry, Windows 10 Home users—as an optional feature that you can turn on within Windows, for free. It debuted on Windows 10 Pro as part of the Windows 10 April 2018 Update, and will receive some new features as part of the October 2018 update, too.
You may have heard that Google Chrome works by “sandboxing” your browser, isolating the browser renderer and protecting Windows, other PCs on the network, and other devices from malware. WDAG takes sandboxing a bit further, using your PC’s capability for virtualization to protect against malware escaping from the browser. Essentially, Windows is creating a small “virtual” OS and browser for every untrusted browser session (and not every tab), and isolating it from the rest of your PC. Even if malware manages to crash the browser, the idea is that the rest of your PC will remain untouched.
Is browsing with Chrome safer than browsing in an Edge WDAG tab? As you might expect, that’s not an easily answered question. While security experts seem to think highly of WDAG’s sandbox implementation, WDAG does come with some limitations, which we’ll discuss further.
Microsoft Edge (apparently without WDAG enabled) was hacked several times in the Pwn2Own 2017 hacking competition, while Chrome remained untouched. Edge was also hacked in the March 2018 competition. But the bottom line seems to be that Chrome has existed for years, and has built up its defenses over time—including a new site isolation capability that helps better isolate one tab from another. Edge WDAG doesn’t yet seem to have built up that same history of comprehensive third-party testing -- though it doesn't necessarily mean that it's any less safe.
Right now, it's safe to say that browsing with Chrome and a coterie of security plugins is more convenient, though.
WDAG—a true hidden feature of Windows
Normally, when we review the semi-annual feature updates for Windows 10, we include a “best hidden features” companion article—a sort of junior-varsity list of features that hide deep within the OS. WDAG was significant enough to make our review, but it certainly qualifies as hidden. In the October Update, though, it will emerge from the shadows.
WDAG requires two elements to work: Windows 10 Pro (updated to the April 2018 Update or beyond) as well as a 64-bit, Hyper-V capable processor. Generally speaking, most sixth-, seventh- and eight-generation Intel Core chips will include this capability, and many AMD64 chips will as well. Don’t worry too much about researching this information, however—if your PC supports both of these, WDAG will be enabled.
To find it within the April 2018 Update, you’ll need to open your PC’s Control Panel, then open the Turn Windows features on and off menu. Here you’ll find a list of all the features that lie deep within Windows, but don’t necessarily need to be enabled. Scroll down to the Windows Device Application Guard box and toggle it on. If you're running the October 2018 Update, simply navigate to the Settings menu (Settings > Update & Security > Windows Security (AKA Windows Defender) > App & browser control) and then down to "Isolated browsing".
WDAG uses a subset of the Hyper-V virtualization technology that allows you to create virtual machines—self-contained versions of Windows—within Windows 10 Pro. But according to a Microsoft support document, you don’t need to toggle on Hyper-V to use WDAG. WDAG will take care of it itself. After toggling on WDAG and exiting the Features list, Windows will hunt around a bit for the proper software and then ask to reboot the PC. After a small update is applied, your PC will be ready to browse the web with Edge WDAG enabled.
If you're in the Oct. 2018 Update, you'll also be able to choose between some Settigngs options that will add some convenient functionality that is turned off in the earlier version, like the ability to print. Enable them if you feel like it.
Browsing the web with Edge and WDAG
Using WDAG to browse the Web with Edge is about as simple as it’s designed to be. To do so, open Edge, and from the ellipsis (three-dot) menu in the upper right, select New Application Guard window.
Application Guard requires some initialization time as the virtual machine spins up. (It took a minute or so on a Surface Pro 4 as well as a Surface Book 2, so it might be somewhat dependent on whether your laptop includes an SSD.) Fortunately, Edge WDAG doesn’t require that same setup time if you open subsequent WDAG tabs, and launching another session is much quicker, too.
Once the WDAG window is opened, the bright-red Application Guard label in the upper left corner distinguishes it from other Edge windows. (It's black on Oct. 2018 Update builds.) On the taskbar, a small shield icon overlays the task icon, indicating that a WDAG window is in use. Note that you can also open an InPrivate private-browsing window within a WDAG environment, for an additional layer of privacy.
Right now, WDAG is built for security, not speed or (to be honest) even convenience. The Settings menu doesn’t allow much flexibility, with most options grayed out. (Edge itself doesn’t seem to offer any dedicated WDAG controls, either.) Here’s a list of WDAG limitations in the April 2018 Update edition of WDAG, as of press time:
- You can’t import Favorites. Nor can you cut and paste a URL from another, non-WDAG window—or from a WDAG window to anywhere else.
- Most downloads are currently blocked.
- Extensions are disabled.
- WDAG doesn’t offer any way of blocking ads, so there’s still the possibility that you’ll see a deceptive ad, or one that takes you to a website where you’re encouraged to enter personal information. All WDAG does is secure the browser window.
Note that the October 2018 Update allows you to download files, and print, and cut and paste URLs in and out of WDAG, if you enable them via the Settings, above.
Also, if WDAG is enabled in Windows 10 Enterprise, system admins can set a persistence policy, which allows you to navigate to a site within WDAG and add it manually to the Favorites menu. It will then persist until the next session. That capability doesn’t appear in the Windows 10 Pro version. And even though you can “download” something, it doesn’t mean you can actually use it; WDAG’s protected Downloads folder doesn’t seem to be user-accessible. (It is in the Enterprise version, Microsoft points out.)
Your WDAG browser history, though, is preserved until you sign out of your PC. Naturally, you can clear your history from within Edge, or use InPrivate for even more covert browsing.
Still, WDAG performance can be somewhat slow. WDAG is built for one thing: browsing the Web and keeping you secure, and that works best in a text-based environment. If you want to surf a site and download something you probably shouldn’t, though, that probably won’t work either.
While WDAG may protect your browser, however, it can’t do anything to protect you from thinking your browser might have fallen prey to malware. WDAG doesn’t seem to do anything to prevent a webpage from launching another tab, or block pop-up scams from appearing.
A pop-up scam will launch a browser popup with an apocalyptic message, claiming, for example, that your PC will remain infected until you call the number listed in the message. They’re sometimes accompanied by a klaxon, a siren, or an automated voice warning that leaving the website will disable your PC. In my case, one pop-up refused to yield when I tried to close the browser or the taskbar, and I was forced to reboot my machine. That’s the kind of headache a good ad-blocker or script-blocker can help avoid. Edge WDAG doesn’t support these, yet.
So if Edge WDAG is a browser that doesn’t let me download anything, or save Favorites, or protect against the kind of pop-up takeovers that cause relatives to call you in a panic, what good is it?
Right now, WDAG isn’t an ideal solution. To get there, Microsoft needs to add extension support so sites don’t have the power to trigger pop-up takeovers. It would be nice to be able to right-click a link in Edge and open it in a WDAG window. While download capability isn’t essential, it would be nice -- though a security risk, too. Chrome’s sandbox, loaded up with a few script-blocking and ad-blocking extensions, can provide a decent alternative.
This may indicate why Microsoft has been a bit shy about WDAG. Though it noted WDAG’s addition to the Insider builds before the launch of the April 2018 Update, it didn’t exactly trumpet it to the public.
WDAG doesn’t cost a dime, though, and with a little polishing Edge could have an enterprise-class security solution that’s friendly enough for a consumer to use. WDAG’s not a guarantee that your browser won’t be hacked, and it won’t prevent you from carelessly giving up personal information. But it is an added layer of protection, and worth keeping in mind as Microsoft continues developing Edge.
This story was updated at 3:07 PM on Sept. 18, to add details of the version of WDAG found within the Windows 10 Oct. 2018 Update and an explainer video.