This content is part of the Conference Coverage: Microsoft Ignite 2016 conference coverage

Windows 10 Edge browser security gets a hand from virtualization

The upcoming Windows Defender Application Guard feature in Microsoft's Windows 10 Edge browser will help IT departments protect against malware from compromised websites.

ATLANTA -- A new feature in the Microsoft Windows 10 Edge browser could help mitigate one of the biggest threats to an organization's security defenses: its own users.

Windows Defender Application Guard (WDAG) will protect organizations from malware if users visit compromised websites or click malicious links within other content. The feature, based on technology from security software provider Bromium, uses virtualization to prevent malware from spreading to the rest of the device or to the corporate network. 

"It's a good idea for a way to protect us," said Jeremy Malcom, lead analyst at a manufacturing company in Atlanta. "We run the gamut of employees, especially older employees, clicking on links they shouldn't click."

Edge, the default web browser in Windows 10, provides an alternative to Microsoft's more complex legacy browser, Internet Explorer. WDAG, which Microsoft announced at its annual Ignite conference, will be available for Edge in Windows 10 Enterprise next year, the company said.

How Windows Defender Application Guard works

When a user opens the Windows 10 Edge browser, WDAG creates a container that isolates malware at the hardware level. The feature works when users find themselves on a compromised website, and it also protects against phishing attacks. If a user receives and clicks on a malicious link in an email, for instance, WDAG creates a new secure container in the PC as soon as that website opens. The virtual container in WDAG is different from other internet browser security technologies that use sandboxing.                                                          

"It would be a huge tool to prevent viruses," said an IT manager at a small business in Denver. "Emailed links would be protected, and that's a big deal. If it works well ... that would be great."

Required hardware specifications for WDAG

  • 64-bit Windows
  • Unified Extensible Firmware Interface 2.3.1 or greater, with Secure Boot security standard
  • Virtualization extensions such as Intel VT-x, AMD-V and second-level address translation
  • Input/output memory management unit support such as Intel VT-d and AMD-Vi
  • Basic input/output system lockdown

Still, WDAG has a few required hardware specifications, which means some older Windows 10 PCs may not be able to take advantage. Plus, WDAG doesn't eliminate the issue of malicious websites, because there will still be users on other browsers, the IT manager said.

"So many people don't use Edge," he added. "They'll use Google Chrome, Firefox, Explorer and others, so it would be great if it worked for those too."

Bromium, however, supports those browsers, as well as Windows 7, Windows 8 and any Windows 10 PCs that don't have WDAG's required hardware specs. The company's own product also protects against potentially risky documents, email attachments and downloads, in addition to compromised websites.

Why use WDAG for Edge browser security?

The selling point for WDAG is that it comes with Edge as part of Windows 10 Enterprise, whereas organizations would have to purchase Bromium as a separate product. WDAG will eventually be available for other web browsers, Microsoft said.

"There really isn't anything that compares with Application Guard," said Patrick Moorhead, president at Moor Insights & Strategy, a technology analyst firm in Austin, Texas. "It's very unique. Malware can't access the file system or any network resources."

Industries with high security standards will be interested in this tool, including government, healthcare and finance, Moorhead said.

Next Steps

Find out how Edge's Web Notes work

Learn the details of how Edge improves browser security

How to deal with the change in IE support

Dig Deeper on Web browsers and applications