September 27, 2016 9:00 am

Introducing Windows Defender Application Guard for Microsoft Edge

We’re determined to make Microsoft Edge the safest and most secure browser. Over the past two years, we have been continuously innovating, and we’re proud of the progress we’ve made. This quality of engineering is reflected by the reduction of CVEs when comparing Microsoft Edge with Internet Explorer over the past year.

Chart showing total numbers of CVEs for each browser according to the NVD. Edge lists the fewest with 122; Chrome, 233; Firefox, 232.

Browser vulnerabilities (as of September 2016) for Microsoft Edge, Chrome, and Firefox (per the National Vulnerability Database) since Microsoft Edge was released.

While no modern browser—or any complex application—is free of vulnerabilities, the majority of the vulnerabilities for Microsoft Edge have been responsibly reported by professional security researchers who work with the Microsoft Security Response Center (MSRC) and the Microsoft Edge team to ensure customers are protected well before any attacker might use these vulnerabilities in the wild. Even better, there is no evidence that any vulnerabilities have been exploited in the wild as zero-day attacks.

However, many businesses worldwide have come under increasing threat of targeted attacks, where attackers are crafting specialized attacks against a particular business, attempting to take control of corporate networks and data. For the most security-conscience businesses, we are introducing a new layer of defense-in-depth protection: Windows Defender Application Guard for Windows 10 Enterprise. Application Guard provides unprecedented protection against targeted threats using Microsoft’s Hyper-V virtualization technology.

Understanding targeted attacks against large Enterprises

The threat landscape has changed significantly in recent years. Today, over 90% of attacks use a hyperlink to initiate the attack to steal credentials, install malware, or exploit vulnerabilities.

Diagram showing the anatomy of a typical attack; an attacker first enters (via browser or doc exploits, malicious attachments, etc); then establishes (service compromise, exploit or attachment execution, use of stolen credentials); then expands (kernel exploits, kernel-mode malware, etc.). The attacker endgame is business disruption, lost productivity, data theft, espionage, ransom, etc.

This is damaging not only to the business attacked, but also to the thousands, if not millions of users whose accounts and personal data may be stolen. Highly motivated and persistent attackers will often start with a social engineering trick: creating a well-crafted and personal email to known employees of the company. This email, which will often appear to be from a legitimate authority in the company, may ask the employee to click a link to read a supposedly important document. Unfortunately, that link is to a specially crafted malicious web site that may use a previously undisclosed vulnerability to install malware on the user’s machine. Once established on that single computer, the attackers can then steal credentials and start to probe the rest of the network for other vulnerable machines, repeating the process on other computers until they achieve their objective, whether that is stealing data, intellectual property, or disrupting the business.

Breaking the attacker playbook

We’re taking a systematic approach to disrupting these attackers by providing our customers with the tools they need to defend against these vectors of attack. Application Guard is designed to stop attackers from establishing a foothold on the local machine or from expanding out into the rest of the corporate network.

By using our industry leading virtualization technology, potential threats are not only isolated from the network and system, but will be completely removed when the container is closed.

Digging deeper into Application Guard

Application Guard leverages virtualization technology born in the Microsoft Cloud to accomplish this disruption.

When a user browses to a trusted web site, for example an internal accounting system web application, Microsoft Edge operates as it does today. It has access to local storage, can authenticate the user to internal sites with corporate credentials, standard cookies work, the user can save files to the local machine, and in general Windows just works. This mode, outlined in blue in the chart below, is known as the Host version of Windows.

Diagram showing two Windows instances running on the same device, managed by Hyper-V. The "host" operating system runs Edge trusted sites. The Application Guard instance runs a new instance of Windows, including minimum Windows Platform Services and an entirely separate kernel, which has no access to the normal operating environment.

Application Guard isolates untrusted sites in a new instance of Windows at the hardware layer.

However, when an employee browses to a site that is not recognized or trusted by the network administrator, Application Guard steps in to isolate the potential threat. As shown in the mode outlined in red above, Application Guard creates a new instance of Windows at the hardware layer, with an entirely separate copy of the kernel and the minimum Windows Platform Services required to run Microsoft Edge. The underlying hardware enforces that this separate copy of Windows has no access to the user’s normal operating environment.

Application Guard’s enforcement includes completely blocking access to memory, local storage, other installed applications, corporate network endpoints, or any other resources of interest to the attacker. This separate copy of Windows has no access to any credentials, including domain credentials, that may be stored in the permanent credential store.

Most of the time, even untrusted sites are not malicious and perfectly safe to visit, and the user just expects them to work. This isolated environment allows these sites to function essentially as they would if they were running on the host version of Windows. In this case Application Guard does provide the essential features that users would expect to work, even when browsing untrusted sites, such as being able to copy and paste with the Windows clipboard, and being able to print content from those web sites to their work printer. This allows the user to still be productive even while the host is being protected by Application Guard. The enterprise administrator has control over this functionality using Microsoft management tools and policy, and can choose what they are comfortable with based on their own risk assessment.

Defense-in-depth isolation for enterprises

To improve on the security offered by purely software based sandboxes, Microsoft worked with several enterprise and government customers on a hardware based isolation approach to address these concerns. With Application Guard, Microsoft Edge protects your enterprise from advanced attacks that can infiltrate your network and devices via the Internet, creating a safer, worry-free browsing experience for customers.

But what happens when the untrusted site is actually part of an attacker’s malicious plan?  Let’s revisit the attack described above. An attacker sends a well-crafted email to an innocent employee of the company enticing them to visit a link on a site under the attacker’s control. The innocent user, not noticing anything suspicious about the mail, clicks on the link to an untrusted location. In order to proactively keep the user and enterprise resources safe, Application Guard coordinates with Microsoft Edge to open that site in a temporary and isolated copy of Windows. In this case, even if the attacker’s code is successful in attempting to exploit the browser, the attacker finds their code running in a clean environment with no interesting data, no access to any user credentials, and no access to other endpoints on the corporate network. The attack is completely disrupted. As soon as the user is done, whether or not they are even aware of the attack having taken place, this temporary container is thrown away, and any malware is discarded along with it. There is no way for the attacker to persist on that local machine, and even a compromised browser instance has no foothold to mount further attacks against the company’s network. After deletion, a fresh new container is created for future browsing sessions.

Web developers and Application Guard

The good news for web developers is that they do not need to do anything different with their site code – Microsoft Edge renders sites in Application Guard fundamentally the same way it does in the host version of Windows. There is no need to detect when Microsoft Edge is running in this mode, nor any need to account for behavior differences. Since this temporary container is destroyed when the user is done, there is no persistence of any cookies or local storage when the user is finished.

We’re committed to keeping Enterprise users and data safe and secure

Our mission at Microsoft is to empower every person and every organization on the planet to achieve more. With Windows Defender Application Guard, enterprise users can take advantage of the vast power of Internet sites and services while still protecting corporate and personal data. This capability makes Microsoft Edge the most secure browser for the Enterprise.

Windows Defender Application Guard for Microsoft Edge will become available to Windows Insiders in the coming months, and roll out more broadly next year.

― John Hazen, Principal Program Manager, Microsoft Edge
― Chas Jeffries, Principal Program Manager, Application Guard

Updated June 28, 2018 7:29 am

Join the conversation

  1. Awesome,
    When/How can I get this ?
    I want to use this on my Surface Pro 4, as soon as possible,
    I want to share this with my customers/partners/friends.


    • Windows Defender Application Guard for Microsoft Edge will become available to Windows Insiders on Windows 10 Enterprise in the coming months, and roll out more broadly next year.

  2. So what does this mean for IE (which you haven’t mentioned) and non-Enterprise users?

    Edge still only represents about 2% of the hits to our website, suggesting (at least among our largely corporate audience) this isn’t going to address the right audience.

    I’m also a little disappointed at the high number of vulnerabilities found in Edge. Given how much smaller it is than Chrome and Firefox, and that it’s been developed nearly from scratch, with, hopefully, a much higher emphasis on security, shouldn’t it have a considerably lower number of vulnerabilities?

    I personally occasionally use Edge (it’s not the default on any of my Win10 devices) and I’m finding I’m using IE less and less, while Chrome more and more… It just works…

    • If an enterprise is using IE as the default desktop browser, or when users are electing to use IE, the admin can still enable Application Guard and designate a trusted sites list. When the user attempts to open a site that is untrusted, Application Guard will launch Edge in an Application Guard isolated container. – Chas

  3. Nice information.
    Can you make one clarification for me? Does App Guard uses VSM environment (secure VM instance) where Isolated User Mode & Secure Kernel Mode are executed or it uses separate VM for own purposes?

    • Good question. Application Guard is not dependent on Virtual Secure Mode (VSM) and, as you allude to, it uses a separate virtual machine environment to isolate Edge from the host. Our recommendation will be to use Application Guard as well as our VSM technologies to provide the most secure experience for Windows 10 in the enterprise. – Chas

      • Now this is a feature we can enable in Windows 10 Enterprise Insider. Is there any available documentation for it?

  4. So just to be clear, this is basically another sandbox, which starts a private browsing session implicitly for each site and disables the entire password manager?

    • Not quite. While the instance of Edge that is running in Application Guard is isolated from the host, it won’t necessarily be an InPrivate session, unless the user chooses to start InPrivate browsing in the session. Sites are not isolated from each other during the session, so for each new tab the user may open for untrusted sites will be accessible to session, until the isolated container’s session ends. Nothing is saved from session to session, so it’s accurate to say that a password manager used in the isolated session won’t persist to future sessions. Sites that users frequently visit and are deemed trustworthy by the enterprise could be added to the enterprise site list and then tools like password managers would continue to work. – Chas

  5. What does this mean for mixed content sites? (Trusted domains that for some reason end up loading resources from domains that would otherwise be loaded on a Application Guard-ed instances of Edge) Would the whole thing be reloaded under Application Guard? Can the session be transferred to the Application Guard environment? Or would the user have to log-in/navigate/etc again to the previous state?
    What about non-trusted (but otherwise benign sites) that require cookies to ease experience for the user? Do I have to do double-factor authentication every time to use my personal email?

  6. Will the user be able to manually initiate an AG session much like InPrivate? or will it be only controlled through policy? Manual should be an option.

    Ideally, I should be able to create a policy that makes AG the default behavior with white listed exceptions.

    Also, bump for IE support…and really any other app. Maybe right-click, run in AG container.

    Don’t make the mistake of trying to use this great idea as a wedge to push people to use Edge or other modern apps over Win32 apps.

  7. Sounds like a great approach. How about to use classics like Adobe Flash or other browser plug-ins? And is there a Application Guard Management, to clean-up infected Application Guard Sessions?

  8. On Windows Server 2016, Edge does not seem to be available as an app, although edgehtml.dll, the engine is still present. In some preview builds of WS 2016, the use of the Edge engine was available for Internet Explorer 11, but not in the RTM. Any of these are possible: 1. Enable the full Edge GUI; 2. Enable the use of edgehtml.dll instead of mshtml.dll in IE 11; 3. Use another app to browse the web with edgehtml instead of mshtml, a Microsoft or thrid party app ? A third party browser like Firefox or Chrome is not desired, and edgehtml is highly preferable to mshtml .

  9. Will there be any form of this for Windows 10 Home/Pro? Cause there will often be websites that seem sketchy but I wanna try them anyways without creating a whole new virtual machine. I would love this feature SO MUCH

    • Microsoft Hyper-V(which is required by this feature) is only on Windows, and also virtualization is a resource intensive feature, it can’t be done on mobile devices(presently),

      And also, other browsers like- Chrome, firefox etc are not controlled or owned by Microsoft, so they can’t implement that feature in it, or If they want to do so, they would have to do it for all the apps on windows(any feature like- Run this app in sandbox).

      So, you can understand!

  10. Will this feature work with Hyper-V disabled via the bcdedit setting “hypervisorlaunchtype off”?

    To run VMWare Workstation, Hyper-V must, unfortunately, be disabled.

  11. No answers from Microsoft for 4 months now – I hope someone is still watching this thread…
    Is the Trusted Site list for Application Guard a new site list, or is it the same as Edge is using today (1607) already?

  12. Is it possible to deliver this automatically when using InPrivate mode? When browsing to sketchy sites, I always use private browsing.

  13. Nice to see these features being developed, but a shame to see Pro and Home customers (including small businesses!) being treated as second class: why can’t we have these features too?! (As it happens, I’ve pushed Chrome out via GPO and we use that rather than Edge in general anyway – but having to jump through extra hoops to buy via a third party “volume” channel to get all the security features is very irritating, having already paid for the “Pro” version.)