Application Guard runs Microsoft Edge in a virtual machine on Windows 10
Microsoft plans to integrate a new security feature called Application Guard in the next feature release of Windows 10, which will be out in 2017.
The main idea behind the first iteration of the feature is to run the web browser Microsoft Edge in a lightweight virtual machine for improved security and protection against attacks.
Attackers who plan on attacking Microsoft Edge on Windows 10 would not only have to find a viable exploit for the browser to work with, but also a way to get through the browser's sandboxing and the new layer by Application Guard.
There are two downsides that need to be mentioned. First, Microsoft plans to make it available in the Enterprise version of Windows 10 only. Second, only Microsoft Edge will benefit from the feature at first.
Application Guard for Windows 10
Microsoft won't make an API available or provide access to other products, at least not at first.
Ars Technica reports that Microsoft is aware that the feature would be welcomed by Home users, small businesses and software companies alike, as it would improve overall security.
Other web browsers, such as Firefox or Chrome, and high-profile applications such as Microsoft Office would benefit from the added security just like Edge does.
Bringing Application Guard, or a subset of the feature, to Home and Pro versions of Windows 10 may not be as easy as it sounds. Virtual environments persist only for the duration of a session, which means that mundane things such as cookies won't be available the next time a browser is booted.
This may be acceptable in Enterprise environments, but might confuse Home users who would expect their login to work across sessions, according to Microsoft.
Windows 10's Virtualization Based Security (VBS) has technical demands on top of that. Since it requires the Hyper-V hypervisor, it requires a CPU that supports hardware virtualization and I/O virtualization.
Additionally, if the solution is enabled on a machine running Windows 10, other virtualization environments may not be used at the same time.
Last but not least, virtualization comes with performance costs. Microsoft did not reveal details about those, though. Considering that we are talking about lightweight virtualization, it seems likely that the cost won't be as high as it is with other virtualization environments installed on a machine.
The company plans to add a set of policies to Windows 10 Enterprise that allows system administrators to mark sites as trusted or untrusted, and to allow certain operations for untrusted sites such as copying to the clipboard or printing.
The idea of using a lightweight virtualization environment to run high-profile applications makes sense. You may already do something similar using solutions such as Oracle's VM VirtualBox or VMware Workstation.
It remains to be seen how well the feature works once it gets released. It will be launched for Windows 10 Insider Builds first, later in 2016.
Now You: Do you use virtual environments?