Understanding the new Microsoft Edge Application Guard released with Windows 10 1803

Occasionally, for whatever reason, we browse parts of the web we know could be dangerous, where malicious pop-ups, ransomware or other malware could infect our PCs. While no (known) solution is totally safe, Microsoft now has a free, specialized version of its Edge browser specifically designed to protect you online: "Windows Defender Application Guard", or WDAG.
This feature is available in Windows 10 editions:
  • Windows 10 Enterprise Edition, version 1709 or higher
  • Windows 10 Professional Edition, version 1803

When a person tries to access a site that is not recognized or trusted, Application Guard creates a new instance of Windows that is able to run the Microsoft Edge browser. This new instance of Windows has no access to the user’s normal operating environment, which means that it has no access to local storage, domain credentials, installed applications, memory, and so on.
Quote: Microsoft has posted a Browser comparison graph to show that Edge browser had "substantially fewer" vulnerabilities since its launch than Chrome and Firefox, explaining that all the security improvements that the company has been making are paying off.

Windows Defender Application Guard for Windows 10 1803 lets you run Edge in a protected virtualized environment, protecting your PC from malicious code. Even if a malicious website exploited a flaw in Edge, it could not compromise your PC. Note: Application Guard is disabled by default in Windows 10.



Welcome to Windows Defender Application Guard

Starting with the Windows 10 Version 1803 (April 2018 Update), anyone using Windows 10 Professional can now enable Application Guard. Previously, this feature was only available in Windows 10 Enterprise. If you have Windows 10 Home and want Application Guard, you will need to upgrade to Windows 10 Pro.

Note: For this to work, your computer will need to support "Hyper-V". Most modern computers will support it, but not all processors have the required SLAT virtualization technology. Please note you cannot use WDAG on the Home version of Windows 10. Microsoft also lists other system requirements, including a 64-bit CPU with at least 4 cores, 8 GB of RAM, and 5 GB of free space.

Update: Microsoft has released a Windows Defender Browser Protection extension (add-on) for Google Chrome, allowing an additional layer of protection when browsing online. It is powered by the same trusted intelligence found in the Microsoft Edge browser. The new Chrome extension is available as a free download from the Chrome Web Store. It also comes with a real-time indicator to notify users about potentially unsecured sites.

Windows Defender Browser Protection extension (add-on) for Google Chrome

Can My Windows 10 Computer Run Hyper-V?


First, you need an AMD or Intel 64-bit processor that supports Second Level Address Translation (SLAT). SLAT virtualization hardware is included in most modern Intel Core i3, i5 and i7 CPUs. SLAT virtualization is also included in AMD’s Barcelona processor line. Even if your CPU supports virtualization (XP Mode in Windows 7 for example), it might not have SLAT hardware virtualization technology. If you have an Intel Core 2 CPU in your system for example, it does not support the SLAT feature so you will not be able to add the Hyper-V feature.

Test System CPU for SLAT Using CoreInfo


There are a couple of free utilities that will test your CPU for SLAT capability. Created by Microsoft wiz Mark Russinovich, CoreInfo is a command line utility that will work on both AMD and Intel systems.

Intel Processor Identification Utility


Another option for users who have an Intel Processor is a free tool from Intel called the Intel Processor Identification Utility. Just like Coreinfo above, it will tell you if your CPU supports SLAT or not.

The utility will run and check out your system. Click the CPU Technologies tab at the top. If your processor supports SLAT it will display Yes next to Intel VT-x with Extended Page Tables.

Intel Processor Identification Utility

Microsoft Edge Application Guard


To turn it on hit the Windows Key and type: features and choose the Turn Windows features on or off option from the search results.

Windows 10: Turn Windows features on or off

The Windows Features window will open. Scroll down, check the Windows Defender Application Guard option and click OK. You will then need to restart your system for the change to complete.

Enable the Windows Defender Application Guard option

Notes: If you don’t see the option in this list, you’re either using a Home version of Windows 10 or you have not upgraded to the Windows 10 April 2018 Update yet.

Windows will apply the change and ask you to restart the system. Click on the “Restart Now” button to continue.

Edge application guard click on restart now
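The requirement checks and the Windows Features steps described above can also be done from an elevated PowerShell prompt. The script below is an added example, not part of the original article; the function name `Test-WdagReadiness` and the `$Enable` switch are hypothetical, and the thresholds are the ones this article lists.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell.
# Thresholds are the ones listed in this article; builds 16299 and 17134 are
# Windows 10 versions 1709 and 1803.
$Enable = $false   # set to $true to turn the feature on when every check passes
function Test-WdagReadiness {
    $cpus  = @(Get-CimInstance Win32_Processor)
    $sys   = Get-CimInstance Win32_ComputerSystem
    $os    = Get-CimInstance Win32_OperatingSystem
    $disk  = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    $build = [int]$os.BuildNumber
    # Once a hypervisor is loaded, the CPU virtualization flags can read False,
    # so that case is reported as unknown instead of as a failure.
    $slat = if ($sys.HypervisorPresent) {
        'unknown (hypervisor already running)'
    } else {
        [bool]$cpus[0].SecondLevelAddressTranslationExtensions
    }

    [pscustomobject]@{
        Edition   = $os.Caption
        Build     = $build
        EditionOk = ($os.Caption -match 'Enterprise' -and $build -ge 16299) -or
                    ($os.Caption -match '\bPro\b' -and $build -ge 17134)
        Cpu64Bit  = $cpus[0].DataWidth -eq 64
        CoresOk   = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum -ge 4
        Slat      = $slat
        # An "8 GB" machine reports slightly less than 8 GB, so round first.
        RamOk     = [math]::Round($sys.TotalPhysicalMemory / 1GB) -ge 8
        DiskOk    = ($disk.FreeSpace / 1GB) -ge 5
    }
}

$r = Test-WdagReadiness
$r | Format-List
$ready = $r.EditionOk -and $r.Cpu64Bit -and $r.CoresOk -and $r.RamOk -and
         $r.DiskOk -and ($r.Slat -ne $false)

$name    = 'Windows-Defender-ApplicationGuard'
$feature = try { Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction Stop } catch { $null }
if (-not $feature) {
    'Feature not offered on this edition or build.'
} elseif ($feature.State -eq 'Enabled') {
    'Application Guard is already enabled.'
} elseif ($ready -and $Enable) {
    Enable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart
    'Enabled. Restart the PC to complete the change.'
} else {
    "Feature state: $($feature.State); all requirements met: $ready"
}
```

`Disable-WindowsOptionalFeature` with the same feature name reverses the change, which corresponds to unchecking the box in Windows Features.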

After restarting, launch the Edge browser. To use Edge with Windows Defender Application Guard, open the Settings menu (three horizontal dots) appearing on the top-right corner and select the option “New Application Guard window.”

Edge New Application Guard window.

That opens a new instance of Microsoft Edge with Application Guard enabled. You know it’s running because the first tab and outline of Edge will display in red. Also, you will see a small security shield icon displayed on the Edge icon on the taskbar for each instance of Edge that’s using WDAG.

Notes: WDAG performance can be somewhat slow, however that will soon improve.

Browsing in Application Guard mode for MS Edge

Note that Edge is now running in a separate environment so favorites, browsing history, and other settings will not be synced up. This feature can come in handy when you need to browse to untrusted sites and want the extra protection. Your session is using a separate Hyper-V virtualized container and is separate from the rest of your Windows 10 system. If a site were to attempt to deliver malware, your computer and its data will be protected.

The Application Guard window also has a separate taskbar icon from the normal Microsoft Edge browser icon. It features a blue Edge “e” logo with a gray shield icon over it.

Because of the restrictions placed by the Application Guard on the Edge browser, all the extensions will be disabled in the new instance. You will also lose access to features like page pinning, developer tools, casting, read aloud, etc. The normal Edge browser will not be affected, though. That being said, you can still perform basic actions like copy and paste, printing, etc.

If you want to disable Edge Application Guard, open Windows Features just as in the first step, uncheck the checkbox next to “Windows Defender Application Guard” and save the changes.

When you download and open some types of files, Edge may launch document viewers or other types of applications in Application Guard mode. If an application is running in Application Guard mode, you’ll see the same gray shield icon over its taskbar icon.

Edge Application Guard Mode - Grey Shield

In Application Guard mode, you cannot use Edge’s Favorites or Reading list features. Any browser history you create will also be deleted when you sign out of your PC. All cookies from the current session will be cleared when you sign out of your PC, too. This means you’ll have to sign back into your websites every time you start using Application Guard mode.

Downloads are also limited. The isolated Edge browser cannot access your normal file system, so you cannot download files to your system or upload files from your normal folders to websites in Application Guard mode. You cannot download and open most types of files in Application Guard mode, including .exe files, although you can view PDFs and other types of documents. Files you download are stored in a special Application Guard file system, and are erased after you sign out of your PC.

Other features, including copy and paste and printing, are also disabled for Application Guard windows.

Microsoft added some options to remove these limitations, if you like, but these are the default settings.

Edge Application Guard Mode default settings

Is browsing with Chrome safer than browsing with Edge WDAG?


As you might expect, that’s not an easily answered question. Basically, Chrome has existed for years, and has built up its defenses over time—including a new site isolation capability that helps better isolate one tab from another. The new Edge WDAG has not yet built up that same history of comprehensive third-party testing.

Conclusion


Windows Defender Application Guard provides fairly reliable protection when it comes to protecting a Windows 10 machine from Internet threats. It may well be worthwhile to install and use the protection on computers. Microsoft has released a Windows Defender Browser Protection extension (add-on) for Google Chrome. The new Chrome extension is available as a free download from the Chrome Web Store.

WDAG creates a temporary instance of both Windows and Edge - a small version of the OS and the browser - in a virtualization environment built with Windows' hypervisor. Every line from the temporary environment, the virtual machine, to the real system is closed, so that there is little interaction between the web session and the machine.