Microsoft locks down Edge with virtualization in Win10 Enterprise

Virtualization is everywhere these days, and your browser might soon be wrapped in it as well. Microsoft has announced that the "next major update" of Windows 10 Enterprise will offer a virtualization option for Microsoft Edge in a bid to thwart most types of web-based attacks.

The new technology is called "Application Guard" and it's part of Microsoft's Secure Productive Enterprise suite. Application Guard builds on Windows 10's Virtualization Based Security, which uses the Hyper-V hypervisor to isolate components from the underlying operating system. According to the company, Windows Defender Application Guard for Microsoft Edge (for that's its full name) "isolates the browser and employee activity using a hardware-based container." System administrators will be able to have their machines run Edge transparently inside a lightweight VM, deployed and configured by group policy.

Application Guard comes with a few catches, though. According to Ars Technica's Peter Bright, the technology requires VT-d support (Intel's IOMMU, which remaps and restricts device DMA) on the client CPU for I/O virtualization. While most recent CPUs support VT-d, that may not be the case with older machines in the field. There are also some software compatibility niggles: since the client machine will be running the Hyper-V hypervisor, other virtualization software like VMware Workstation or VirtualBox won't be able to run at the same time as Application Guard.

Application Guard will only be available with Microsoft Edge for now. Microsoft says that Windows Insiders can get a taste of the new, improved flavor of Edge "in the coming months," and it expects to roll out the feature sometime next year.
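The article describes two things an administrator has to get right: the hardware prerequisites (hardware virtualization, SLAT and an IOMMU such as VT-d, with the side effect that Hyper-V displaces third-party hypervisors) and the Group Policy deployment. The following PowerShell is an added example, not code from Microsoft or from the article: it runs a preflight check for those prerequisites and then performs the equivalent of the policy-based enablement. The optional feature name Windows-Defender-ApplicationGuard, the registry key HKLM\SOFTWARE\Policies\Microsoft\AppHVSI with the value AllowAppHVSI_ProviderSet (1 = Edge), and the Win32_DeviceGuard property encodings are assumptions taken from Microsoft's documentation, not from this page. Run it in an elevated PowerShell session on Windows 10 Enterprise.

```powershell
# Added example (not Microsoft's code and not from the article): preflight check
# for Application Guard prerequisites, then the registry equivalent of the
# "Turn on Windows Defender Application Guard" group policy.
# Assumed names (from Microsoft documentation, not this page):
#   optional feature  Windows-Defender-ApplicationGuard
#   policy key        HKLM\SOFTWARE\Policies\Microsoft\AppHVSI\AllowAppHVSI_ProviderSet
#   Win32_DeviceGuard.AvailableSecurityProperties code 3 = DMA protection (IOMMU)

function Test-ApplicationGuardPrereqs {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $ci = Get-ComputerInfo -Property HyperVRequirement*

    # AvailableSecurityProperties codes: 1 = base virtualization support,
    # 2 = Secure Boot, 3 = DMA protection, i.e. a usable IOMMU (Intel VT-d / AMD-Vi).
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running.
    # Get-ComputerInfo's HyperVRequirement* fields are empty once a hypervisor is
    # already running, so a present hypervisor is treated as satisfying them.
    $hvPresent = [bool]$cs.HypervisorPresent
    [pscustomobject]@{
        HardwareVirtualization = $hvPresent -or [bool]$ci.HyperVRequirementVirtualizationFirmwareEnabled
        SLAT                   = $hvPresent -or [bool]$ci.HyperVRequirementSecondLevelAddressTranslation
        IOMMU                  = [bool]($dg.AvailableSecurityProperties -contains 3)
        HypervisorPresent      = $hvPresent
        VBSRunning             = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    }
}

function Enable-ApplicationGuardForEdge {
    $p = Test-ApplicationGuardPrereqs
    $missing = @()
    if (-not $p.HardwareVirtualization) { $missing += 'VT-x/AMD-V not enabled in firmware' }
    if (-not $p.SLAT)                   { $missing += 'no SLAT (EPT/RVI)' }
    if (-not $p.IOMMU)                  { $missing += 'no IOMMU (VT-d/AMD-Vi) reported by the firmware' }
    if ($missing) {
        throw "Application Guard prerequisites not met: $($missing -join '; ')"
    }
    if (-not $p.HypervisorPresent) {
        Write-Warning 'This enables the Hyper-V hypervisor; VMware Workstation and VirtualBox VMs will no longer run on this machine.'
    }

    # Install the Application Guard optional component (brings in Hyper-V).
    Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart | Out-Null

    # Registry equivalent of the group policy: AllowAppHVSI_ProviderSet = 1 enables it for Edge.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'AllowAppHVSI_ProviderSet' -PropertyType DWord -Value 1 -Force | Out-Null

    Write-Output 'Application Guard enabled for Microsoft Edge; a reboot is required.'
}

# Usage: inspect the prerequisites first, then enable.
Test-ApplicationGuardPrereqs | Format-List
# Enable-ApplicationGuardForEdge
```

The preflight result is what to look at on older fleet machines: an unlocked "K" desktop part that lacks VT-d shows IOMMU = False and the enable step refuses to proceed rather than installing a component that will never start. Application Guard additionally relies on the separate Network Isolation policy (the list of trusted enterprise sites that open in the host rather than the container); that policy is not shown here.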

Comments closed
    • Krogoth
    • 3 years ago

    This move is just another attempt to get SMB and enterprise types to upgrade from 2008 R2/7 ecology to 2016/10.

    • Pax-UX
    • 3 years ago

    To be honest this is how it should be. Linux kind of has this if you want to use it. And it’s a quick and dirty way to lock down parts of the system in an otherwise very open platform. With browser insecurity and Ads being an attack vector this is a good move.

    I use Virtual Box a lot on my PC to keep things separated. It’s nice to be able to do this without having to load a full OS for each VM

    • Theolendras
    • 3 years ago

    That’s good news, security is ramping up quite a bit with that kind of move. Wonder if this might eventually translate to an Edge browser on other platforms, that might sound crazy, but Microsoft is doing all sorts of crazy stuff these days.

    • hansmuff
    • 3 years ago

    VT-d required, so no to 2600k and 2500k users. I hate that Intel did that.

      • chuckula
      • 3 years ago

      In all seriousness, how many 5 year old desktop K-series Sandy Bridge systems are running Windows 10 Enterprise edition? I think this is much less of a problem than it is being made out to be.

        • derFunkenstein
        • 3 years ago

        Yeah, my work-provided Sandy Bridge Latitude notebook is still running Win 7. :p

          • ludi
          • 3 years ago

          Note that the “K” series were multiplier-unlocked, desktop CPUs. All other Sandy Bridge products, desktop or mobile, generally support VT-d.

            • derFunkenstein
            • 3 years ago

            Ah, good point. I’d probably be covered.

            • Voldenuit
            • 3 years ago

            My Haswell 4670K supports VT-x, which accelerates virtual machines, but not VT-d, which allows for virtual machines to directly connect to peripherals such as Ethernet adapters, which is probably why it is required for Edge virtualization.

      • Krogoth
      • 3 years ago

      VT-d support is only axed on “K” series on normal desktop chips and some Pentium chips. It looks like Intel started enabling VT-d on “K” series chips with second-batch Haswell a.k.a. Devil's Canyon chips and newer.

      On the AMD side, the lower-end “APU” chips don’t have the equivalent (IOMMU).

      It is not really missed by the “K” series' primary demographic, since VT-d is still a prosumer/professional-tier feature.

    • GatoRat
    • 3 years ago

    Ten years ago I worked on a project to do this with IE. It mostly worked, but had automated configuration problems in the embedded space we were in. In the end, we just super locked down IE (and got the equivalent of a liability waiver from clients).

    (Edit: Just remembered, due to above link, that we tested Sandboxie and liked it, but at the time couldn’t get an acceptable distribution agreement.)

    • chuckula
    • 3 years ago

    Full bore virtualization seems to be overkill for this sort of thing.
    Is there a good containerization system for Windows that could do the job here?

    [Edit: the quote from Microsoft about the “hardware-based container” adds further confusion, but given the hardware requirements and the involvement of Hyper-V this definitely appears to be virtualization and not containerization.]

      • Ryu Connor
      • 3 years ago

      It’s virtualization. The host kernel is protected.

      https://techreport.com/forums/viewtopic.php?f=6&t=118598&view=unread#p1324579

        • dyrdak
        • 3 years ago

        The host kernel is protected. Sure, but the user’s session is not protected from the prying eyes of MS. It’s living on the Edge after all.

      • meerkt
      • 3 years ago

      Sandboxie?
      http://www.sandboxie.com/

        • GatoRat
        • 3 years ago

        Sandboxie works on the same principle; this is more complete.

      • cygnus1
      • 3 years ago

      Containerization is not fit for this purpose; it still exposes the same kernel to all containers, whereas virtualization does not.

        • chuckula
        • 3 years ago

        I suppose if kernel-level exploits via web browser are a serious concern then virtualization adds more protection.

        Then again, if kernel-level exploits exist via the web browser, there are likely a bunch of other ways to exploit them too.

          • cygnus1
          • 3 years ago

          If the web browser sandbox can be broken inside a container, they’re then free to try any kernel exploits for privilege escalation or to move sideways into other containers. Containers just don’t really offer much additional security. As they currently function they are more intended to give the containerized application a clean operating environment and easier distribution/packaging not to protect the parent OS from the application.

          Virtualization layers are much harder to break through, in part because of the hardware features that are used to implement the functionality.

      • The Dark One
      • 3 years ago

      Server 2016 has a couple of different forms of containerization built in, including one that leverages Hyper-V!
