Microsoft’s Windows Defender Application Guard extensions will offer hardware-based isolation to all Chrome and Firefox users on Windows 10.
Originally built so that Microsoft Edge could contain browser-based attacks in a hardware-isolated container, the technology is now available to the other browsers as well.
“We introduced the container technology in 2017,” said Rona Song of the Windows platform security team in a post. “Since then, we have been evolving the technology and engaging with customers to understand how hardware-based isolation can best help solve their security concerns. We know that many of our customers depend on multi-browser environments to allow enterprise apps to meet various compatibility requirements and enable productivity. And while modern browsers are continuously working to mitigate vulnerabilities, there are still exposures across these complex engines that can lead to irreversible and costly damages.”
The extensions rely on a native companion application that handles the communication between the browser and the device’s Application Guard settings.
“When users navigate to a site, the extension checks the URL against a list of enterprise sites defined by enterprise administrators. If the site is determined to be untrusted, the user is redirected to an isolated Microsoft Edge session,” Song said. “In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as enterprise-trusted by their organization without any risk to the rest of system. With our upcoming dynamic switching capability, if the user tries to go to an enterprise site while in an isolated Microsoft Edge session, the user is taken back to the default browser.”
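The routing decision Song describes (check the URL's host against the admin-defined enterprise list, send untrusted sites to the isolated session, and with dynamic switching bring enterprise sites back to the host browser) can be modelled in a few lines. The following is an added example written for this article, not Microsoft's extension or companion-app code. The function names, the constructed `ENTERPRISE_SITES` list and its matching convention (a leading dot means "this host and all its subdomains") are assumptions of the example; the real policy format is not described in the article. The point it makes for defenders is that the decision must be taken on the parsed hostname of the URL, never on a substring match over the whole URL string.

```javascript
// Added example (not Microsoft's code): model of the trust decision an
// Application Guard-style extension makes before a navigation completes.
// The enterprise list format is an assumption: a plain hostname matches
// exactly; a leading dot matches that host and every subdomain beneath it.
const ENTERPRISE_SITES = [            // constructed sample policy
  "intranet.example.com",
  ".corp.example.com",
];

// Extract the lowercase hostname with a real URL parser. Only web schemes are
// routable here; anything else (file:, javascript:, malformed input) is
// reported as unsupported rather than guessed at.
function parseHost(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  return u.hostname.toLowerCase();   // userinfo, port, path and query are dropped
}

// True when the hostname is covered by an entry in the enterprise list.
// Matching on the hostname (not the raw URL) means lookalikes such as
// "intranet.example.com.attacker.test" and query strings that merely contain
// an enterprise name do not count as trusted.
function isEnterpriseHost(hostname, list) {
  for (const raw of list) {
    const entry = raw.toLowerCase();
    if (entry.startsWith(".")) {
      const bare = entry.slice(1);
      if (hostname === bare || hostname.endsWith(entry)) return true;
    } else if (hostname === entry) {
      return true;
    }
  }
  return false;
}

// Decide where a navigation should run. `inIsolatedSession` is true when the
// request originates from the isolated Microsoft Edge container, which is
// where the dynamic-switching rule from the article applies.
function routeNavigation(urlString, inIsolatedSession, list = ENTERPRISE_SITES) {
  const host = parseHost(urlString);
  if (host === null) return "unsupported";
  const trusted = isEnterpriseHost(host, list);
  if (trusted) {
    return inIsolatedSession ? "switch-to-host-browser" : "stay-in-host-browser";
  }
  return inIsolatedSession ? "stay-in-isolated-edge" : "switch-to-isolated-edge";
}

// Walk a few constructed navigations through the policy.
const SAMPLE_NAVIGATIONS = [
  ["https://intranet.example.com/home", false],
  ["https://wiki.corp.example.com/", true],
  ["https://news.example.net/", false],
  ["https://intranet.example.com.attacker.test/", false],
  ["https://attacker.test/login?next=intranet.example.com", false],
  ["file:///C:/Users/", false],
];
for (const [url, isolated] of SAMPLE_NAVIGATIONS) {
  console.log(`${isolated ? "[isolated]" : "[host]    "} ${url} -> ${routeNavigation(url, isolated)}`);
}

module.exports = { ENTERPRISE_SITES, parseHost, isEnterpriseHost, routeNavigation };
```

Running the block prints one routing decision per sample navigation; the two lookalike cases land in the isolated session because neither parses to an enterprise hostname, and the `file:` URL is reported as unsupported rather than silently trusted.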
To configure the Application Guard extension under managed mode, admins should ensure the devices meet the necessary requirements, then turn on Windows Defender Application Guard, define network isolation settings, install the companion application from the Microsoft Store and the browser extensions, and then restart the device.