Windows 10 Pro users can use an enterprise-class version of the Edge browser, called Windows Device Application Guard, for secure surfing. Here’s how to use it.
WDAG was originally developed for Windows 10 Enterprise, protecting companies with billions of dollars at stake. Now that same protection has migrated to Windows 10 Pro—sorry, Windows 10 Home users—as an optional feature that you can turn on within Windows, for free. It debuted on Windows 10 Pro as part of the Windows 10 April 2018 Update, and will receive some new features as part of the October 2018 update, too.
You may have heard that Google Chrome works by “sandboxing” your browser, isolating the browser renderer and protecting Windows, other PCs on the network, and other devices from malware. WDAG takes sandboxing a bit further, using your PC’s capability for virtualization to protect against malware escaping from the browser. Essentially, Windows is creating a small “virtual” OS and browser for every untrusted browser session (and not every tab), and isolating it from the rest of your PC. Even if malware manages to crash the browser, the idea is that the rest of your PC will remain untouched.
Is browsing with Chrome safer than browsing in an Edge WDAG tab? As you might expect, that’s not an easily answered question. While security experts seem to think highly of WDAG’s sandbox implementation, WDAG does come with some limitations, which we’ll discuss further.
Microsoft Edge (apparently without WDAG enabled) was hacked several times in the Pwn2Own 2017 hacking competition, while Chrome remained untouched. Edge was also hacked in the March 2018 competition. But the bottom line seems to be that Chrome has existed for years, and has built up its defenses over time—including a new site isolation capability that helps better isolate one tab from another. Edge WDAG doesn’t yet seem to have built up that same history of comprehensive third-party testing — though it doesn’t necessarily mean that it’s any less safe.
Right now, it’s safe to say that browsing with Chrome and a coterie of security plugins is more convenient, though.
Normally, when we review the semi-annual feature updates for Windows 10, we include a “best hidden features” companion article—a sort of junior-varsity list of features that hide deep within the OS. WDAG was significant enough to make our review, but it certainly qualifies as hidden. In the October Update, though, it will emerge from the shadows.
WDAG requires two elements to work: Windows 10 Pro (updated to the April 2018 Update or beyond) as well as a 64-bit, Hyper-V capable processor. Generally speaking, most sixth-, seventh- and eighth-generation Intel Core chips will include this capability, and many AMD64 chips will as well. Don’t worry too much about researching this information, however—if your PC supports both of these, WDAG will be enabled.
Here’s where you can find the controls to enable the Edge WDAG feature.
It takes a bit of hunting, but WDAG is in the Oct. 2018 update to Windows 10, too. Note that you’ll have to restart your machine to enable it.
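The requirements and the feature toggle described above can also be checked from an elevated PowerShell prompt. The script below is an added example, not part of the original article: the function name `Test-WdagReadiness` is hypothetical, and the build number 17134 (the April 2018 Update) and the optional-feature name `Windows-Defender-ApplicationGuard` are assumptions that do not appear on the page.

```powershell
# Added example: read-only readiness check for Application Guard. Run elevated.
$FeatureName = 'Windows-Defender-ApplicationGuard'  # Windows optional-feature name (assumption, not from the article)
$MinBuild    = 17134                                # April 2018 Update, version 1803 (assumption, not from the article)

function Test-WdagReadiness {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # When a hypervisor is already running, the per-CPU virtualization flags
    # read False, so a present hypervisor counts as proof of capability.
    $virtOk = $cs.HypervisorPresent -or (
        $cpu.VirtualizationFirmwareEnabled -and
        $cpu.SecondLevelAddressTranslationExtensions -and
        $cpu.VMMonitorModeExtensions)

    # Querying the feature needs an elevated session; editions that do not
    # offer it (for example Home) end up as 'Unavailable' or an empty state.
    try {
        $state = (Get-WindowsOptionalFeature -Online -FeatureName $FeatureName -ErrorAction Stop).State
    } catch {
        $state = 'Unavailable'
    }

    [pscustomobject]@{
        Edition          = $os.Caption
        EditionSupported = $os.Caption -match 'Pro|Enterprise'
        Build            = [int]$os.BuildNumber
        BuildSupported   = [int]$os.BuildNumber -ge $MinBuild
        Is64Bit          = [Environment]::Is64BitOperatingSystem
        VirtualizationOk = [bool]$virtOk
        FeatureState     = "$state"
    }
}

$r = Test-WdagReadiness
$r | Format-List
if ($r.EditionSupported -and $r.BuildSupported -and $r.Is64Bit -and $r.VirtualizationOk) {
    if ($r.FeatureState -ne 'Enabled') {
        'Prerequisites met. To turn the feature on (restart required):'
        "  Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName"
    }
} else {
    'One or more prerequisites are missing; see the False values above.'
}
```

The script only reads system state; the enable command is printed rather than executed, so nothing changes until you run it yourself and restart.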
If you’re in the Oct. 2018 Update, you’ll also be able to choose between some Settings options that will add some convenient functionality that is turned off in the earlier version, like the ability to print. Enable them if you feel like it.
Take a minute and configure WDAG with some added conveniences, if you choose.
Expect to see this when you first spin up Edge WDAG.
Application Guard requires some initialization time as the virtual machine spins up. (It took a minute or so on a Surface Pro 4 as well as a Surface Book 2, so it might be somewhat dependent on whether your laptop includes an SSD.) Fortunately, Edge WDAG doesn’t require that same setup time if you open subsequent WDAG tabs, and launching another session is much quicker, too.
Once the WDAG window is opened, the bright-red Application Guard label in the upper left corner distinguishes it from other Edge windows. (It’s black on Oct. 2018 Update builds.) On the taskbar, a small shield icon overlays the task icon, indicating that a WDAG window is in use. Note that you can also open an InPrivate private-browsing window within a WDAG environment, for an additional layer of privacy.
Right now, WDAG is built for security, not speed or (to be honest) even convenience. The Settings menu doesn’t allow much flexibility, with most options grayed out. (Edge itself doesn’t seem to offer any dedicated WDAG controls, either.) Here’s a list of WDAG limitations in the April 2018 Update edition of WDAG, as of press time:
Note that the October 2018 Update allows you to download files, and print, and cut and paste URLs in and out of WDAG, if you enable them via the Settings, above.
Also, if WDAG is enabled in Windows 10 Enterprise, system admins can set a persistence policy, which allows you to navigate to a site within WDAG and add it manually to the Favorites menu. It will then persist until the next session. That capability doesn’t appear in the Windows 10 Pro version. And even though you can “download” something, it doesn’t mean you can actually use it; WDAG’s protected Downloads folder doesn’t seem to be user-accessible. (It is in the Enterprise version, Microsoft points out.)
The Settings menu within Edge WDAG is essentially useless, with almost all of the options grayed out and unusable.
Your WDAG browser history, though, is preserved until you sign out of your PC. Naturally, you can clear your history from within Edge, or use InPrivate for even more covert browsing.
Still, WDAG performance can be somewhat slow. WDAG is built for one thing: browsing the Web and keeping you secure, and that works best in a text-based environment. If you want to surf a site and download something you probably shouldn’t, though, that probably won’t work either.
A pop-up scam will launch a browser popup with an apocalyptic message, claiming, for example, that your PC will remain infected until you call the number listed in the message. They’re sometimes accompanied by a klaxon, a siren, or an automated voice warning that leaving the website will disable your PC. In my case, one pop-up refused to yield when I tried to close the browser or the taskbar, and I was forced to reboot my machine. That’s the kind of headache a good ad-blocker or script-blocker can help avoid. Edge WDAG doesn’t support these, yet.
So if Edge WDAG is a browser that doesn’t let me download anything, or save Favorites, or protect against the kind of pop-up takeovers that cause relatives to call you in a panic, what good is it?
Right now, WDAG isn’t an ideal solution.