Microsoft's Edge browser stays secure by acting as a virtual PC

"Application Guard" isolates Edge from the rest of Windows 10 in its own virtual machine.

Microsoft has unveiled Windows Defender Application Guard for Microsoft Edge, a new system that isolates the browser on Windows 10 Enterprise PCs so that a compromise of Edge is much harder to turn into a compromise of the machine. In a blog, the company wrote that it's "the first operating system to ship this type of technology alongside a browser." Using the Virtualization Based Security (VBS) recently introduced for Windows 10, Edge runs inside a small, dedicated virtual "PC" of its own, keeping it separate from the host's local storage, other apps and, most importantly, the Windows 10 kernel.

Microsoft says that while other browsers are "sandboxed" away from security-sensitive PC areas, they "still provide a pathway for malware and vulnerability exploits." A process sandbox still shares the host kernel with everything else, so a kernel bug reachable from the sandbox is enough to break out. By contrast, Application Guard uses a hardware-backed (Hyper-V based) container to isolate Edge from the rest of the PC: the trust boundary becomes the hypervisor, so an attacker who has exploited the browser would additionally need a hypervisor escape, not just a sandbox escape, to reach the host.

The system is only available on Windows 10 Enterprise for now, and it is policy-driven: administrators define the list of trusted sites that open in the normal host browser, and everything not on that list opens inside Application Guard. When it's enabled, malware can't penetrate the protective VM "box" around Edge to access the rest of the system. "Even if an untrusted site successfully loads malware, the malware is unable to reach beyond the isolated container to steal data or permanently compromise devices or the network," Microsoft wrote.

Running Edge in a virtual machine will slow it down a bit, but Microsoft says the container uses the minimum resources necessary to keep it light. The other hassle is that an Application Guard session won't keep your cookies, downloads or other data, because closing the browser discards the container along with everything it held. Those limitations mean that, for now, the VM-protected Edge isn't quite ready for non-enterprise users. However, in an age of constant hacking, a browser that keeps untrusted content away from your system seems like an idea whose time has come.
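The enterprise rollout described above (turning the feature on, naming the trusted sites that stay outside the container, and deciding whether session data persists) comes down to an optional Windows feature plus a few policy values. The script below is an added example, not code from the article or from Microsoft; the feature name and the registry-backed policy values it sets (AppHVSI and NetworkIsolation) are assumptions drawn from the Application Guard Group Policy settings, and the hostnames are hypothetical. Run it from an elevated PowerShell prompt on Windows 10 Enterprise.

```powershell
# Added example (not from the article): enable Windows Defender Application Guard for Edge
# and define which sites are trusted enough to open outside the container.
# Feature name and policy value names below are assumptions based on the WDAG policy set.

# 1. Enable the optional feature. A reboot is required before the container can start.
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart

# 2. Turn Application Guard on in managed (enterprise) mode for Edge.
$appHvsi = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
New-Item -Path $appHvsi -Force | Out-Null
Set-ItemProperty -Path $appHvsi -Name 'AllowAppHVSI_ProviderSet' -Type DWord -Value 1
# Leave persistence off (0): the container, and every cookie or download in it,
# is discarded when the browser closes. Setting 1 would keep data across sessions
# and weaken the "nothing survives the session" property the article describes.
Set-ItemProperty -Path $appHvsi -Name 'AllowPersistence' -Type DWord -Value 0

# 3. Trusted sites open in the host browser; anything not listed opens in the container.
#    Hostnames are hypothetical; entries are pipe-separated.
$netIso = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
New-Item -Path $netIso -Force | Out-Null
Set-ItemProperty -Path $netIso -Name 'EnterpriseCloudResources' -Type String `
    -Value 'intranet.example.com|sharepoint.example.com'
# Neutral sites (e.g. an identity provider reached from both trusted and untrusted pages)
Set-ItemProperty -Path $netIso -Name 'NeutralResources' -Type String -Value 'login.example.com'

# 4. Verify what is actually in effect before rebooting.
Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard |
    Select-Object FeatureName, State
Get-ItemProperty -Path $appHvsi | Select-Object AllowAppHVSI_ProviderSet, AllowPersistence
Get-ItemProperty -Path $netIso | Select-Object EnterpriseCloudResources, NeutralResources
```

The practical check is the last block: if the feature reports a state other than Enabled, or the trusted-site list is empty, every site will either be blocked from the container or, worse, the policy will be silently ignored and Edge will run on the host as before. Keep the trusted list short; every host on it is a site whose compromise lands in the host browser rather than in the disposable VM.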