zlacker

>>ploggi+(OP)
I'm very excited that Microsoft is moving in the same direction. The feature Windows Defender Application Guard (WDAG) runs Windows applications, right now only the Edge browser, in a virtualization isolated container[1]. Under the hood it's using what Microsoft calls "Hyper-V Containers", which are lightweight virtual machines that share some host resources such as a read-only filesystem. The closest open source analogues to that are Intel(R) Clear Containers[2] and Qubes.

The closest you can get to Qubes on Windows would be to follow Microsoft's Privileged Access Workstation (PAW) guide, but it requires a lot of additional infrastructure[3]. That infrastructure allows you to do remote attestation of the virtual machines, but makes it costly to deploy in a SMB or homelab environment.

I don't expect it'll be very long before PAW and WDAG are usable at the same time, with colored window borders indicating the origin virtual machine. I hope this is on Microsoft's roadmap.

Video on privileged access workstation use, starting at a demo: https://youtu.be/3v8yQz2GWZw?t=41m48s

Video on privileged access workstation setup: https://www.youtube.com/watch?v=aPhfRTLXk_k

[1] https://docs.microsoft.com/en-us/windows/threat-protection/w...

[2] https://clearlinux.org/features/intel®-clear-containers

[3] https://docs.microsoft.com/en-us/windows-server/identity/sec...

>>AaronF+Gd
I'm only half-excited about this because I worry Microsoft has no intention to do either one of these:

1) Support anything other than Edge/its own apps

2) Allow the feature to be accessed by users of all Windows editions

I understand for now it's still experimental and whatnot, but I'm not getting my hopes up.