‘InPrivate Desktop’ Coming to Windows 10 Enterprise
Earlier this month, BleepingComputer.com ran a report on a new security feature in Windows 10 that was exposed during a bug-bash quest in the Feedback Hub. The new feature is installed as an app from the Microsoft Store. But according to Lawrence Abrams, the app wasn’t available in the Store despite the instructions found in the Feedback Hub.
The text of the quest read: “Microsoft is Developing a Sandboxed “InPrivate Desktop” for Windows 10 Enterprise. InPrivate Desktop (Preview) provides admins a way to launch a throwaway sandbox for secure, one-time execution of untrusted software. This is basically an in-box, speedy VM that is recycled when you close the app!”
The prerequisites were listed as follows:
- Windows 10 Enterprise
- Builds 17718+
- Branch: Any
- Hypervisor capabilities enabled in BIOS
- At least 4GB of RAM
- At least 5GB free disk space
- At least 2 CPU cores
I tried to access a link provided in the text, referring to feature limitations, but it requires a Microsoft account associated with the Microsoft tenant. I suspect that this feature was only available for internal testing at the time of the bug bash.
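A way to check a machine against the prerequisites quoted above, as an added example that is not part of the original article or of Microsoft's tooling. The function name `Test-InPrivateDesktopPrereq`, its parameter and its output shape are assumptions; the thresholds are the ones in the list.

```powershell
# Added example: compares the local machine with the prerequisites quoted from the quest.
# The function name, parameter and output shape are hypothetical.
function Test-InPrivateDesktopPrereq {
    [CmdletBinding()]
    param(
        # Drive whose free space is measured (assumption: the system drive).
        [string]$Drive = $env:SystemDrive
    )

    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpus = @(Get-CimInstance -ClassName Win32_Processor)
    $dimm = @(Get-CimInstance -ClassName Win32_PhysicalMemory)
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$Drive'"

    # Win32_Processor can report VirtualizationFirmwareEnabled = False once a
    # hypervisor is already running, so a present hypervisor also counts.
    $firmwareVirt = [bool]($cpus | Where-Object { $_.VirtualizationFirmwareEnabled })
    $virtOk       = $cs.HypervisorPresent -or $firmwareVirt

    # Installed capacity is summed per module; TotalPhysicalMemory excludes
    # reserved memory and reads slightly under 4 GB on a 4 GB machine.
    $ramBytes = ($dimm | Measure-Object -Property Capacity -Sum).Sum
    $cores    = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum

    $checks = [ordered]@{
        'Windows 10 Enterprise'           = $os.Caption -match 'Windows 10 Enterprise'
        'Build 17718 or later'            = [int]$os.BuildNumber -ge 17718
        'Hypervisor capabilities enabled' = $virtOk
        'At least 4 GB of RAM'            = $ramBytes -ge 4GB
        'At least 5 GB free disk space'   = $disk.FreeSpace -ge 5GB
        'At least 2 CPU cores'            = $cores -ge 2
    }

    # One object per requirement, so results can be filtered or exported.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Requirement = $name; Met = [bool]$checks[$name] }
    }
}

# Show only the requirements this machine does not meet.
Test-InPrivateDesktopPrereq | Where-Object { -not $_.Met }
```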
What is InPrivate Desktop for?
While Windows 10 Enterprise users have the right to run one Windows 10 virtual machine, someone needs to set up the VM and potentially maintain it. But InPrivate Desktop looks to provide a readymade environment that users can spin up with no configuration and easily start from scratch each time InPrivate Desktop is launched. I don’t have any new technical details to share, but I think that InPrivate Desktop works like Windows Defender Application Guard (WDAG) and is based on container technology.
WDAG provides Microsoft Edge users with a secure environment where the browser runs in a container that protects the underlying operating system if the browser session is exploited. WDAG was originally available only in the Enterprise SKU, but Microsoft recently made it available to Windows 10 Professional users as well. For more information on Windows Defender Application Guard, see “Protect Users Against Malicious Websites Using Windows 10 Application Guard” and “Revisiting Application Guard in the Windows 10 April 2018 Update” on Petri.
If InPrivate Desktop turns out to work like WDAG, it will be a useful addition to the OS for organizations that want to remove administrative rights from users. One of the biggest issues with removing rights is that users can no longer install software that requires administrator privileges. InPrivate Desktop would give organizations more scope to remove administrative rights but still allow users some freedom to test new software or experiment with settings that aren’t available to standard users.
Developers and system administrators might also find InPrivate Desktop useful when they need to spin up a test environment but don’t want to step through the Windows setup process. There’s no word yet, however, on if and when InPrivate Desktop will make it into Windows.
Follow Russell on Twitter @smithrussell.