Forum Discussion

Deleted's avatar
Deleted
May 22, 2019

Activate WDAG in Insider Edge

For those who want to try Application Guard in Edge Canary: You must on the May 2019 update in Windows 10(Version 1903) Make sure you have Virtualization turned on in BIOS Make sure WDAG is turne...
HotCakeX's avatar
HotCakeX
MVP
Aug 14, 2019

stesch79 

It's not possible.
the idea behind it is to create a pure environment without any 3rd parties because Microsoft can only guarantee the safety of their own products, not some rouge extension developer who might abuse their Google extension store rights and terms. and it happens VERY often.

 

custom cursor for chrome is just one example to show what happens when someone tries to install extensions in WDAG.

 

 

stesch79's avatar
stesch79
Iron Contributor
Aug 15, 2019

HotCakeX Thanks. This makes totally sense for 99% of the users. But in our environment only 1 extension is allowed that need to be activated when connecting to the internet. So without that extension, no Internet connection is possible and therefore WDAG make no sense.

 

So, we need to recap this solution.

  • stesch79's avatar
    stesch79
    Iron Contributor
    Oct 02, 2019

    David Rubino  Coming back to this questions as the https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard of WDAG still says "Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this."

     

    We need this possibility. Pleeeeeease :cry:

  • David Rubino's avatar
    David Rubino
    Former Employee
    Aug 19, 2019

    stesch79 Sorry about the delay . . . I've referred your question to the experts inside the team and hope to have their perspective soon. 

     

    -David 

  • HotCakeX's avatar
    HotCakeX
    MVP
    Aug 15, 2019
    Some malware inside clients' systems that wanted to connect to Internet?
  • stesch79's avatar
    stesch79
    Iron Contributor
    Aug 15, 2019

    HotCakeXYou may lough, but this little nice feature has already prevented us from some malware that wanted to connect to internet. For sure I understand that it's not the intention having extensions enabled in WDAG.

  • HotCakeX's avatar
    HotCakeX
    MVP
    Aug 15, 2019
    That's very easy to circumvent to be honest, seriously what was that person thinking when he decided that lol. Firefox even has built in option to add a custom user agent string.
    Anyway, if your situation is like this then you should use the normal Edge insider instead, not the WDAG. the same person who decided that custom user string thingy should be able to SECURE the computers of the clients (you) without the need for WDAG.
    Microsoft has proper tools and software for each scenario but if some system admin decides to deploy their own version of things then it's their fault.
    if Microsoft allowed extensions and similar things to be allowed in WDAG environment then it would be a big vulnerability for Everyone.
  • stesch79's avatar
    stesch79
    Iron Contributor
    Aug 15, 2019

    It's just adding a string to the Edge user agent string which is read by the proxy server. And the extension (extension management) is only enabled, if certain security measures are as they should be. So we can make sure that no one is connecting to the internet that uses an unsecure computer. At least it helps to make sure, as this is not the only monitoring we have in place.

     

  • HotCakeX's avatar
    HotCakeX
    MVP
    Aug 15, 2019
    Well that's interesting. may i know what that extension exactly does? is it something like a VPN?