Forum Discussion
Windows Defender Application Guard Standalone mode
Many businesses worldwide have come under increasing threat of targeted attacks, where attackers are crafting specialized attacks against a particular business, attempting to take control of corporate networks and data. For the most security-conscience businesses, we are introducing a new layer of defense-in-depth protection: Windows Defender Application Guard for Windows 10 Enterprise. Application Guard provides unprecedented protection against targeted threats using Microsoft's industry leading Hyper-V virtualization technology. In the upcoming release of Windows, https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge/ that allow users or organizations to launch Microsoft Edge in a Hyper-V virtualized isolated environment. Windows Insiders will be the first to try out these new experience as we roll them out. https://www.youtube.com/watch?v=1iH1fRakvQc is a recent RSA talk on Window Defender Application Guard if you'd like to understand this feature in some more detail. Below are some steps you can take to enable these cutting edge experiences on the latest Windows Insider Preview build.
How to setup and configure your system for Windows Defender Application Guard
Requirements:
- Windows 10 Enterprise SKU only, Build 16188+
- en-us only for the current builds; Full locale support will arrive soon
- PC must support Hyper-V (some older PCs may not support Hyper-V or have this feature disabled in BIOS)
- Windows Defender Application Guard is Off by default, it must be enabled manually or by policy
You can turn on Windows Defender Application Guard using the Turn Windows features on or off dialog. Select the checkbox as shown below for Windows Defender Application Guard.
Click OK and then restart your computer.
How to Use Windows Defender Application Guard
- Open Edge and click on the menu in the top right corner
- Click on "New Application Guard window" as shown below
Windows Defender Application Guard -
You will see the following splash screen after which a new instance of Edge will open with Windows Defender Application Guard enabled.
-
The new instance of Edge will open with Windows Defender Application Guard enabled
- We encourage Windows Insiders to use Windows Defender Application Guard with Microsoft Edge to browse the Web. Your feedback, suggestions, and telemetry will help us to improve this feature.
Feedback Hub link: windows-feedback:?contextid=713
FAQ
- Why don't I see my Favorites in the Application Guard Edge session?
To keep your Application Guard Edge session secure and isolated from the host PC, favorites from the Application Guard Edge session are not copied back to your host PC. Creating and persisting new Favorites within Application Guard Edge Session is coming in a future build. - Why do Cookies and Credentials seem to behave differently in the Application Guard Edge session?
Persisting of cookies and site credentials across Application Guard Edge sessions (i.e. host PC reboot or log-on) is coming in a future build. These artifacts will always be isolated from the host PC. - Can I copy and paste between the host PC and Application Guard Edge session?
Yes, the user can copy/paste Bitmap images/text to and from the Application Guard Edge session. - Why don't I see my Extensions in the Application Guard Edge session?
The current version of Edge in Application Guard will not support Extensions, we are closely monitoring user feedback on this topic. - Can I download documents from the Application Guard Edge session onto my host PC?While it is not possible currently to download files from the isolated Application Guard container to the host PC, you do have the option of using "Print as PDF" or "Print as XPS" and save those files to the host PC.
Known Issues
- In Build 16193 Windows Defender Application Guard will fail to work on touch PC's, showing a solid black window on launch. Non-touch enabled devices should not experience the issue. A temporary workaround if you would like to use WDAG is to go to Device Manager, expand Human Interface Devices and disable the "HID-compliant touch screen" and "Intel Precise Touch Device" if they are present. After a reboot try WDAG again. Re-enable these devices to restore touch.
28 Replies
This feature is puzzling. Why is it touted for Enterpise users? Are you assuming that Enterprise users are the ones who browse dangerous sites the most? Why then this feature is not enabled by default and why it has to be enabled and used this way? Is it hampering browsing in some way, not saving local data, settings, cookies? Then it has a very narrow usage model. Maybe for DoD :D But i'm sure such organizations have other means of blocking their users browsing non-work related sites. It seems that Home users would benefit from such protection the most (i understand that Hyper-V might not be supported on many home PCs, but we live in x64 era already). But it is sold as an added value for Enterprise license, though i don't see much value in it for my organization.
I think perhaps you misunderstand the intent of the feature. I see primarily it as a sandboxed browser session that effectively runs each page in a VM, therefore eliminating any possibility of attacks affecting the core OS. The features about favorites, history etc. they talk about and say they are being implemented in a later release. As for enabling by default, I am sure this will be a Group Policy preference that organisations can set as they need. Some business has VERY critical data that cannot be compromised in any way, so this is a worthwhile feature and it has been, in my experience, the very high-end employees that are most likely to be fooled by website attacks, spoofing etc. so intelligence, age and wisdom are irrelevant with modern IT attacks :-) I do agree it will be a useful addon to the novice home user, or Grandma, but let's help MS get the feature tested and stable, then perhaps the rest will come.
It has nothing to do with stability Local Policy Editor has been there for centuries and Hyper-V for at least a decade
Application Guard feature just like Credential Guard and Device Guard depends on underlying feature called Virtual Secure Mode. Which depends on Hyper-V and is Controlled by Group Policy and all these features are available on Enterprise Edition only. Virtualization extensions might or might not be present on all underlying hardware, though mostly they are present now a days.
Hence the reason for this to be available on Enterprise edition only.
Refer:
https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge/
https://blogs.technet.microsoft.com/ash/2016/03/02/windows-10-device-guard-and-credential-guard-demystified/
Does this that Hyper-V will be removed from Windows 10 Pro in next releases?
I wish to know more detail about this feature. Say will the page in this mode be able to save downloads to folder. If so to which folder(s). And what kind of browser assets (like cookies, or favorites) will it have access to (read/write). Will it block Edge plugins? Or does it also offer all the privacy protection in InPrivate mode?
Such information is useful to evaluate how useful this feature would be to Edge users.
While it is not possible currently to download files from the isolated Application Guard container to the host PC, you do have the option of using "Print as PDF" or "Print as XPS" and save those files to the host PC.
In the current build, your Edge profile and settings that include your cookies, favorites, and browsing history only persist for the life of the container. We are working on enabling Edge profiles and data in Application Guard persist between reboots and user log on sessions. We'll announce that functionality once its available in the future.
The current version of Edge in Application Guard will not support extensions but we are closely monitoring user feedback on this topic.
Finally, you can use InPrivate mode today in Application Guard. Once you have opened Edge in Application Guard, you will see the menu option to start InPrivate and that will stay in isolation.
Please use feedback hub to share feature suggestions or report any issues. Your feedback or votes on existing feedback will immensely help us to further improve the offering.
