Windows Defender Application Guard Standalone mode

Microsoft

Many businesses worldwide have come under increasing threat of targeted attacks, where attackers craft specialized attacks against a particular business in an attempt to take control of corporate networks and data. For the most security-conscious businesses, we are introducing a new layer of defense-in-depth protection: Windows Defender Application Guard for Windows 10 Enterprise. Application Guard provides unprecedented protection against targeted threats using Microsoft's industry-leading Hyper-V virtualization technology. In the upcoming release of Windows, we have built experiences around the Microsoft Edge browser that allow users or organizations to launch Microsoft Edge in a Hyper-V virtualized, isolated environment. Windows Insiders will be the first to try out these new experiences as we roll them out. Here is a recent RSA talk on Windows Defender Application Guard if you'd like to understand this feature in more detail. Below are some steps you can take to enable these cutting-edge experiences on the latest Windows Insider Preview build.

 

How to set up and configure your system for Windows Defender Application Guard

Requirements:

  • Windows 10 Enterprise SKU only, Build 16188+
  • en-us only for the current builds; full locale support will arrive soon
  • PC must support Hyper-V (some older PCs may not support Hyper-V or may have this feature disabled in BIOS)
  • Windows Defender Application Guard is off by default; it must be enabled manually or by policy

 

You can turn on Windows Defender Application Guard using the Turn Windows features on or off dialog. Select the checkbox as shown below for Windows Defender Application Guard.

 

[Screenshot: Turn Windows features on or off dialog with Windows Defender Application Guard selected (WDAG Turn on and off features.png)]

 

 

Click OK and then restart your computer. 
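The same prerequisite checks and feature enablement can be scripted. This is an added example for readers of this thread, not code from Microsoft or the original post; it assumes an elevated PowerShell prompt on Windows 10 with the built-in DISM module, and uses the optional feature name Windows-Defender-ApplicationGuard.

```powershell
# Added example (not from the original post): verify the requirements listed above
# and enable Windows Defender Application Guard, then prompt for the reboot it needs.
#Requires -RunAsAdministrator

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber

# Requirement: Windows 10 Enterprise SKU, build 16188 or later
if ($os.Caption -notmatch 'Enterprise') {
    Write-Warning "Application Guard requires the Windows 10 Enterprise SKU; found: $($os.Caption)"
}
if ($build -lt 16188) {
    Write-Warning "Build $build is older than 16188; Application Guard is not available on this build."
}

# Requirement: en-us system locale on the current Insider builds
if ((Get-WinSystemLocale).Name -ne 'en-US') {
    Write-Warning "System locale is $((Get-WinSystemLocale).Name); current builds support en-US only."
}

# Requirement: Hyper-V capable hardware. When a hypervisor is already running, the
# individual HyperVRequirement* properties are empty, so treat HyperVisorPresent as ready.
$hv = Get-ComputerInfo -Property HyperV*
$hvReady = $hv.HyperVisorPresent -or (
    $hv.HyperVRequirementVirtualizationFirmwareEnabled -and
    $hv.HyperVRequirementSecondLevelAddressTranslation -and
    $hv.HyperVRequirementDataExecutionPreventionAvailable -and
    $hv.HyperVRequirementVMMonitorModeExtensions)
if (-not $hvReady) {
    Write-Warning "Hyper-V requirements not met. Check that virtualization (VT-x/AMD-V) is enabled in firmware."
}

# Same effect as ticking the box in "Turn Windows features on or off", then clicking OK.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
if ($feature.State -eq 'Enabled') {
    Write-Host 'Windows Defender Application Guard is already enabled.'
} else {
    $result = Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    if ($result.RestartNeeded) {
        Write-Host 'Application Guard enabled. Restart the computer to finish installation (Restart-Computer).'
    }
}
```

Run it once before and once after the reboot: the second run should report the feature as already enabled and, because the hypervisor is now present, no Hyper-V warning.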

 

How to Use Windows Defender Application Guard

  1. Open Edge and click on the menu in the top right corner
  2. Click on "New Application Guard window" as shown below

    [Screenshot: Edge menu showing "New Application Guard window" (Edge AG Menu.png)]

     

  3. You will see a new instance of Edge open with the following splash screen

    [Screenshot: Application Guard splash screen (delayui.png)]

     

  4. The new instance of Edge will open with Windows Defender Application Guard enabled

    [Screenshot: Edge window running in Application Guard (AG Edge Window.png)]

     

  5. We encourage Windows Insiders to use Windows Defender Application Guard with Microsoft Edge to browse the Web. Your feedback, suggestions, and telemetry will help us to improve this feature.

 

Feedback Hub link: Launch Windows Feedback for Microsoft Edge\Application Guard

 

FAQ

  1. Why don't I see my Favorites in the Application Guard Edge session?
    To keep your Application Guard Edge session secure and isolated from the host PC, favorites from the Application Guard Edge session are not copied back to your host PC. Creating and persisting new Favorites within the Application Guard Edge session is coming in a future build.

  2. Why do Cookies and Credentials seem to behave differently in the Application Guard Edge session?
    Persistence of cookies and site credentials across Application Guard Edge sessions (i.e. across a host PC reboot or log-on) is coming in a future build. These artifacts will always be isolated from the host PC.

  3. Can I copy and paste between the host PC and Application Guard Edge session?
    Yes, the user can copy/paste bitmap images and text to and from the Application Guard Edge session.

  4. Why don't I see my Extensions in the Application Guard Edge session?
    The current version of Edge in Application Guard does not support Extensions; we are closely monitoring user feedback on this topic.

  5. Can I download documents from the Application Guard Edge session onto my host PC?
    While it is not currently possible to download files from the isolated Application Guard container to the host PC, you do have the option of using "Print as PDF" or "Print as XPS" and saving those files to the host PC.

Known Issues

  1. In Build 16193 Windows Defender Application Guard will fail to work on touch PCs, showing a solid black window on launch. Non-touch-enabled devices should not experience the issue. A temporary workaround if you would like to use WDAG is to go to Device Manager, expand Human Interface Devices and disable the "HID-compliant touch screen" and "Intel Precise Touch Device" if they are present. After a reboot, try WDAG again. Re-enable these devices to restore touch.
 
5 Replies

Re: Windows Defender Application Guard Standalone mode

I wish to know more detail about this feature. Say will the page in this mode be able to save downloads to folder. If so to which folder(s). And what kind of browser assets (like cookies, or favorites) will it have access to (read/write). Will it block Edge plugins? Or does it also offer all the privacy protection in InPrivate mode?

 

Such information is useful to evaluate how useful this feature would be to Edge users.

Re: Windows Defender Application Guard Standalone mode

This feature is puzzling. Why is it touted for Enterprise users? Are you assuming that Enterprise users are the ones who browse dangerous sites the most? Why then is this feature not enabled by default, and why does it have to be enabled and used this way? Is it hampering browsing in some way, not saving local data, settings, cookies? Then it has a very narrow usage model. Maybe for DoD :D But I'm sure such organizations have other means of blocking their users from browsing non-work-related sites. It seems that Home users would benefit from such protection the most (I understand that Hyper-V might not be supported on many home PCs, but we live in the x64 era already). But it is sold as added value for the Enterprise license, though I don't see much value in it for my organization.

Re: Windows Defender Application Guard Standalone mode

While it is not currently possible to download files from the isolated Application Guard container to the host PC, you do have the option of using "Print as PDF" or "Print as XPS" and saving those files to the host PC.

In the current build, your Edge profile and settings, including your cookies, favorites, and browsing history, only persist for the life of the container. We are working on enabling Edge profiles and data in Application Guard to persist between reboots and user log-on sessions. We'll announce that functionality once it's available in the future.

The current version of Edge in Application Guard will not support extensions, but we are closely monitoring user feedback on this topic.

Finally, you can use InPrivate mode today in Application Guard. Once you have opened Edge in Application Guard, you will see the menu option to start InPrivate, and that will stay in isolation.

 

Please use feedback hub to share feature suggestions or report any issues. Your feedback or votes on existing feedback will immensely help us to further improve the offering.

Re: Windows Defender Application Guard Standalone mode

The Application Guard feature, just like Credential Guard and Device Guard, depends on an underlying feature called Virtual Secure Mode, which depends on Hyper-V and is controlled by Group Policy; all these features are available on Enterprise Edition only. Virtualization extensions might or might not be present on all underlying hardware, though mostly they are present nowadays.

 

Hence the reason for this to be available on Enterprise edition only.

 

 

Refer:

application-guard-microsoft-edge

credential-device-guard

 

Re: Windows Defender Application Guard Standalone mode

Indeed. Even users who have hardware support for Hyper-V may choose not to install it, because lots of Android emulators (or I would say, all emulators people commonly use to play and stream Android gameplay) won't work with the Hyper-V component installed.