Windows 10 - All Things About Application Guard

Published Jun 16 2021 01:56 PM 6,488 Views
Microsoft

WDAG3.gif

 

Hi IT Professionals,

While working on a Customers ‘requests on Windows Defender Application Guard related to Microsoft Endpoint Manager – Attack Surface Reduction Policies, I could not find an up-to-date and detailed document from internet search. I have ended up digging more on the topic and combining the WDAG information.

Today we would discuss about all things related to Windows Defender Application Guard included features, advantages, installation, configuration, testing and troubleshooting.

 

Application Guard features could be applied to both Edge browser and Office 365 applications.

  • For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites from trusted web sites, cloud resources, and internal networks defined by administrator’s configured list. Everything not on the lists is considered to be untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, then Microsoft Edge is kicked in and Edge opens the site in an isolated Hyper-V-enabled container.

TanTran_0-1623901371118.png

 

  • For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data.

Application Guard Prerequisite for Windows 10 systems:

  • For Edge Browser
    • 64 bit CPU with 4 cores
    • CPU supported for virtualization, Intel VT-x or AMD-V
    • 8GB of RAM or more.
    • 5GB of HD free space for Edge
    • Input/Output Memory Management Unit (IOMMU) is not required but strongly recommended.
    • Windows 10 Ent version 1709 or higher, Windows 10 Pro version 1803 or higher, Windows 10 Pro Education version 1803 or higher, Windows 10 Edu version 1903 or higher.
    • Office: Office Current Channel and Monthly Enterprise Channel, Build version 2011 16.0.13530.10000 or later
    • Intune or any other 3rd party mobile device management (MDM) solutions are not supported with WDAG for Professional editions.
  • For Office
    • CPU and RAM same as Application Guard for Edge Browser.
    • 10GB of HD free space.
    • Office: Office Current Channel and Monthly Enterprise Channel, Build version 2011 16.0.13530.10000 or later.
    • Windows 10 Enterprise edition, Client Build version 2004 (20H1) build 19041 or later
    • security update KB4571756

Application Guard Installation

On Client Windows 10 devices, the Application Guard Feature is turned off by default.

§  To enable Application Guard by using the Control Panel-features

             > Open the Control Panel, click Programs, and then click Turn Windows features on or off.

TanTran_24-1623875932543.png

              > Restart device.

§  To enable Application Guard by using PowerShell

                > Run Windows PowerShell as administrator

                > Type the command:  

                    Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-                                  ApplicationGuard

               > Restart the device.

Deploy Application Guard Profile by using (Intune) Endpoint Manager

  1. Go to https://endpoint.microsoft.com and sign in.
  2. Choose Enpoint security > Attack surface reduction > + Create profile, and do the following:
    1. In the Platform list, select Windows 10 and later.
    2. In the Profile list, select App and browser isolation.
    3. Choose Create.

    4.  

      TanTran_25-1623876227455.png

       

  3. Specify the following settings for the profile:
    1. Name and Description
    2. In the Select a category to configure settings section, choose Microsoft Defender Application Guard.
    3. In the Application Guard list, choose: “Enable for Edge” or “Enable for isolated Windows environment” or  “Enable for Edge AND isolated Windows environment”

TanTran_4-1623874094793.png

 

     4.  Choose your preferences for print options

TanTran_27-1623876432893.png

 

         5.  Define Network boundaries: internal network IP ranges, Cloud Resources IP ranges or FQDNs, Network Domains, Proxy Server IP                  addresses and Neutral resources ( e.g Azure signin URLs)

  •   Internal network IP range example:

 

TanTran_28-1623876595436.png

  •  Cloud Resources example:

TanTran_7-1623874094799.png

 

  • Network Domains example:

TanTran_22-1623875146361.png

 

 

  • Neutral resources example:

TanTran_21-1623875068083.png 

 

  1. Review and Save
    1. TanTran_20-1623874935494.png
  2. Save, Next.
  3. Scope Tags, … Next
  4. Choose Assignments, and then do the following:
    1. On the Include tab, in the Assign to list, choose an option.
    2. If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the Exclude tab.
    3. Click Save, Create.

After the profile is created, and applied to Windows 10 mobile systems, users might have to restart their devices in order for protection to be in place.

 

Deploy Application Guard Configuration Settings by using GPO

Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage the following settings:

Computer Configuration\Administrative Templates\Network\Network Isolation, wildcard “.” could be used

 

TanTran_11-1623874094835.png

 

  • Application Guard settings (clipboard copying, printing, non-enterprise web content in IE and Edge, Allowed persistent container,  download file to OS Host, Allow Extension in Container, Allow Favorite sync, …)

Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard

  

TanTran_0-1624431655153.png

 

 

After the profile is created, and applied to client systems, users might have to restart their devices in order for protection to be in place.

 

Testing Application Guard Deployment

 

  • Testing WDAG on Office application.

You could refer to techblog article named “Microsoft Defender Application Guard for Office” of John Barbe for the great information and testing steps.

  • Testing WDAG on Edge Browser.

You could test application guard on Standard mode for home users or Enterprise mode for domain users. We are focusing on Enterprise mode testing:

  1. Start Microsoft Edge and type https://www.microsoft.com.

After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.

 

TanTran_13-1623874094904.png

 

  1. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists.

After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.

 

TanTran_14-1623874094975.png

 

Tips:

  • To reset (clean up) a container and clear persistent data inside the container:
    • 1.  Open a command-line program and navigate to Windows/System32.
      2. Type wdagtool.exe cleanup. The container environment is reset, retaining only the employee-generated data.
      3. Type wdagtool.exe cleanup RESET_PERSISTENCE_LAYER. The container environment is reset, including discarding all employee-generated data.
  • Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays.
  • Make sure to enable “Allow auditing events” for Application Guard if you want to collect Event Viewer log and report log to Microsoft Defender for Endpoint

TanTran_0-1624431974234.png

 

  • Configure network proxy (IP-Literal Addresses) for Application Guard:

Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as 192.168.1.4:81 can be annotated as itproxy:81 or using a record such as P19216810010 for a proxy with an IP address of 192.168.100.10. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.

 

Application Guard Extension for third-party web browsers

The Application Guard Extension available for Chrome and Firefox allows Application Guard to protect users even when they are running a web browser other than Microsoft Edge or Internet Explorer.

Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios.

  1. Open either Firefox or Chrome — whichever browser you have the extension installed on.
  2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is full loaded. 

 

TanTran_16-1623874095000.png

  1. Navigate to a non-enterprise, external website site, such as www.bing.com. The site should be redirected to Microsoft Defender Application Guard Edge.

More detail on Extension for Chrome and Firefox browser is here: Microsoft Defender Application Guard Extension - Windows security | Microsoft Docs

 

Troubleshooting and Limitation of Windows Defender Application Guard

The Application Guard known issues are listed in the following table:

 

Error message

Root Cause and Solution

0x80070013 ERROR_WRITE_PROTECT

An encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work because of disk mount failure.

ERROR_VIRTUAL_DISK_LIMITATION

Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.

ERR_NAME_NOT_RESOLVED

 

Firewall blocks DHCP UDP communication

You need to create 2 Firewall rules for DHCP Server and Clients, detail is here

 

Can not launch Application Guard when Exploit Guard is enabled

if you change the Exploit Protection settings for CFG (Control Flow Guard) and possibly others, hvsimgr cannot launch. To mitigate this issue,

> go to Windows Security

> App and Browser control

> Exploit Protection Setting, and then switch CFG to use default.

 

Application Guard Container could not load due to Device Control Policy for USB disk

Allow installation of devices that match any of the following device IDs:

·         SCSI\DiskMsft____Virtual_Disk____

·         {8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba

·         VMS_VSF

·         root\Vpcivsp

·         root\VMBus

·         vms_mp

·         VMS_VSP

·         ROOT\VKRNLINTVSP

·         ROOT\VID

·         root\storvsp

·         vms_vsmp

·         VMS_PP

 

Could not view favorites in the Application Guard Edge session.

Favorites Sync is turned off

Enable Favorite Sync for Application Guard from host to virtual container, need Edge version 91 or later.

Could not see Extension in the Application Guard Edge session.

Enable the extensions policy on your Application Guard configuration

Some lingual keyboard may not work with Application Guard

The following keyboard currently not supported:

·         Vietnam Telex keyboard

·         Vietnam number key-based keyboard

·         Hindi phonetic keyboard

·         Bangla phonetic keyboard

·         Marathi phonetic keyboard

·         Telugu phonetic keyboard

·         Tamil phonetic keyboard

·         Kannada phonetic keyboard

·         Malayalam phonetic keyboard

·         Gujarati phonetic keyboard

·         Odia phonetic keyboard

·         Punjabi phonetic keyboard

 

Could not run Application Guard in Enterprise mode

When using Windows Pro you have access to Standalone Mode.

However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode or Standalone Mode.

 

I would hope the information provided in this article is useful.

Until next time.

 

Reference:

 

Co-Authors
Version history
Last update:
‎Jun 23 2021 12:08 AM
Updated by: