Hi IT Professionals,
While working on a customer's request about Windows Defender Application Guard, as part of the Microsoft Endpoint Manager Attack Surface Reduction policies, I could not find an up-to-date and detailed document through internet search. I ended up digging deeper into the topic and combining the WDAG information here.
Today we will discuss all things related to Windows Defender Application Guard, including its features, advantages, installation, configuration, testing and troubleshooting.
Application Guard can be applied to both the Edge browser and Office 365 applications.
Application Guard Installation
On client Windows 10 devices, the Application Guard feature is turned off by default. Enable it either way:
> Open the Control Panel, click Programs, and then click Turn Windows features on or off; or
> Run Windows PowerShell as administrator and type the command:
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
> Restart the device.
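Before (or after) enabling the feature, it is worth confirming the host can actually run the hardware-isolated container. The following pre-flight check is an added example, not code from the original post; the cmdlets are built into Windows 10, while the function name and the Enterprise/Education edition test are my assumptions.

```powershell
# Added example, not from the original post: a pre-flight check for the prerequisites the
# Application Guard feature above depends on. Run in an elevated PowerShell session on
# Windows 10; the cmdlets are built in, the function name and the edition test are mine.
function Test-WdagReadiness {
    $ci = Get-ComputerInfo -Property OsName, HyperVisorPresent,
        HyperVRequirementVirtualizationFirmwareEnabled, HyperVRequirementSecondLevelAddressTranslation,
        HyperVRequirementVMMonitorModeExtensions, HyperVRequirementDataExecutionPreventionAvailable

    # Enterprise-Managed mode needs an Enterprise or Education SKU; Windows Pro
    # only gets Standalone mode (see the troubleshooting table further down).
    $edition = [string]$ci.OsName
    $enterpriseManaged = $edition -match 'Enterprise|Education'

    # With a hypervisor already running the HyperVRequirement* fields come back $null,
    # so only evaluate the firmware/SLAT/VMX/DEP requirements when none is present.
    if ($ci.HyperVisorPresent) {
        $virtOk = $true
    } else {
        $checks = @($ci.HyperVRequirementVirtualizationFirmwareEnabled,
                    $ci.HyperVRequirementSecondLevelAddressTranslation,
                    $ci.HyperVRequirementVMMonitorModeExtensions,
                    $ci.HyperVRequirementDataExecutionPreventionAvailable)
        $virtOk = -not ($checks -contains $false)
    }

    # The optional feature the post enables; State is typically Enabled or Disabled.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard

    [pscustomobject]@{
        Edition               = $edition
        EnterpriseManagedMode = $enterpriseManaged
        VirtualizationReady   = $virtOk
        FeatureState          = [string]$feature.State
    }
}

$result = Test-WdagReadiness
$result | Format-List

# Only enable when the hardware can run the container; -NoRestart lets you schedule
# the reboot the post mentions instead of rebooting immediately.
if ($result.VirtualizationReady -and $result.FeatureState -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
}
```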
4. Choose your preferences for print options.
5. Define the network boundaries: internal network IP ranges, cloud resource IP ranges or FQDNs, network domains, proxy server IP addresses and neutral resources (e.g. Azure sign-in URLs).
After the profile is created and applied to Windows 10 mobile systems, users might have to restart their devices for the protection to take effect.
Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage the following settings:
Computer Configuration\Administrative Templates\Network\Network Isolation (the wildcard "." can be used in the domain lists)
Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard
After the policy is created and applied to client systems, users might have to restart their devices for the protection to take effect.
Testing Application Guard Deployment
You can refer to the tech blog article "Microsoft Defender Application Guard for Office" by John Barbe for great information and testing steps.
You can test Application Guard in Standalone mode for home users or in Enterprise mode for domain users. We are focusing on Enterprise mode testing:
After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.
After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
Tips:
Application Guard requires proxies to have a symbolic name, not just an IP address. IP-literal proxy settings such as 192.168.1.4:81 can be annotated as itproxy:81, or by using a record such as P19216810010 for a proxy with the IP address 192.168.100.10. This applies to Windows 10 Enterprise edition, version 1709 or higher, and concerns the proxy policies under Network Isolation in Group Policy or Intune.
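The Network Isolation settings above and this proxy tip can be audited together. The following script is an added example, not code from the original post: it reads the Network Isolation policy values (assuming they are stored under the usual HKLM Policies registry key written by Group Policy) and flags any proxy entry that is an IP literal rather than a symbolic name; the sample hashtable is constructed data so the check can be exercised on a host where no policy is configured.

```powershell
# Added example, not from the original post: audit the Network Isolation policy values
# Application Guard uses for its trusted/untrusted decision and flag proxy entries given as
# IP literals (not accepted, see the tip above). Registry path and sample data are assumptions.
$NetIsoPolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'

function Get-NetIsoPolicy {
    # Configured values as a hashtable, or $null when the policy key is absent.
    if (-not (Test-Path $NetIsoPolicyPath)) { return $null }
    $props = Get-ItemProperty -Path $NetIsoPolicyPath
    $policy = @{}
    foreach ($name in 'EnterpriseCloudResources', 'EnterpriseNetworkDomainNames', 'EnterpriseIPRange',
                      'EnterpriseProxyServers', 'EnterpriseInternalProxyServers', 'NeutralResources') {
        if ($null -ne $props.$name) { $policy[$name] = [string]$props.$name }
    }
    return $policy
}

function Test-IpLiteral {
    param([string]$Entry)
    # Strip a trailing :port and IPv6 brackets, then see whether the remainder parses as an
    # address: "itproxy:81" -> $false, "P19216810010" -> $false, "192.168.1.4:81" -> $true.
    $hostName = ($Entry.Trim() -replace ':\d+$', '').Trim('[', ']')
    [System.Net.IPAddress]$parsed = $null
    return [System.Net.IPAddress]::TryParse($hostName, [ref]$parsed)
}

function Find-IpLiteralProxies {
    param([hashtable]$Policy)
    $findings = @()
    foreach ($key in 'EnterpriseProxyServers', 'EnterpriseInternalProxyServers') {
        if (-not $Policy.ContainsKey($key)) { continue }
        # Proxy lists are semicolon separated; commas are tolerated too.
        foreach ($entry in ($Policy[$key] -split '[;,]' | Where-Object { $_.Trim() })) {
            if (Test-IpLiteral $entry) { $findings += "$key has IP-literal proxy '$($entry.Trim())'" }
        }
    }
    return $findings
}

# Constructed sample: a symbolic proxy name beside an IP literal that must be flagged.
$sample = @{
    EnterpriseNetworkDomainNames = 'contoso.com,.contoso.local'
    EnterpriseProxyServers       = 'itproxy:81;192.168.1.4:81'
    NeutralResources             = 'login.microsoftonline.com'
}
$policy = Get-NetIsoPolicy
if ($null -eq $policy) { Write-Warning 'Policy not configured here; auditing the constructed sample.'; $policy = $sample }
Find-IpLiteralProxies -Policy $policy
```

Against the constructed sample the script reports the 192.168.1.4:81 entry only; itproxy:81 passes because it has a symbolic name.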
The Application Guard Extension available for Chrome and Firefox allows Application Guard to protect users even when they are running a web browser other than Microsoft Edge or Internet Explorer.
Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios.
More detail on the extension for the Chrome and Firefox browsers is here: Microsoft Defender Application Guard Extension - Windows security | Microsoft Docs
Troubleshooting and Limitations of Windows Defender Application Guard
| Error message | Root cause and solution |
|---|---|
| 0x80070013 ERROR_WRITE_PROTECT | An encryption driver prevents a VHD from being mounted or written to, so Application Guard does not work because the disk mount fails. |
| ERROR_VIRTUAL_DISK_LIMITATION | Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume. |
| ERR_NAME_NOT_RESOLVED | The firewall blocks DHCP UDP communication. You need to create two firewall rules, one for the DHCP server and one for the clients; details are here. |
| Cannot launch Application Guard when Exploit Guard is enabled | If you change the Exploit Protection settings for CFG (Control Flow Guard), and possibly others, hvsimgr cannot launch. To mitigate this issue, go to Windows Security > App and browser control > Exploit protection settings, and switch CFG back to "Use default". |
| Application Guard container could not load because of a Device Control policy for USB disks | Allow installation of devices that match any of the following device IDs: SCSI\DiskMsft____Virtual_Disk____, {8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba, VMS_VSF, root\Vpcivsp, root\VMBus, vms_mp, VMS_VSP, ROOT\VKRNLINTVSP, ROOT\VID, root\storvsp, vms_vsmp, VMS_PP |
| Could not view favorites in the Application Guard Edge session | Favorites sync is turned off. Enable favorites sync for Application Guard from the host to the virtual container; this needs Edge version 91 or later. |
| Could not see extensions in the Application Guard Edge session | Enable the extensions policy in your Application Guard configuration. |
| Some language keyboards may not work with Application Guard | The following keyboards are currently not supported: Vietnam Telex keyboard, Vietnam number key-based keyboard, Hindi phonetic keyboard, Bangla phonetic keyboard, Marathi phonetic keyboard, Telugu phonetic keyboard, Tamil phonetic keyboard, Kannada phonetic keyboard, Malayalam phonetic keyboard, Gujarati phonetic keyboard, Odia phonetic keyboard, Punjabi phonetic keyboard |
| Could not run Application Guard in Enterprise mode | When using Windows Pro you have access to Standalone mode. When using Windows Enterprise you have access to Application Guard in Enterprise-Managed mode or Standalone mode. |
I hope the information provided in this article is useful.
Until next time.