Activate WDAG in Insider Edge

Deleted

For those who want to try Application Guard in Edge Canary:

  1. You must be on the May 2019 update in Windows 10 (Version 1903)
  2. Make sure you have Virtualization turned on in BIOS
  3. Make sure WDAG is turned on in Windows Features (Control Panel\All Control Panel Items\Programs and Features).
  4. Make sure it works in "Classic Edge"
  5. When it works there, go to edge://flags/#edge-application-guard and enable it.

 

17 Replies

@Deleted  A side note:  WDAG, which is dependent on Hyper-V, is available for Windows 10 Pro and Windows 10 Enterprise users.  It is not, to my best knowledge, available for Windows 10 Home users, even for users running 1903.

 

In Windows 10 Pro, you must have both Hyper-V and Windows Defender Application Guard enabled (Control Panel, Programs and Features, Turn Windows features on or off, click the boxes for both Hyper-V and Windows Defender Application Guard), restart and then follow Cliff S's instructions to enable the extension.
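A read-only check of the prerequisites listed in the original post and in the reply above, as an added example that is not part of any post in this thread. The function name `Test-WdagPrerequisites` is hypothetical; the build number 18362 corresponds to version 1903, and the edition test follows the Pro/Enterprise statement in the reply.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the thread): reports WDAG prerequisites without changing anything.
# Get-WindowsOptionalFeature -Online needs an elevated session.

function Test-WdagPrerequisites {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Step 1: Windows 10 version 1903 (May 2019 update) is build 18362.
    $buildOk = [int]$os.BuildNumber -ge 18362

    # Edition, per the reply: Pro or Enterprise, not Home.
    $editionOk = $os.Caption -match 'Pro|Enterprise'

    # Step 2: virtualization in firmware. VirtualizationFirmwareEnabled can read
    # False once a hypervisor is already running, so HypervisorPresent counts too.
    $virtOk = [bool]$cpu.VirtualizationFirmwareEnabled -or [bool]$cs.HypervisorPresent

    # Step 3 (and the reply's Hyper-V note): state of the two optional features.
    $state = @{}
    foreach ($name in 'Windows-Defender-ApplicationGuard', 'Microsoft-Hyper-V-All') {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        $state[$name] = if ($f) { [string]$f.State } else { 'NotPresent' }
    }
    $wdagOk = $state['Windows-Defender-ApplicationGuard'] -eq 'Enabled'

    [pscustomobject]@{
        Caption          = $os.Caption
        Build            = [int]$os.BuildNumber
        BuildIs1903Plus  = $buildOk
        EditionSupported = $editionOk
        VirtualizationOn = $virtOk
        WdagFeature      = $state['Windows-Defender-ApplicationGuard']
        HyperVFeature    = $state['Microsoft-Hyper-V-All']
        # Hyper-V state is reported but not folded into the verdict,
        # because only the reply, not the original steps, asks for it.
        ReadyForWdag     = $buildOk -and $editionOk -and $virtOk -and $wdagOk
    }
}

Test-WdagPrerequisites | Format-List
```

A `WdagFeature` value of `NotPresent` means the feature name was not found in this image.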

@tomscharbach You're right.

The actual idea of the post is, though, if one does already have WDAG activated, it can be used now in Insider Edge (big) if one has updated to Windows 10 version 1903.

 

I just posted the short version on how to get it in case someone hasn't used it yet.

 

I saw a few other posts where members were asking when it would be available, and I had seen a week or two ago at Bleeping(dot)com that it was already available, but couldn't get it.

Last night when I updated to 1903, and then checked, lo & behold it was there 8)

 

 

@Deleted  "The actual idea of the post is, though, if one does already have WDAG activated, it can be used now in Insider Edge (big) if one has updated to Windows 10 version 1903."

 

We aren't in conflict.  I just wanted to alert Windows 10 Home users that WDAG is not available for that edition of Windows.  The hope is that the alert will head off "I can't find WDAG ..." comments from Windows 10 Home users.

@tomscharbach I understand that. :thumbs_up:

@Deleted  Thanks for the information.  I just enabled the WDAG extension on the two W10 Pro computers I'm using to test Edge Chromium, and I'm going to test drive it.  I wouldn't have been aware that it was available without your post.

 

WDAG is an important security tool.  I'd like to see Microsoft enable WDAG on Windows 10 Home edition, but that is a topic for another forum.

Is it possible to enable extensions in WDAG like for "Allow in InPrivate"?

 

And I noticed that the proxy settings are not recognized. So isn't it possible to run WDAG behind a proxy server?

 

@David Rubino David, could you have a look into this request and let me know an answer?

Using that flag is no longer needed.
Also don't need people to check if it works in the old Edge first. The new Microsoft Edge is like Google Chrome, totally different. There might be times when it works on Edge but doesn't on the new Edge.

@stesch79 

It's not possible.
The idea behind it is to create a pure environment without any 3rd parties because Microsoft can only guarantee the safety of their own products, not some rogue extension developer who might abuse their Google extension store rights and terms. And it happens VERY often.

 

Custom Cursor for Chrome is just one example to show what happens when someone tries to install extensions in WDAG.

 

Annotation 2019-08-15 105255.png

 

@HotCakeX Thanks. This totally makes sense for 99% of the users. But in our environment only 1 extension is allowed, and it needs to be activated when connecting to the internet. So without that extension, no Internet connection is possible and therefore WDAG makes no sense.

 

So, we need to recap this solution.

Well, that's interesting. May I know what that extension exactly does? Is it something like a VPN?

It's just adding a string to the Edge user agent string which is read by the proxy server. And the extension (extension management) is only enabled, if certain security measures are as they should be. So we can make sure that no one is connecting to the internet that uses an unsecure computer. At least it helps to make sure, as this is not the only monitoring we have in place.

 

That's very easy to circumvent to be honest, seriously what was that person thinking when he decided that lol. Firefox even has a built-in option to add a custom user agent string.
Anyway, if your situation is like this then you should use the normal Edge Insider instead, not the WDAG. The same person who decided that custom user string thingy should be able to SECURE the computers of the clients (you) without the need for WDAG.
Microsoft has proper tools and software for each scenario but if some system admin decides to deploy their own version of things then it's their fault.
If Microsoft allowed extensions and similar things to be allowed in WDAG environment then it would be a big vulnerability for Everyone.

@HotCakeX You may laugh, but this little nice feature has already prevented us from some malware that wanted to connect to internet. For sure I understand that it's not the intention having extensions enabled in WDAG.

Some malware inside clients' systems that wanted to connect to Internet?

@stesch79 Sorry about the delay . . . I've referred your question to the experts inside the team and hope to have their perspective soon. 

 

-David 

@David Rubino  Coming back to this question as the FAQ of WDAG still says "Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this."

 

We need this possibility. Pleeeeeease :cry: