SOLVED

Extensions are remembered in Application Guard mode after fully closing it and the Edge browser

MVP

Version 81.0.410.0 (Official build) canary (64-bit)

 

I went to WDAG mode window, installed an extension from Microsoft add-on store, continued browsing the web for few minutes, then i closed the Application Guard window and closed Edge.

waited approx 1 or 2 minutes, launched Edge canary again and started a new Application Guard window, then I noticed the extension that I had installed is still in there!

 

that was absolutely not what I expected, the Application Guard window should flush itself and clear all of user data once closed.

 

DSDA.png

 

 

6 Replies

@HotCakeX - Thanx for the feedback. Currently the functionality is when "Allow Data persistence For ..." policy is enabled on the device. The Application Guard will persist the previous state. If this policy is turned off the state is flushed on container startup. 

Hi @Arunesh_Chandra 

that wasn't it though in my case, turns out this feature is the culprit

which is a flag and apparently enabled by default?

Application Guard Prelaunch

If enabled, Microsoft Edge Application Guard will be prelaunched in the background when recently used. – Windows

#edge-wdag-prelaunch

 

when the prelaunch happens and i can see it happen in the task manager, so when it happens, the data is not flushed, it is retained until a specific time is past and then Edge flushes it.

I don't know how many minutes or hours it takes, no information available about it.

 

but i'm sure it wasn't a policy, this is my own personal system and i never set anything like that.

The Prelaunch feature is to improve the performance of Application Guard. This may hold the container running for 15 mins longer if the host instance is running but the state of the container will be flushed when the container restarts.
  • I'm on Windows 10 insider fast ring build 19559 x64.
  • I didn't set any policies manually.
  • I don't know where that policy is exactly, it's Not here: Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard

based on this post

 

  • I only have "Windows Defender SmartScreen" policy in there.

 

  • This is my Windows Defender settings (I don't use 3rd party AV)

 

trtete.png

 

 

  • Edge Application Guard data is not flushed (the extension is still installed), I even waited 30 minutes and then opened Application Guard in Edge again, the extension was still there.
  • the only way to flush it is a system restart.
  • Microsoft Edge canary Version 82.0.421.0 (Official build) canary (64-bit)
  • The flag "Application Guard Prelaunch" had no effect. I tried enabling/disabling it, I got the same result every time.
  • Not sure if it's relevant but I have Windows Sandbox and Hyper-V features enabled on my Windows PC.

Hope this info help solve the issue

 

best response confirmed by HotCakeX (MVP)
Solution

@HotCakeX This all sounds as expected behavior. With persistence disabled, the extensions (and other settings/data) will persist as long as the container VM exists (it will be destroyed when the host shuts down). The container VM might be destroyed before that -- you can force the issue by restarting the hvsics service for example.

 

You can see if you have persistence policy on/off at edge://application-guard-internals/#host (look for "container persistence" in the "Policies" section).

 

It would be unexpected for the extension settings to outlive the container (when persistence is disabled) -- that they are going away with a restart indicates this is all working.

 

Tying the profile (settings) lifetime to the browser lifetime (instead of the container lifetime) is something we are discussing internally.

 

Thank you very much for the explanation,

"Tying the profile (settings) lifetime to the browser lifetime (instead of the container lifetime) is something we are discussing internally."

That was exactly what I was expecting to happen. because I see how Windows Sandbox (container?) works (closing it flushes everything) and I thought Windows Defender Application Guard container would have the same behavior but now I see they have different behaviors.
1 best response

Accepted Solutions
best response confirmed by HotCakeX (MVP)
Solution

@HotCakeX This all sounds as expected behavior. With persistence disabled, the extensions (and other settings/data) will persist as long as the container VM exists (it will be destroyed when the host shuts down). The container VM might be destroyed before that -- you can force the issue by restarting the hvsics service for example.

 

You can see if you have persistence policy on/off at edge://application-guard-internals/#host (look for "container persistence" in the "Policies" section).

 

It would be unexpected for the extension settings to outlive the container (when persistence is disabled) -- that they are going away with a restart indicates this is all working.

 

Tying the profile (settings) lifetime to the browser lifetime (instead of the container lifetime) is something we are discussing internally.

 

View solution in original post