Identify network traffic originating from App Guard containers at the proxy level

Diamond Contributor



Microsoft Edge Version 91.0.834.0 (Official build) canary (64-bit)

The newly added flag for this feature: edge://flags/#edge-wdag-traffic-identification


If enabled, Application Guard traffic will be tagged with a X-MS-ApplicationGuard-Initiated header

– Windows


By the way, if any user or developer is reading this, can you help me understand how exactly we should monitor WDAG connections?

There are some difficulties I've been trying to solve in the past few hours.



Fiddler cannot work with Application Guard because of a small incompatibility.

The Microsoft FAQ about Application Guard has this section:

How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Ad...

Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as can be annotated as itproxy:81 or using a record such as P19216810010 for a proxy with an IP address of This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.

If you start Fiddler and go to Settings > Network & Internet > Proxy, you will see under "Manual proxy setup" that:

  • The setting "Use a proxy server" has turned itself to On
  • Address has become http=;https=

The problem here is that Application Guard does not accept such a URL, as it requires the proxy to be identified by name and not by IP address.

If you now try to change that URL to https=localhost:8888 so as to give it a name, and then click the Save button, Fiddler will immediately turn Capture to Off, and will put up a large notice in yellow saying: "The system proxy was changed. Click to reenable capturing". And if you click the yellow header ... the proxy's URL in Settings returns to http=;https= (!).

As far as I can see, the situation is unsolvable: The two applications are mutually incompatible. This might perhaps be by design.



I have tried the new Fiddler and Charles proxy too, unfortunately they all set Windows proxy settings to, so only a debugger that uses named proxy would help here.



1 Reply


You can use header inspection on your proxy (be aware, ssl deep inspection must be enabled) to use this header to identify the traffic as source.


Btw to your fiddler problem, you can use a local fiddler if you open up the port in the firewall and use the clientname as proxy connection (just set in the gpo for edge application guard the local computer as proxy)


My problem is....i dont have this flag in edge 100 -.-