May 03 2017 02:59 PM - edited Jun 11 2017 10:24 PM
Many businesses worldwide have come under increasing threat of targeted attacks, where attackers are crafting specialized attacks against a particular business, attempting to take control of corporate networks and data. For the most security-conscious businesses, we are introducing a new layer of defense-in-depth protection: Windows Defender Application Guard for Windows 10 Enterprise. Application Guard provides unprecedented protection against targeted threats using Microsoft's industry-leading Hyper-V virtualization technology. In the upcoming release of Windows, we have built experiences around the Microsoft Edge browser that allow users or organizations to launch Microsoft Edge in a Hyper-V virtualized isolated environment. Windows Insiders will be the first to try out these new experiences as we roll them out. Here is a recent RSA talk on Windows Defender Application Guard if you'd like to understand this feature in some more detail. Below are some steps you can take to enable these cutting-edge experiences on the latest Windows Insider Preview build.
You can turn on Windows Defender Application Guard using the Turn Windows features on or off dialog. Select the checkbox as shown below for Windows Defender Application Guard.
Click OK and then restart your computer.
You will see the following splash screen after which a new instance of Edge will open with Windows Defender Application Guard enabled.
The new instance of Edge will open with Windows Defender Application Guard enabled
Feedback Hub link: Launch Windows Feedback for Microsoft Edge\Application Guard
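A scripted equivalent of the dialog steps above, as an added example that is not part of the original post. It assumes an elevated PowerShell session and that the checkbox maps to the optional feature named `Windows-Defender-ApplicationGuard`; the SLAT check reflects a general Hyper-V requirement, not something the post states.

```powershell
# Added example (not from the original post). Run from an elevated prompt.
$featureName = 'Windows-Defender-ApplicationGuard'

function Test-VirtualizationReady {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    # Once a hypervisor is already running, the CPU properties below can read
    # False, so a present hypervisor is taken as proof virtualization works.
    if ($cs.HypervisorPresent) { return $true }
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    # Hyper-V needs virtualization enabled in firmware plus SLAT support.
    return ($cpu.VirtualizationFirmwareEnabled -and
            $cpu.SecondLevelAddressTranslationExtensions)
}

$os = Get-CimInstance -ClassName Win32_OperatingSystem
Write-Host "Edition: $($os.Caption)  Build: $($os.BuildNumber)"

if (-not (Test-VirtualizationReady)) {
    Write-Warning 'Virtualization is disabled in firmware or SLAT is missing.'
    return
}

# The feature is only offered on some editions and builds; treat an error
# or an empty result as "not available here" instead of failing later.
try {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction Stop
} catch {
    $feature = $null
}
if ($null -eq $feature -or -not $feature.State) {
    Write-Warning "$featureName is not offered on this edition or build."
    return
}

if ($feature.State -eq 'Enabled') {
    Write-Host 'Application Guard is already enabled.'
} else {
    # -NoRestart defers the reboot so it can be scheduled; the feature is
    # usable only after the restart described in the steps above.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart
    if ($result.RestartNeeded) {
        Write-Host 'Feature enabled. Restart the computer to finish.'
    }
}
```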
May 04 2017 07:20 PM
I wish to know more detail about this feature. Say, will the page in this mode be able to save downloads to a folder? If so, to which folder(s)? And what kind of browser assets (like cookies or favorites) will it have access to (read/write)? Will it block Edge plugins? Or does it also offer all the privacy protection in InPrivate mode?
Such information is useful to evaluate how useful this feature would be to Edge users.
May 06 2017 12:38 AM
This feature is puzzling. Why is it touted for Enterprise users? Are you assuming that Enterprise users are the ones who browse dangerous sites the most? Why then is this feature not enabled by default, and why does it have to be enabled and used this way? Is it hampering browsing in some way, not saving local data, settings, cookies? Then it has a very narrow usage model. Maybe for DoD :D But I'm sure such organizations have other means of blocking their users from browsing non-work related sites. It seems that Home users would benefit from such protection the most (I understand that Hyper-V might not be supported on many home PCs, but we live in the x64 era already). But it is sold as an added value for the Enterprise license, though I don't see much value in it for my organization.
May 06 2017 08:14 AM
While it is not possible currently to download files from the isolated Application Guard container to the host PC, you do have the option of using "Print as PDF" or "Print as XPS" and save those files to the host PC.
In the current build, your Edge profile and settings that include your cookies, favorites, and browsing history only persist for the life of the container. We are working on enabling Edge profiles and data in Application Guard to persist between reboots and user log on sessions. We'll announce that functionality once it's available in the future.
The current version of Edge in Application Guard will not support extensions but we are closely monitoring user feedback on this topic.
Finally, you can use InPrivate mode today in Application Guard. Once you have opened Edge in Application Guard, you will see the menu option to start InPrivate and that will stay in isolation.
Please use feedback hub to share feature suggestions or report any issues. Your feedback or votes on existing feedback will immensely help us to further improve the offering.
May 06 2017 10:37 AM
The Application Guard feature, just like Credential Guard and Device Guard, depends on an underlying feature called Virtual Secure Mode, which depends on Hyper-V and is controlled by Group Policy, and all these features are available on Enterprise Edition only. Virtualization extensions might or might not be present on all underlying hardware, though mostly they are present nowadays.
Hence the reason for this to be available on Enterprise edition only.
May 08 2017 01:12 AM
Jun 02 2017 11:52 AM
Jun 03 2017 02:11 AM
I had Windows 10 Home Edition on my new computer purchased 12/2016 for my new business just started, and this was a computer just to tide me over. It was destroyed this Memorial Day weekend by a hacker who used "the Microsoft's Industry leading Hyper-V virtualization technology" as MX puts it. It was put on my computer (how I don't know, since I read it is incompatible with my edition). But I had at any one time 25 users using my computer as a host. They put a password on my BIOS and UEFI so I could not redo the BIOS or reinstall anything. I found a file and printed a 17 page direction list of how they broke in and everything step by step to compromise and render my computer helpless, eventually after I discovered all of these Hyper-V files. I am not a developer, I'm a soap maker, and it has taken me a long time to track this all down, but when I get developer emails for the Microsoft Insider roll out programs I know that that is where this person is coming from. I am in a program for the disabled to go back to work and destroying that computer has really set me back. Why and how can they install things on your computer if your directions say that you can't, and why is all of this in the hands of hackers! I'm just starting out and the money I spent on that computer is now gone and they have and probably are still stealing our internet, and no one is responsible or can stop them. How can Microsoft keep putting out all of this software to make it so easy for hackers to steal and ruin people's lives and their businesses? Attached is a picture representing what is on the computer in the home office; it too is running a Windows Home edition. Thank you for your time.
Jun 04 2017 04:12 PM
Jun 04 2017 11:06 PM
I think perhaps you misunderstand the intent of the feature. I see it primarily as a sandboxed browser session that effectively runs each page in a VM, therefore eliminating any possibility of attacks affecting the core OS. The features about favorites, history etc. they talk about and say they are being implemented in a later release. As for enabling by default, I am sure this will be a Group Policy preference that organisations can set as they need. Some businesses have VERY critical data that cannot be compromised in any way, so this is a worthwhile feature, and it has been, in my experience, the very high-end employees that are most likely to be fooled by website attacks, spoofing etc., so intelligence, age and wisdom are irrelevant with modern IT attacks :) I do agree it will be a useful add-on to the novice home user, or Grandma, but let's help MS get the feature tested and stable, then perhaps the rest will come.
Jun 13 2017 04:39 PM
Jun 21 2017 10:14 AM
Technology-wise there are similarities and our story is one of better together. In our next release we will protect Microsoft Edge using hardware-based isolation. For those customers that want to do the same for other applications, Bromium can be used in concert.
Aug 29 2017 08:36 AM
It has nothing to do with stability. Local Policy Editor has been there for centuries and Hyper-V for at least a decade.
Aug 29 2017 10:30 AM
No. If you download a Windows Insider build you'll see Hyper-V is in Windows 10 Pro as well.
Nov 18 2017 02:27 AM
I have a question about the Defender Application Guard. Windows 10 Enterprise and Education are the same. I set up a new laptop with all the requirements for the Application Guard with a fresh 1709 and I cannot set up the Application Guard with the educational version. The Windows Feature menu is grey. I cannot select it. I also have an insider VM with the same OS version which I set up under 16xx, and there I can set up the Application Guard but cannot use it because of the requirement. Do I have the chance to use it under the educational version?