Many businesses worldwide have come under increasing threat of targeted attacks, where attackers are crafting specialized attacks against a particular business, attempting to take control of corporate networks and data. For the most security-conscience businesses, we are introducing a new layer of defense-in-depth protection: Windows Defender Application Guard for Windows 10 Enterprise. Application Guard provides unprecedented protection against targeted threats using Microsoft's industry leading Hyper-V virtualization technology. In the upcoming release of Windows, we have built experiences around the Microsoft Edge browser that allow users or organizations to launch Microsoft Edge in a Hyper-V virtualized isolated environment. Windows Insiders will be the first to try out these new experience as we roll them out. Here is a recent RSA talk on Window Defender Application Guard if you'd like to understand this feature in some more detail. Below are some steps you can take to enable these cutting edge experiences on the latest Windows Insider Preview build. How to setup and configure your system for Windows Defender Application Guard Requirements: Windows 10 Enterprise SKU only, Build 16188+ en-us only for the current builds; Full locale support will arrive soon PC must support Hyper-V (some older PCs may not support Hyper-V or have this feature disabled in BIOS) Windows Defender Application Guard is Off by default, it must be enabled manually or by policy You can turn on Windows Defender Application Guard using the Turn Windows features on or off dialog. Select the checkbox as shown below for Windows Defender Application Guard. Click OK and then restart your computer. How to Use Windows Defender Application Guard Open Edge and click on the menu in the top right corner Click on "New Application Guard window" as shown belowWindows Defender Application Guard You will see the following splash screen after which a new instance of Edge will open with Windows Defender Application Guard enabled. The new instance of Edge will open with Windows Defender Application Guard enabled We encourage Windows Insiders to use Windows Defender Application Guard with Microsoft Edge to browse the Web. Your feedback, suggestions, and telemetry will help us to improve this feature. Feedback Hub link: Launch Windows Feedback for Microsoft Edge\Application Guard FAQ Why don't I see my Favorites in the Application Guard Edge session?To keep your Application Guard Edge session secure and isolated from the host PC, favorites from the Application Guard Edge session are not copied back to your host PC. Creating and persisting new Favorites within Application Guard Edge Session is coming in a future build. Why do Cookies and Credentials seem to behave differently in the Application Guard Edge session? Persisting of cookies and site credentials across Application Guard Edge sessions (i.e. host PC reboot or log-on) is coming in a future build. These artifacts will always be isolated from the host PC. Can I copy and paste between the host PC and Application Guard Edge session?Yes, the user can copy/paste Bitmap images/text to and from the Application Guard Edge session. Why don't I see my Extensions in the Application Guard Edge session?The current version of Edge in Application Guard will not support Extensions, we are closely monitoring user feedback on this topic. Can I download documents from the Application Guard Edge session onto my host PC?While it is not possible currently to download files from the isolated Application Guard container to the host PC, you do have the option of using "Print as PDF" or "Print as XPS" and save those files to the host PC. Known Issues In Build 16193 Windows Defender Application Guard will fail to work on touch PC's, showing a solid black window on launch. Non-touch enabled devices should not experience the issue. A temporary workaround if you would like to use WDAG is to go to Device Manager, expand Human Interface Devices and disable the "HID-compliant touch screen" and "Intel Precise Touch Device" if they are present. After a reboot try WDAG again. Re-enable these devices to restore touch.

While it is not possible currently to download files from the isolated Application Guard container to the host PC, you do have the option of using "Print as PDF" or "Print as XPS" and save those files to the host PC. In the current build, your Edge profile and settings that include your cookies, favorites, and browsing history only persist for the life of the container. We are working on enabling Edge profiles and data in Application Guard persist between reboots and user log on sessions. We'll announce that functionality once its available in the future. The current version of Edge in Application Guard will not support extensions but we are closely monitoring user feedback on this topic. Finally, you can use InPrivate mode today in Application Guard. Once you have opened Edge in Application Guard, you will see the menu option to start InPrivate and that will stay in isolation. Please use feedback hub to share feature suggestions or report any issues. Your feedback or votes on existing feedback will immensely help us to further improve the offering.

I wish to know more detail about this feature. Say will the page in this mode be able to save downloads to folder. If so to which folder(s). And what kind of browser assets (like cookies, or favorites) will it have access to (read/write). Will it block Edge plugins? Or does it also offer all the privacy protection in InPrivate mode? Such information is useful to evaluate how useful this feature would be to Edge users.

This feature is puzzling. Why is it touted for Enterpise users? Are you assuming that Enterprise users are the ones who browse dangerous sites the most? Why then this feature is not enabled by default and why it has to be enabled and used this way? Is it hampering browsing in some way, not saving local data, settings, cookies? Then it has a very narrow usage model. Maybe for DoD :D But i'm sure such organizations have other means of blocking their users browsing non-work related sites. It seems that Home users would benefit from such protection the most (i understand that Hyper-V might not be supported on many home PCs, but we live in x64 era already). But it is sold as an added value for Enterprise license, though i don't see much value in it for my organization.

we plan to disable SMB1 by default in an upcoming Windows 10 Feature Update

click the CC/Closed Caption button in YouTube https://www.youtube.com/watch?v=1iH1fRakvQc

Forum Discussion

Yolando Pereira

Microsoft

May 03, 2017

Windows Defender Application Guard Standalone mode

Many businesses worldwide have come under increasing threat of targeted attacks, where attackers are crafting specialized attacks against a particular business, attempting to take control of corporate networks and data. For the most security-conscience businesses, we are introducing a new layer of defense-in-depth protection: Windows Defender Application Guard for Windows 10 Enterprise. Application Guard provides unprecedented protection against targeted threats using Microsoft's industry leading Hyper-V virtualization technology. In the upcoming release of Windows, we have built experiences around the Microsoft Edge browser that allow users or organizations to launch Microsoft Edge in a Hyper-V virtualized isolated environment. Windows Insiders will be the first to try out these new experience as we roll them out. Here is a recent RSA talk on Window Defender Application Guard if you'd like to understand this feature in some more detail. Below are some steps you can take to enable these cutting edge experiences on the latest Windows Insider Preview build.

How to setup and configure your system for Windows Defender Application Guard

Requirements:

Windows 10 Enterprise SKU only, Build 16188+
en-us only for the current builds; Full locale support will arrive soon
PC must support Hyper-V (some older PCs may not support Hyper-V or have this feature disabled in BIOS)
Windows Defender Application Guard is Off by default, it must be enabled manually or by policy

You can turn on Windows Defender Application Guard using the Turn Windows features on or off dialog. Select the checkbox as shown below for Windows Defender Application Guard.

Click OK and then restart your computer.

How to Use Windows Defender Application Guard

Open Edge and click on the menu in the top right corner
Click on "New Application Guard window" as shown below

Windows Defender Application Guard
You will see the following splash screen after which a new instance of Edge will open with Windows Defender Application Guard enabled.
The new instance of Edge will open with Windows Defender Application Guard enabled
We encourage Windows Insiders to use Windows Defender Application Guard with Microsoft Edge to browse the Web. Your feedback, suggestions, and telemetry will help us to improve this feature.

Feedback Hub link: Launch Windows Feedback for Microsoft Edge\Application Guard

FAQ

Why don't I see my Favorites in the Application Guard Edge session?
To keep your Application Guard Edge session secure and isolated from the host PC, favorites from the Application Guard Edge session are not copied back to your host PC. Creating and persisting new Favorites within Application Guard Edge Session is coming in a future build.
Why do Cookies and Credentials seem to behave differently in the Application Guard Edge session?
Persisting of cookies and site credentials across Application Guard Edge sessions (i.e. host PC reboot or log-on) is coming in a future build. These artifacts will always be isolated from the host PC.
Can I copy and paste between the host PC and Application Guard Edge session?
Yes, the user can copy/paste Bitmap images/text to and from the Application Guard Edge session.
Why don't I see my Extensions in the Application Guard Edge session?
The current version of Edge in Application Guard will not support Extensions, we are closely monitoring user feedback on this topic.
Can I download documents from the Application Guard Edge session onto my host PC?While it is not possible currently to download files from the isolated Application Guard container to the host PC, you do have the option of using "Print as PDF" or "Print as XPS" and save those files to the host PC.

Known Issues

In Build 16193 Windows Defender Application Guard will fail to work on touch PC's, showing a solid black window on launch. Non-touch enabled devices should not experience the issue. A temporary workaround if you would like to use WDAG is to go to Device Manager, expand Human Interface Devices and disable the "HID-compliant touch screen" and "Intel Precise Touch Device" if they are present. After a reboot try WDAG again. Re-enable these devices to restore touch.

dipendas1979
Brass Contributor
Sep 25, 2022
I have deployed WDAG in standalone mode but one website always tries to open in AG Window. How do I prevent this website from opening in AG mode.
Alex Melching
Copper Contributor
Jun 03, 2018
Hello,

Has anyone experienced this? Running Windows 10 Enterprise 1803. After enabling Application Guard, regular Edge breaks. Opens then closes. Unable to resolve this issue.

https://techcommunity.microsoft.com/t5/Windows-10-security/Microsoft-Edge-Opens-and-then-Closes-after-enabling-Application/td-p/194106
- Derek Nathan
  Copper Contributor
  Jun 14, 2018
  Same issue for me, I am still researching. Would be good if you indicated if you had a resolution.
  - Alex Melching
    Copper Contributor
    Jun 23, 2018
    Nope. Even worked with Microsoft Support. Could not determine the issue. So I had to refresh again and not enroll the device.
Deleted
Mar 30, 2018
Hello,

Now RS 4 will be released in the near future. WDAG will then be available for Windows Pro. Why I can not use it under Windows 10 EDU which is a branch of Windows Enterprise? I am using 17133 on a Surface device and activated it with Windows PowerShell but there is no new menu in Edge. Hyper-V is activate too.

Would be nice if some official Microsoft employee could answer here is this community.
- Joe Rolando
  Copper Contributor
  Apr 05, 2018
  Same here running rs4 1803 hyper-v enabled WDAG enabled through PowerShell no WDAG option in edge
Deleted
Mar 12, 2018
Build 17115 - I have installed it but it doesn't display the button on EDGE. I noticed that I didn't have hyper v but I installed it and restarted and still no WDAG.

What's wrong ?
Deleted
Nov 18, 2017
Hello,

I have a question about the Defender Application Guard. Windows 10 Enterprise and Eudcation are the same. I setup a new Latop with all the requirements for the Application Guard with a fresh 1709 and I can not setup the Application Guard with the educational version. The Windows Feature menu is grey. I can not select it. I also have an insider VM with the same OS Version which I setup up under 16xx and there I can setup the Application Guard but can not use it because of the requirement. Do I have the chance to use it under the educational version?
Mark Albin
Copper Contributor
Sep 18, 2017
Hmmmmm very interesting feature. Not sure it is any good?
Terence Lim
Microsoft
Jun 21, 2017
Amazing feature! Could you share a little on how this compares with Bromium?
- Chris Hallum
  Microsoft
  Jun 21, 2017
  Technology wise there are similarities and our story is one of better together. In our next release we will protect Microsoft Edge using hardware based isolation. For those customers that want to do the same for other applications Bromium can be used in concert.
Mark Walt
Copper Contributor
Jun 07, 2017
Is there a transcript of the RSA talk available?
- Nathan Mercer
  Steel Contributor
  Jun 13, 2017
  click the CC/Closed Caption button in YouTube https://www.youtube.com/watch?v=1iH1fRakvQc
Darryl Wiltzen
Copper Contributor
Jun 04, 2017
Enterprises users are a high risk of fast spreading malware inside the enterprise, where beg=hine fire walls there are little interuser guards. Standalone user less risk of spreading to others. My IT guys shipped some harsh warnings this week on opening realistic dangerous emails because it could spread rapidly interiorly,
Shon Miles
Copper Contributor
Jun 02, 2017
I know your screenshot could be old, but you still have SMB v1 enabled after Shadow Brokers release, you should disable that.
- Nathan Mercer
  Steel Contributor
  Jun 02, 2017
  we plan to disable SMB1 by default in an upcoming Windows 10 Feature Update
  - Tammy Pierce
    Copper Contributor
    Jun 03, 2017
    I had Windows 10 Home Edition on my new computer purchased 12/2016 for my new business just started and his was a computer just to tie me over. It was destroyed this Memorial Day weekend by a hacker who used "the Microsoft's Industry leading Hyper-V virtualization technology" as MX puts it. It was put on my computer(how I don't know since I read it is incompadible with my edition). But I had at any one time 25 users using my computer as a host.They put a password on my BIOS and UEFI so I could not redo the BIOS or reinstall anything. I found a fill and printed a 17 page direction list of how they broke in and everything step by step to compromise and reder my computer helpless eventually after I dscovered all of these Hyper-V files. I am not a developer, I'm a soap maker, and it has taken me a long time to track this all down, but when I get developer emails for the Microsoft Insider roll out programs I know that that is were this person is coming from. I am in a program for the disabled to go back to work and destroying that computer has really set me back. Why and how can they install thing on your computer if your directions say that you can't and why is all of this in the hands of hackers!I'm just starting our and the money I spent on that computer is now gone and they have and probably are still stealling our internet, and no one is responsible or can stop them. How can Microsoft keep putting out all of this software to make it so easy for hackers to steal and ruin peoples lives and their businesses? attatched is a picture represnting what is on the computer in the home office it to is running a windows home edt Thank you for your time.