- Apr 24, 2016
- 7,284
You don't have to use group policy for enabling keeping data with Edge Application Guard. Settings are available in Windows security:
Windows Defender Application Guard inside Windows Security App | Microsoft Community Hub
Windows Defender Application Guard is designed to prevent attacks on local machines and from expanding malicious activity throughout a corporate...
techcommunity.microsoft.com
Also, it's not recommend storing data in Application Guard
The biggest advantage is that data get cleared after closing session.
The biggest advantage is that data get cleared after closing session.
Amahl Farouk
Level 1
- Jan 11, 2021
- 34
I really like the idea of Edge WDAG, but I have several issues with it that make me doubt it's usefulness outside of an Enterpise managed environment.
The idea of a completely disposable sandbox for more secure browsing is great, however, from what I can tell the sandbox only gets completely flushed on system restart.
Extensions don't persist, so you have to rely group policy to install them at each recreation of the sandbox or just go naked with pretty much the "Strict" security settings on Edge and hope for the best.
Windows 10 Pro users don't have the Managed policy option which would make the separation from secure/insecure environment less tedious...so phishing and other crappy links will still open in your non-WDAG version of Edge by default. You can set some policies up so that when you are in WDAG and navigate to a whitelisted website, it will open in your non-WDAG Edge, but not the reverse...which makes is pretty useless for me.
P.S. Of course, enabling HW acceleration or data persistence opens you up to a whole new level of insecurity so that's a no-go for me. The most painful being software acceleration which makes websites feel sluggish at best.
@Amahl Farouk
WDAG isn't designed for extensions and you can block stuff over DNS anyway.
I also wouldn't shop at WDAG, for that i use my Banking profile in normal Edge.
The most powerful feature is a very secure environment without leaving any traces and a completely stock Edge. That's the reason WDAG is recommend for visit insecure & untrusted sites
WDAG isn't designed for extensions and you can block stuff over DNS anyway.
I also wouldn't shop at WDAG, for that i use my Banking profile in normal Edge.
The most powerful feature is a very secure environment without leaving any traces and a completely stock Edge. That's the reason WDAG is recommend for visit insecure & untrusted sites
- Oct 1, 2019
- 1,120
See GPO documentation link, with allow persistence enabled, you can use WDGA-Edge like a normal profile because all data persists (settings, extensions, etc).
What happens to the different profiles if the browser gets corrupted and cannot open? Won't having different browsers running different uses be better?
Don't put all the eggs in the same basket is safer
Don't put all the eggs in the same basket is safer
Last edited:
Your files are safe as profiles use own subfolders.
Different browsers increase attack surface and maintenance.
Amahl Farouk
Level 1
- Jan 11, 2021
- 34
Yes, but I just want persistence for my extensions, not for user data in general (cache, cookies, etc.) As I said, if I enable this group policy it makes the whole auto-purging sandbox thing useless as malware could persist until I manually flush via powershell.
- Oct 1, 2019
- 1,120
Sandbox is separated from real system in VM including the data on your disk. Edge has an option to auto delete all browsing session data (including cache, cookies, etc).So session data is flushed everytime you close Edge, while your settings and extensions persist over sessions and reboots. Application Guard Window only 'sees' the OS-drive (C in my case). It can't even read from other data partitions (in my case F for office files, M for Media files, R for Reserve (image and office files data backup).Yes, but I just want persistence for my extensions, not for user data in general (cache, cookies, etc.) As I said, if I enable this group policy it makes the whole auto-purging sandbox thing useless as malware could persist until I manually flush via powershell.
Better read the documentation.
Last edited:
- Oct 1, 2019
- 1,120
You are confusing Edge with Firefox. Chromium based browsers (except Opera) have a much lower profile corruption frequency than Firefox
So yes when your primary browser is Firefox or Opera it is better to have a second browser. To be fair a second browser is always more reliable than two profiles at the same browser. Simply because they don't share program code the chance of corrupting them both at the same time is near zero.
Last edited:
It's time for a big update! (the first one this year)
Why?
What's new?
What remains the same?
Result in comparison to Edge's default settings:
Happy browsing
Why?
- easier
- better hiding in the masses - keyword fingerprinting
What's new?
- data is no longer deleted when Edge is terminated
- extensions are no longer used by default. NextDNS is recommend as "blocker"
- fewer changes under "website permissions"
- "flags" are no longer used
- the privacy slider in Edge goes back to default for "Default" & "Banking" - at the same time "Strict" is enforced for InPrivate windows
- the use of encrypted DNS is recommended
- under "Settings - default browser" the option "Allow websites to reload in Internet Explorer mode" is disabled
- under "Privacy, search and services" the option "allow websites to check if you have saved payment methods" is disabled
- under "Profiles - Passwords" the option "show warnings when passwords are found in an online data leak" is enabled
What remains the same?
- block third party cookies in Edge settings
- block payment provider in Edge settings
- DNT header in Edge settings
- in Edge permissions -> JavaScript: enable + add http://* to block list
- in Edge permissions -> Popups and redirection add http://* to block list
- no website navigation error help in Edge settings
- PUP & SmartScreen enabled in Edge settings
Result in comparison to Edge's default settings:
- block payment provider in Edge settings
- block third party cookies in Edge settings
- DNT header in Edge settings
- in Edge permissions -> JavaScript: enable + add http://* to block list
- in Edge permissions -> Popups and redirection add http://* to block list
- NextDNS is recommend as "blocker" in encrypted DNS settings
- no website navigation error help in Edge settings
- PUP & SmartScreen enabled in Edge settings
- "Strict" Tracking protection is enforced for InPrivate windows
- under "Privacy, search and services" the option "allow websites to check if you have saved payment methods" is disabled
- under "Profiles - Passwords" the option "show warnings when passwords are found in an online data leak" is enabled
- under "Settings - default browser" the option "Allow websites to reload in Internet Explorer mode" is disabled
- block third party cookies in Edge settings
- DNT header in Edge settings
- in Edge permissions -> JavaScript: enable + add http://* to block list
- in Edge permissions -> Popups and redirection add http://* to block list
- NextDNS is recommend as "blocker" in encrypted DNS settings
- no website navigation error help in Edge settings
- PUP & SmartScreen enabled in Edge settings
- "Strict" Tracking protection is enforced for InPrivate windows
- under "Privacy, search and services" the option "allow websites to check if you have saved payment methods" is disabled
- under "Profiles - Passwords" the option "show warnings when passwords are found in an online data leak" is enabled
- under "Settings - default browser" the option "Allow websites to reload in Internet Explorer mode" is disabled
- block third party cookies in Edge settings
- DNT header in Edge settings
- in Edge permissions -> JavaScript: enable + add http://* to block list
- in Edge permissions -> Popups and redirection add http://* to block list
- NextDNS is recommend as "blocker" in encrypted DNS settings
- no website navigation error help in Edge settings
- PUP & SmartScreen enabled in Edge settings
- "Strict" Tracking protection is enforced for InPrivate windows
- under "Profiles - Passwords" the option "show warnings when passwords are found in an online data leak" is enabled
- under "Settings - default browser" the option "Allow websites to reload in Internet Explorer mode" is disabled
- DNT header in Edge settings
- in Edge permissions -> JavaScript: enable + add http://* to block list
- in Edge permissions -> Popups and redirection add http://* to block list
- NextDNS is recommend as "blocker" in encrypted DNS settings
- no website navigation error help in Edge settings
- PUP & SmartScreen enabled in Edge settings
- "Strict" Tracking protection is enforced for InPrivate windows
- under "Profiles - Passwords" the option "show warnings when passwords are found in an online data leak" is enabled
- under "Settings - default browser" the option "Allow websites to reload in Internet Explorer mode" is disabled
- block payment provider in Edge settings
- block third party cookies in Edge settings
- DNT header in Edge settings
- no website navigation error help in Edge settings
- PUP & SmartScreen enabled in Edge settings
- Strict Privacy in Edge settings
- under "Privacy, search and services" the option "allow websites to check if you have saved payment methods" is disabled
- under "Settings - default browser" the option "Allow websites to reload in Internet Explorer mode" is disabled
- block third party cookies in Edge settings
- DNT header in Edge settings
- no website navigation error help in Edge settings
- PUP & SmartScreen enabled in Edge settings
- Strict Privacy in Edge settings
- under "Privacy, search and services" the option "allow websites to check if you have saved payment methods" is disabled
- under "Settings - default browser" the option "Allow websites to reload in Internet Explorer mode" is disabled
Happy browsing
Similar threads
- Steve Clarke, Editor
- Microsoft Edge
