Battle Edge Application Guard, who uses it and how do you have it configured?

[Lenny_Fox]

I am curious which Windows 10 Pro and higher owners use Edge Application Guard and what policies you have set.

When NO - please post why

When YES - please post which policies you have enabled.

 

[Lenny_Fox]

I have "Allow data persistence for Microsoft Application Guard" enabled and the clipboard configured to copy TEXT from the host to the isolated environment.

 

[Lenny_Fox]

not much members seem to use it, I am wondering why (because it is such an excellent and easy to setup safe browsing sandbox)

I noticed an awkward similarity between the forum members which seem to use: they either have an animal in their (user) name or in their avatar

 

[WhiteMouse]

I have this option on, everything at default but rarely use it. It might be useful for open office files, not so much for browser.

I noticed an awkward similarity between the forum members which seem to use: they either have an animal in their (user) name or in their avatar

 

[ForgottenSeer 85179]

not much members seem to use it, I am wondering why (because it is such an excellent and easy to setup safe browsing sandbox)

This thread is open for less than one day. This can't be used for any statistic about usage.
Wait at least one week.

I use Application Guard and highly recommend it.
"Enhanced Graphic" is the only setting i use and i wouldn't recommend other's, as they reduce the security and privacy.

 

[Ink]

Windows 10 Pro user, voting No.

Overview for Application Guard.

Microsoft Defender Application Guard - Windows Security

Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.

docs.microsoft.com

It might be useful for open office files, not so much for browser.

The good news, it's available.
The bad news, for Enterprise only.

Application Guard for Office for admins

Get the latest in hardware-based isolation. Prevent current and emerging attacks like exploits or malicious links from disrupting employee productivity and enterprise security.

docs.microsoft.com

 

[ErzCrz]

I've got the Windows 10 Home version so sadly no proper application guard.

Exploit wise, II still use @oldschool 's setup he got from @umbra originally:

Exploit Protection settings for browsers (thanks to @Umbra). These have broken anything yet, e.g. extensions crashing.
- for Brave, Edge and Firefox:

Block low integrity images - ON
Block remote images - ON
Block untrusted fonts - ON
Control flow guard (CFG) - ON
Data execution prevention (DEP) - ON + Enable thunk emulation - CHECKED
Disable extension points - ON
Force randomization for images (Mandatory ASLR) - ON + Do not allow stripped images - CHECKED
Randomize memory allocations (Bottom-up ASLR) - ON
Validate exception chains (SEHOP) - ON
Validate handle usage - ON
Validate heap integrity - ON
Validate image dependency integrity - ON

ADD for Edge Chromium only: Code integrity guard - ON (with or without Also allow images signed by M$ Store CHECKED)
________________________________

Mind you, I've been tinkering with other setups and testing out CIS with Firefox and Thunderbird rather than using everything Microsoft tells me to do. I'd love to see some recommended exploint tweaks done via Hard_configurator.

 

[Lenny_Fox]

Only downside of Edge Application Guard IMO is that it is impossible to start it directly from explorer or with shortcut, I always have to start Edge first and next open an Application Guard window to start the sandboxed browser.