- Jul 26, 2015
Hello to all,
I have been looking in the forum for a guide on Application Guard and have only found bits and pieces of information here and there.
Do I need Windows Defender active?
No - Application Guard is its own feature and resides in the Security Center for easy access. (Unmanaged Mode only!)
So what is this about?
To have a guide that can be used by all (Administrators and Users alike).
What is Application Guard?
It is essentially a virtual environment for the Edge/Edge Chromium browser for "untrusted" websites, from which malicious code "should" not be able to escape! I write "should" because nothing is perfect.
Additionally: by default Application Guard deletes its instance at sign-out / restart / shutdown of the system!
This applies in both Managed and Unmanaged Mode, unless it has been set up for data persistence:
Security Center -> App & browser control -> Isolated browsing -> "Save data"
OR [Group Policy]
Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Application Guard
Allow data persistence for Windows Defender Application Guard = Enabled
Come on, how do I set it up?
First a few prerequisites need to be fulfilled:
64-bit CPU
CPU virtualization: VT-x (Intel) or AMD-V [the feature needs to be ENABLED in the BIOS]
Minimum of 8 GB RAM
5 GB of free disk space (SSD recommended)
Windows 10 Pro 1803 or higher / Windows 10 Ent. 1709 or higher
For the Administrators - something to manage with:
Microsoft Intune
OR
Microsoft Endpoint Configuration Manager
OR
Group Policy (Domain)
OR
3rd-party MDM solutions
OR
Local Group Policy (for Admin. or User alike): gpedit.msc -> Group Policy Manager
If that is all out of the way, can we start now?
"YES you can" - on a current Windows 10 1909 build (you can find that out by pressing the "Start" logo and typing "winver").
Then go to:
Control Panel (appwiz.cpl)
Select on the left side -> "Turn Windows features on or off" -> and -> set a check-mark on "Windows Defender Application Guard"
For the Admin. or Advanced User there is a PowerShell command:
Code:
Restart the computer
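As an added example (not from the original post), the prerequisite checks and the feature activation from the steps above in PowerShell. `Get-WindowsOptionalFeature` and `Enable-WindowsOptionalFeature` are the stock Windows cmdlets behind the "Turn Windows features on or off" check-box; the function names are my own, and the thresholds are the post's numbers.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell prompt.
# Reported memory is allowed a small margin because firmware reserves part of the installed RAM.
function Test-WdagPrerequisites {
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cv  = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $sys = Get-PSDrive -Name ($env:SystemDrive -replace ':', '')

    # Minimum release depends on the edition: Pro 1803+, Enterprise 1709+ (others unsupported here)
    $minRelease = switch -Regex ($cv.EditionID) {
        '^Enterprise'   { 1709 }
        '^Professional' { 1803 }
        default         { [int]::MaxValue }
    }
    $ramGB  = $cs.TotalPhysicalMemory / 1GB
    $freeGB = $sys.Free / 1GB

    [pscustomobject]@{
        Is64Bit          = $os.OSArchitecture -like '64*'
        # The firmware flag reads False once a hypervisor already owns VT-x/AMD-V, so accept either
        VirtualizationOn = ([bool]$cpu.VirtualizationFirmwareEnabled) -or ([bool]$cs.HypervisorPresent)
        RamGB            = [math]::Round($ramGB, 1)
        RamOk            = $ramGB -ge 7.5
        FreeGB           = [math]::Round($freeGB, 1)
        FreeOk           = $freeGB -ge 5
        Edition          = $cv.EditionID
        Release          = $cv.ReleaseId          # the version winver shows, e.g. 1909
        EditionReleaseOk = [int]$cv.ReleaseId -ge $minRelease
    }
}

function Enable-Wdag {
    # Same optional feature as the "Windows Defender Application Guard" check-box in the post
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    if ($feature.State -eq 'Enabled') { return 'Already enabled' }
    $result = Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    if ($result.RestartNeeded) { 'Enabled - restart the computer to finish' } else { 'Enabled' }
}

$check = Test-WdagPrerequisites
$check | Format-List
if ($check.Is64Bit -and $check.VirtualizationOn -and $check.RamOk -and $check.FreeOk -and $check.EditionReleaseOk) {
    Enable-Wdag
} else {
    'Prerequisites not met - see the checks above'
}
```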
Are we done now?
YES and NO... What we still need to decide is how we want to use Application Guard, and that can be tricky depending on whether you want to automate things and whether other browsers need that extra protection.
Let's get the easy stuff out of the way:
Windows Defender Application Guard Companion [to manage the virtual environment and send applications to Application Guard] - UWP app (Microsoft Store), free -> Get Windows Defender Application Guard Companion - Microsoft Store
Windows Defender Application Guard Extension -> for Chromium-based browsers and for the Mozilla Firefox browser
[INFORMATION] If Application Guard runs in MANAGED Mode, none of the above is needed! (Tested on Microsoft Edge Chromium Stable/Dev builds)
Now, if nothing else is needed, we are almost done -> settings for Application Guard can be found in the Security Center (shield logo in the tray) -> App and browser control -> Isolated browsing
And you are done!
Administrators and Power Users
If you need more control and want to automate/manage Application Guard, there is a lot more to do and it is Group Policy oriented. (WARNING - I do not go through all settings, but the essential ones are covered!)
Let's get started:
Important paths for Application Guard features and functions in Group Policy.
First, Application Guard needs to be switched to Managed Mode; only then does Group Policy take effect!
Path:
Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Application Guard
This is done by setting -> Turn on Windows Defender Application Guard in Managed Mode = Enabled
The other settings here are more a matter of preference for how Application Guard instances are handled by the system; what each one does is easy to understand.
Path:
Computer Configuration -> Administrative Templates -> Network -> Network Isolation
OK, OK, the syntax for domains has different meanings; what does that mean?
example.net -> trust only that literal host
www.example.net -> trust only that literal host
.example.net -> trust one label before the dot: example.net, mail.example.net, portal.example.net and www.example.net
..example.net -> trust all levels, however deep (double dot): example.net, mail.example.net, de.mail.example.net and www.de.mail.example.net
Now the slightly tricky part: what is trusted and what is needed?
Enterprise resource domains hosted in the cloud is the equivalent of the Internet Explorer "Trusted" security zone. For example, I work a lot with Microsoft products like Azure and Office; the syntax for that list is pipe ("|") separated -> .microsoft.com|.office.com|.example.net
The other one is Domains categorized as both work and personal, for sites that do not need an Application Guard instance. The domain syntax stays the same, but the entries are comma (",") separated -> .malwaretips.com,.example.net,..moreexample.net,www.news.com
Everything else that is not in those lists, even transfer domains, gets an Application Guard instance!
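As an added example (not from the original post), the matching rules from the table above applied to the two lists, so you can see beforehand which hosts open outside Application Guard and which fall through and get an instance. `Test-DomainRule` and `Get-WdagDecision` are names of my own; the sample lists are the two from the post.

```powershell
# Added example, not from the original post: the dot rules as the table above describes them.
function Test-DomainRule {
    param([string]$Rule, [string]$HostName)
    $pattern = $Rule.ToLowerInvariant(); $h = $HostName.ToLowerInvariant()
    if ($pattern.StartsWith('..')) {
        # ..example.net: the domain itself and any number of labels to the left
        $base = $pattern.Substring(2)
        return (($h -eq $base) -or $h.EndsWith(".$base"))
    }
    if ($pattern.StartsWith('.')) {
        # .example.net: the domain itself and exactly one label to the left
        $base = $pattern.Substring(1)
        if ($h -eq $base) { return $true }
        if (-not $h.EndsWith(".$base")) { return $false }
        $left = $h.Substring(0, $h.Length - $base.Length - 1)
        return (-not $left.Contains('.'))
    }
    return ($h -eq $pattern)   # no leading dot: literal match only
}

function Get-WdagDecision {
    param([string]$Url, [string]$CloudResources, [string]$NeutralResources)
    $h = ([uri]$Url).Host
    # Enterprise cloud resources are pipe-separated, neutral resources comma-separated
    foreach ($r in ($CloudResources -split '\|')) {
        if ($r -and (Test-DomainRule -Rule $r -HostName $h)) { return 'trusted cloud resource - no Application Guard' }
    }
    foreach ($r in ($NeutralResources -split ',')) {
        if ($r -and (Test-DomainRule -Rule $r -HostName $h)) { return 'neutral resource - no Application Guard' }
    }
    return 'not listed - opens in Application Guard'
}

# Constructed sample lists, copied from the two examples in the post
$cloud   = '.microsoft.com|.office.com|.example.net'
$neutral = '.malwaretips.com,.example.net,..moreexample.net,www.news.com'
$urls = @(
    'https://portal.office.com/', 'https://mail.example.net/', 'https://de.mail.example.net/',
    'https://a.b.moreexample.net/', 'https://news.com/', 'https://malwaretips.com/forums/'
)
foreach ($u in $urls) {
    '{0,-24} {1}' -f ([uri]$u).Host, (Get-WdagDecision -Url $u -CloudResources $cloud -NeutralResources $neutral)
}
```

Note that de.mail.example.net is not covered by `.example.net` in either list and news.com is not covered by the literal `www.news.com`, so both open in Application Guard; that is the case to check when a site unexpectedly launches isolated.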
Then there is the troubleshooting phase; the best tool for that, I think, is Fiddler -> Fiddler - Free Web Debugging Proxy - Telerik
I did a lot of research and consolidated the information to have it all in one place for everyone. Feedback and criticism are gladly appreciated.
Sources List:
Microsoft -> Windows Defender Application Guard
Microsoft -> System requirements
Microsoft -> Install Windows Defender Application Guard
Microsoft -> Configure Windows Defender Application Guard policies
Microsoft -> Test scenarios
Microsoft -> Windows Defender Application Guard FAQ
Sincerely
Val.