valvaris

Level 3
Verified
Hello to all,

I have been looking in the Forum for a Guide on Application Guard and have only found bits and pieces of information here and there.

Do I need Windows Defender Active?
No - Application Guard is its own feature and resides in the Security Center for easy access. (Un-managed Mode only!)

So what is this about?
To have a guide that can be used for all (Administrators and Users alike)

What is Application Guard?
It is normally a Virtual Environment for the Edge/Edge Chromium Browser for "un-trusted" Websites, where malicious code "should" not be able to escape! I write "should" because nothing is perfect. ;)

Additionally: By default Application Guard deletes its Instance at Sign-Out / Restart / Shutdown of the System!
In Managed and Unmanaged Mode, unless it has been set up for data persistence:

Security Center -> App & browser control -> Isolated Browsing -> "Save Data"
OR [Group Policy]
Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Application Guard
Allow data persistence for Windows Defender Application Guard "Enabled"

C'mon, how do I set it up?
First a few prerequisites need to be fulfilled:

64bit CPU
CPU Virtualization VT-x (Intel) or AMD-V [Feature needs to be ENABLED in BIOS]
Minimum of 8 GB RAM
5 GB of free space (SSD Recommended)
Windows 10 Pro 1803 or higher / Windows 10 Ent. 1709 or higher

For the Administrators - Something to Manage:
Microsoft Intune
OR
Microsoft Endpoint Configuration Manager
OR
Group Policy (Domain)
OR
3rd Party MDM Solutions
OR
Local Group Policy (For Admin. or User alike) gpedit.msc -> Group Policy Manager

If that is all out of the way can we start now?
"YES you can" - On a current Windows 10 1909 Build (you can find that out when you type in "winver" after you press the "Start" logo).
Then Go to:

Control Panel (appwiz.cpl)
Select at the left side -> "Turn Windows features on or off" -> and -> Set a check-mark on "Windows Defender Application Guard"
For the Admin. or Advanced User there is a PowerShell Command:
Code:
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
Restart Computer

Are we done now?
YES and NO... What we still need to decide is how we want to use Application Guard, and that can be tricky depending on whether you want to automate things and whether other Browsers need that extra protection.

Let's get the Easy stuff out of the way:
Windows Defender Application Guard Companion [To manage the Virtual Environment and send applications to Application Guard] - UWP App (Microsoft Store) Free -> Get Windows Defender Application Guard Companion - Microsoft Store
Windows Defender Application Guard Extension -> Chromium Based Browsers <- -> Mozilla Firefox Browser

[INFORMATION]
If Application Guard runs in MANAGED Mode - None of the above is needed! (Tested on Microsoft Edge Chromium Stable/Dev. builds)

Now if nothing else is needed we are almost done -> Settings for the Application Guard can be found at the Security Center (Shield Logo at Tray) -> App and Browser Control -> Isolated browsing - ^^

And you are done! :D

Administrators and Power Users
If you need more control and want to automate/manage Application Guard there is a lot more to do and it is Group Policy oriented. (WARNING - I do not go through all settings but the essential ones are covered!)

Let's get started:
Important Paths for Application Guard Features and Functions in Group Policy.


First, Application Guard needs to be switched to Managed Mode so that Group Policy takes effect!
Path:
Code:
Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Application Guard
[Image: app1.png]


This can be done by setting -> Turn on Windows Defender Application Guard in Managed Mode = Enabled
Other settings here are more of a preference on how Application Guard instances are handled by the system. It is very easy to understand what every function does!

Code:
Computer Configuration -> Administrative Templates -> Network -> Network Isolation
[Image: app2.png]


OK, OK, the syntax for domains has different meanings; what does that mean?
example.net -> Just trust that literally
www.example.net -> Just trust that literally
.example.net -> Trust everything one level before the DOT of example.net: example.net, mail.example.net, portal.example.net and www.example.net
..example.net -> Trust all levels even deeper (double DOT): example.net, mail.example.net, de.mail.example.net and www.de.mail.example.net

Now the little tricky part what is trusted and what is needed?
"Enterprise resource domain hosted in the cloud" is equal to the Internet Explorer "Trusted" Security Zone. For example: I work a lot with Microsoft products like Azure and Office, but the syntax for that uses a "pipe" "|" -> .microsoft.com|.office.com|.example.net

The other one is "Domains categorized as both work and personal", which do not need an Application Guard Instance. The Domain Syntax remains the same, but the entries are comma separated "," -> .malwaretips.com,.example.net,..moreexample.net,www.news.com

Everything else that is not in those lists, even transfer Domains, gets an Application Guard Instance!

Then there is the troubleshooting phase; the best tool for that, I think, is Fiddler -> Fiddler - Free Web Debugging Proxy - Telerik

I did a lot of research and consolidated the information to have it all in one place for everyone. Feedback and Criticism are gladly appreciated. :D

Sources List:
Microsoft -> Windows Defender Application Guard
Microsoft -> System requirements
Microsoft -> Install Windows Defender Application Guard
Microsoft -> Configure Windows Defender Application Guard policies
Microsoft -> Test scenarios
Microsoft -> Windows Defender Application Guard FAQ

Sincerely
Val.
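As an added example (not part of the guide above), the prerequisite list and the "Are we done now?" step can be turned into one script: it checks the guide's requirements (64-bit, virtualization enabled in firmware, 8 GB RAM, 5 GB free, Pro/Enterprise) and only then runs the guide's Enable-WindowsOptionalFeature command. The thresholds are the guide's own numbers; the cmdlets and Get-ComputerInfo property names are standard Windows 10 PowerShell, and the script assumes an elevated prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: pre-flight check for the
# prerequisites the guide lists, followed by the guide's enable command.
# Assumptions: elevated PowerShell on Windows 10; the 8 GB / 5 GB /
# Pro-or-Enterprise thresholds are the guide's own numbers.

function Test-WdagPrerequisites {
    param(
        [int]$MinimumRamGB  = 8,   # guide: minimum of 8 GB RAM
        [int]$MinimumFreeGB = 5    # guide: 5 GB of free space
    )

    $info   = Get-ComputerInfo
    $sysDrv = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
    $ramGB  = [math]::Round($info.CsTotalPhysicalMemory / 1GB, 1)
    $freeGB = [math]::Round($sysDrv.Free / 1GB, 1)

    # Firmware (BIOS/UEFI) virtualization flag. Windows reports it as $null once a
    # hypervisor is already running, so $null is treated as "already satisfied".
    $fw   = $info.HyperVRequirementVirtualizationFirmwareEnabled
    $fwOk = ($null -eq $fw) -or [bool]$fw

    $edition = "$($info.WindowsProductName), release $($info.WindowsVersion)"
    $checks = [ordered]@{
        '64-bit OS'                                          = ($info.OsArchitecture -eq '64-bit')
        'Virtualization (VT-x/AMD-V) enabled in firmware'    = $fwOk
        "RAM >= $MinimumRamGB GB (found $ramGB GB)"          = ($ramGB -ge $MinimumRamGB)
        "Free space >= $MinimumFreeGB GB (found $freeGB GB)" = ($freeGB -ge $MinimumFreeGB)
        "Windows 10 Pro or Enterprise ($edition)"            = ($info.WindowsProductName -match 'Pro|Enterprise')
    }

    foreach ($name in $checks.Keys) {
        $mark = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ('[{0}] {1}' -f $mark, $name)
    }

    # $true only when every check passed
    return -not ($checks.Values -contains $false)
}

function Enable-Wdag {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    if ($feature.State -eq 'Enabled') {
        Write-Host 'Windows Defender Application Guard is already enabled.'
        return $false
    }
    # Same command as in the guide; -NoRestart leaves the reboot (the guide's
    # last step) to the operator instead of restarting immediately.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    if ($result.RestartNeeded) {
        Write-Warning 'Restart the computer to finish enabling Application Guard.'
    }
    return $true
}

if (Test-WdagPrerequisites) {
    Enable-Wdag
} else {
    Write-Warning 'Fix the FAILed prerequisites (e.g. enable VT-x/AMD-V in BIOS) before enabling Application Guard.'
}
```

The firmware check is the one most often missed: a CPU that supports VT-x/AMD-V still fails it when the option is disabled in BIOS, and the script then stops before touching the feature.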
 


valvaris

Level 3
Verified
But to use it I just need to open a "New Application Guard Window" right? If so, then man! This feature utilizes a lot of memory.
That is true! It runs a Virtual Machine in the background. ;)
But if the PC System fits the minimum requirements it should not be noticeable...

I do not set my system as an example because not everyone has such hardware to use, and in a corp. environment I notice that ppl start to go with 8-16GB of memory with current gen processors. The transition is slow, but if ppl or corp. do not want to spend money it is an alternative that is built in and free to use. :D

That is the reason why this Guide came to be. To show how it could be implemented at home or in a corp. environment.

Sincerely
Val.
 

valvaris

Level 3
Verified
So if you are not using WD and/or Edge/Edge Chromium browser then Application Guard is of no use, right?

Thanks
Wrong, there is also a Firefox Extension, and Application Guard is a separate feature (Not WD Dependent); it just lurks in the Security Center. Another point: make sure the Application Guard Companion app is installed.

Windows Defender Application Guard Extension -> Chromium Based Browsers <- -> Mozilla Firefox Browser
OR
View Guide -> Are we done now?

Best regards
Val.
 

Freki123

Level 7
Verified
You may laugh, but maybe stress the point that "CPU Virtualization VT-x (Intel) or AMD-V" has to be activated in the BIOS, and not only that the CPU is able to do it. When I first installed Windows 10 I totally overlooked the AMD setting, which had a cryptic name in my BIOS like nvm or svm or so.
Thanks for the nice guide :)
 

HarborFront

Level 53
Verified
Content Creator
Wrong, there is also a Firefox Extension, and Application Guard is a separate feature (Not WD Dependent); it just lurks in the Security Center. Another point: make sure the Application Guard Companion app is installed.


OR
View Guide -> Are we done now?

Best regards
Val.
So without using the Edge/Edge Chromium browser, is Application Guard still useful? And if Application Guard is not in use, then what's the point in having its extension?
 

valvaris

Level 3
Verified
Not really, depends what you mean right now?!

If you use Firefox get the Application Guard Extension for that.

If you have a Chromium based Browser get the Application Guard Extension for that.

It is in the Guide m8 ^^
 

HarborFront

Level 53
Verified
Content Creator
Not really, depends what you mean right now?!

If you use Firefox get the Application Guard Extension for that.

If you have a Chromium based Browser get the Application Guard Extension for that.

It is in the Guide m8 ^^
According to the article and comments below, WDAG doesn't look great for home users.

 

valvaris

Level 3
Verified
According to the article and comments below, WDAG doesn't look great for home users.

Not to sound like a fanboy, but that article is from March 2019. Like "Rick" from Rick & Morty says: Don't be sheep! Form your own opinion and try it out. Maybe it is something you like, maybe not ^^ But the effect is still the same: more knowledge and experience. :D

Sincerely
Val.
 

HarborFront

Level 53
Verified
Content Creator
Not to sound like a fanboy, but that article is from March 2019. Like "Rick" from Rick & Morty says: Don't be sheep! Form your own opinion and try it out. Maybe it is something you like, maybe not ^^ But the effect is still the same: more knowledge and experience. :D

Sincerely
Val.
BTW, is this included in @Andy Ful's Hard Configurator to harden Windows Security? Unlikely to use WDAG anyway.
 

valvaris

Level 3
Verified
On that part I would suggest going to @Andy Ful's Topic about Hard_Configurator


Or the Official Homepage


Best regards
Val.
 

valvaris

Level 3
Verified
Hello @SumTingWong
How is Application Guard obsolete?
From my understanding it is even more robust than a container, since the Application Guard instance cannot make any system calls, plus it has the added advantage with Office products that unknown URLs and docs are forwarded to Application Guard (Managed Mode only). Even more... view the Application Guard docs at Microsoft.
Best regards
Val.
 

Tiamati

Level 8
Verified
Administrators and Power Users
If you need more control and want to automate/manage Application Guard there is a lot more to do and it is Group Policy oriented. (WARNING - I do not go through all settings but the essential ones are covered!)
The purpose of this section (and beyond) would be to automate the use of ApG on every site except for the ones listed? I didn't fully understand that part.
 

valvaris

Level 3
Verified
The purpose of this section (and beyond) would be to automate the use of ApG in every site except for the ones listed? I didn't fully understand that part
Yes that is correct!

Sites defined under those lists -> [GUIDE] Point -> Now the little tricky part what is trusted and what is needed?

What I mean to say is that what is "not" set gets an Application Guard instance. ;)

Best regards
Val.
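As an added example (not from the guide or from this reply), the domain syntax rules from the guide's "Now the little tricky part" section and the point made here ("what is not set gets an Application Guard instance") can be checked with a small script before a list is rolled out. It uses the guide's two sample lists verbatim and constructed hostnames; the matching rules are implemented exactly as the guide describes them (no dot = literal, one dot = one extra label, two dots = any depth), which is the post's reading of the syntax and not Microsoft's own code. The assumption that the cloud-resource list is consulted before the neutral list is mine; both keep a site in the host browser, so the order only changes the label shown.

```powershell
# Added example, not from the original posts: classify hostnames against the two
# Network Isolation lists from the guide, using the matching rules as the guide
# explains them. Verify real behaviour with Fiddler (as the guide suggests).

function Test-DomainRule {
    param([string]$HostName, [string]$Rule)
    $h = $HostName.Trim().ToLowerInvariant()
    $r = $Rule.Trim().ToLowerInvariant()

    if ($r.StartsWith('..')) {
        # "..example.net": example.net itself and subdomains at any depth
        $base = $r.Substring(2)
        return (($h -eq $base) -or $h.EndsWith(".$base"))
    }
    if ($r.StartsWith('.')) {
        # ".example.net": example.net itself or exactly one label in front of it
        $base = $r.Substring(1)
        if ($h -eq $base) { return $true }
        if (-not $h.EndsWith(".$base")) { return $false }
        $label = $h.Substring(0, $h.Length - $base.Length - 1)
        return (($label.Length -gt 0) -and (-not $label.Contains('.')))
    }
    # No leading dot: trust that host literally, nothing else
    return ($h -eq $r)
}

function Get-WdagDisposition {
    param(
        [string]$HostName,
        [string]$EnterpriseCloudResources,   # pipe-separated, IE "Trusted" zone
        [string]$NeutralResources            # comma-separated, work and personal
    )
    # Assumption (mine): enterprise list first. Both lists keep the site in the
    # host browser, so the order only affects the label reported here.
    foreach ($rule in ($EnterpriseCloudResources -split '\|')) {
        if ($rule -and (Test-DomainRule -HostName $HostName -Rule $rule)) {
            return 'Trusted (host browser)'
        }
    }
    foreach ($rule in ($NeutralResources -split ',')) {
        if ($rule -and (Test-DomainRule -HostName $HostName -Rule $rule)) {
            return 'Neutral (host browser)'
        }
    }
    # Not on either list: per the guide this gets an Application Guard instance
    return 'Isolated (Application Guard instance)'
}

# The two lists exactly as written in the guide
$cloud   = '.microsoft.com|.office.com|.example.net'
$neutral = '.malwaretips.com,.example.net,..moreexample.net,www.news.com'

# Constructed sample hostnames chosen to exercise each rule form
$samples = 'www.microsoft.com', 'portal.example.net', 'de.mail.moreexample.net',
           'www.news.com', 'news.com', 'de.mail.example.net', 'unknown-site.example.org'

foreach ($s in $samples) {
    '{0,-26} -> {1}' -f $s, (Get-WdagDisposition -HostName $s -EnterpriseCloudResources $cloud -NeutralResources $neutral)
}
```

The two instructive rows are news.com (a literal www.news.com entry does not cover the bare domain) and de.mail.example.net (a single-dot .example.net covers mail.example.net but not a second level), both of which end up isolated; switching such an entry to the double-dot form is what moves them back to the host browser.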
 