[Guide] - Windows 10 Application Guard Setup and Configuration


ForgottenSeer 823865

When I click New Application Guard window, nothing happens. Anyone got any ideas?


Exploit Protection
Because of reported compatibility issues with the Exploit Protection settings that we began incorporating with the Windows 10 v1709 baselines, we have elected to remove the settings from the baseline and to provide a script for removing the settings from machines that have had those settings applied. (See Remove-EPBaselineSettings.ps1 in the download package’s Scripts folder.)
 

Shiz

Level 2
Verified
Nov 16, 2018
53
Umbra, I tried running that script but I get an error: "Cannot invoke method. Method invocation is supported only on core types in this language mode." I looked at the XML file it's pulling and manually removed those exploit rules, but I'm still having those issues. I don't get why this doesn't work. I can open Windows Sandbox fine, if that helps.
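The error in the post above is PowerShell's Constrained Language Mode refusing a .NET method call. Windows puts every session into that mode when a WDAC (Device Guard) user-mode code-integrity policy or an enforced AppLocker Script rule collection applies to PowerShell, or when the __PSLockdownPolicy system environment variable is set to 4; in that mode a script may only call methods on a short allow-list of core types, which is what Remove-EPBaselineSettings.ps1 trips over, and upgrading Windows does not change it. The following PowerShell is an added example, not code from the thread or from Microsoft's baseline package; it reports the current mode and which of those three sources is enforcing it. It uses only cmdlets and core-type operations, so it runs inside Constrained Language itself; the numeric meanings of the Win32_DeviceGuard values are the documented ones for that WMI class.

```powershell
# Added example, not from the thread or from Microsoft's baseline package.
# "Method invocation is supported only on core types in this language mode" is
# PowerShell Constrained Language Mode refusing a .NET method call. Three things
# put a session into that mode: a WDAC / Device Guard user-mode code-integrity
# policy, an enforced AppLocker Script rule collection, or the __PSLockdownPolicy
# system environment variable (value 4). This reports which one applies. It uses
# only cmdlets and core-type operations, so it runs inside Constrained Language.

function Get-PSLanguageModeReport {
    $mode = $ExecutionContext.SessionState.LanguageMode
    $report = [ordered]@{
        LanguageMode       = $mode
        MethodCallsAllowed = ($mode -eq 'FullLanguage')
    }

    # __PSLockdownPolicy is read at process start; check the machine scope in the
    # registry too, because a value set after this session began hits the next one.
    $envKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'
    $report.LockdownPolicy_ThisProcess = $env:__PSLockdownPolicy
    $report.LockdownPolicy_Machine     = (Get-ItemProperty -Path $envKey -ErrorAction SilentlyContinue).__PSLockdownPolicy

    # WDAC user-mode code integrity: 0 = off, 1 = audit, 2 = enforced (documented values).
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    if ($dg) {
        $umci = [int]$dg.UsermodeCodeIntegrityPolicyEnforcementStatus
        $report.WDAC_UserModeCodeIntegrity = @{0 = 'Off'; 1 = 'Audit'; 2 = 'Enforced'}[$umci]
    }

    # AppLocker: only an enforced Script collection forces Constrained Language.
    $policy = Get-AppLockerPolicy -Effective -ErrorAction SilentlyContinue
    if ($policy) {
        $scriptRules = $policy.RuleCollections | Where-Object { $_.RuleCollectionType -eq 'Script' }
        $report.AppLockerScriptRules = if ($scriptRules) { "$($scriptRules.EnforcementMode)" } else { 'NotConfigured' }
    }

    $report.Verdict = if ($mode -eq 'FullLanguage') {
        'Full language: the baseline-removal script can run in this session.'
    } else {
        'Constrained: re-running the script here fails the same way. Run it as a script the policy trusts, or relax the policy.'
    }
    [pscustomobject]$report
}

Get-PSLanguageModeReport | Format-List
```

Run it in the same console where the baseline script failed; if LanguageMode is ConstrainedLanguage, the other fields show whether it is WDAC, AppLocker or the lockdown variable that needs attention.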
 

ForgottenSeer 823865

Exploit Protection, like many built-in security features, is non-user-friendly at best, or half-baked at worst. One must be really adept to figure out all the intricacies.
If you have average skills and knowledge, you had better go with a 3rd-party tool like HMPA.
 

polishpatriot

Level 2
Feb 4, 2020
86
Umbra, I tried running that script but I get an error: "Cannot invoke method. Method invocation is supported only on core types in this language mode." I looked at the XML file it's pulling and manually removed those exploit rules, but I'm still having those issues. I don't get why this doesn't work. I can open Windows Sandbox fine, if that helps.

Just upgrade Windows 10 to 1909 and the rules will be taken care of for you by Microsoft.
 

polishpatriot

Level 2
Feb 4, 2020
86
If you plan on using VMware or VirtualBox, then you cannot simultaneously use WDAC.

None of us can figure out what Microsoft was thinking when it developed WDAC, the sandbox and core isolation when most of the IT working world uses a non-Windows virtualization product on their systems.
 

Shiz

Level 2
Verified
Nov 16, 2018
53
VMware has a technical release of their Hyper-V based version.
 

polishpatriot

Level 2
Feb 4, 2020
86
It should not be VMware's responsibility to accommodate Microsoft.

Besides, most people don't want to use Hyper-V. It is notorious for not working properly on older hardware, whereas VMware and VBox work just fine.
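The conflict the posts above describe is with the Hyper-V hypervisor rather than with WDAC as such: Application Guard, Windows Sandbox and core isolation (VBS/HVCI) all require the Windows hypervisor to load at boot, and once it owns the CPU's virtualization extensions a classic type 2 product such as VMware Workstation or VirtualBox cannot use them directly, unless it is a build that runs on top of the Windows Hypervisor Platform. The PowerShell below is an added example, not something from the thread; run it elevated and it reports which of those features are enabled, whether VBS is actually running, and the BCD hypervisorlaunchtype setting that decides whether the hypervisor loads. The documented workaround is to set that to off, which also switches off every Hyper-V-based feature until it is set back to auto. The optional-feature names are the DISM names; the Win32_DeviceGuard status codes are the documented ones for that class.

```powershell
# Added example, not from the thread: report why VMware/VirtualBox and the
# Hyper-V based features (Application Guard, Sandbox, core isolation) fight.
# All of them need the Windows hypervisor loaded at boot; a type 2 hypervisor
# then cannot get VT-x/AMD-V unless it runs on Windows Hypervisor Platform.
# Run from an elevated PowerShell (DISM queries and bcdedit need it).

function Get-HypervisorCoexistenceReport {
    # DISM optional-feature names.
    $featureNames = @(
        'Microsoft-Hyper-V-All',              # Hyper-V platform and tools
        'Windows-Defender-ApplicationGuard',  # Application Guard
        'Containers-DisposableClientVM',      # Windows Sandbox
        'HypervisorPlatform'                  # Windows Hypervisor Platform (what Hyper-V-aware VMware/VirtualBox builds use)
    )
    $features = foreach ($name in $featureNames) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction SilentlyContinue
        [pscustomobject]@{ Feature = $name; State = if ($f) { "$($f.State)" } else { 'NotPresent' } }
    }

    # VBS status from Win32_DeviceGuard: 0 = off, 1 = configured but not running, 2 = running.
    $dg  = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $vbs = @{0 = 'Off'; 1 = 'EnabledNotRunning'; 2 = 'Running'}[[int]$dg.VirtualizationBasedSecurityStatus]

    # hypervisorlaunchtype in the BCD decides whether Hyper-V loads at boot:
    # Auto = load when any Hyper-V/VBS feature is on, Off = never (breaks WDAG,
    # Sandbox and VBS, but lets older VMware/VirtualBox use VT-x/AMD-V directly).
    $bcd   = bcdedit /enum '{current}' 2>$null
    $match = $bcd | Select-String -Pattern '^hypervisorlaunchtype\s+(\S+)' | Select-Object -First 1
    $launch = if ($match) { $match.Matches[0].Groups[1].Value } else { 'Auto (default, not set explicitly)' }

    [pscustomobject]@{
        Features                    = $features
        VirtualizationBasedSecurity = $vbs
        HypervisorLaunchType        = $launch
        # The two settings you toggle; each needs a reboot to take effect.
        DisableHypervisorCommand    = 'bcdedit /set hypervisorlaunchtype off'
        RestoreHypervisorCommand    = 'bcdedit /set hypervisorlaunchtype auto'
    }
}

$r = Get-HypervisorCoexistenceReport
$r.Features | Format-Table -AutoSize
$r | Select-Object VirtualizationBasedSecurity, HypervisorLaunchType, DisableHypervisorCommand, RestoreHypervisorCommand | Format-List
```

If VirtualizationBasedSecurity reads Running and HypervisorLaunchType is Auto, a VMware or VirtualBox build that does not use Windows Hypervisor Platform will refuse to start VMs; flipping hypervisorlaunchtype to off fixes that at the cost of Application Guard, Sandbox and core isolation until you set it back.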
 

valvaris

Level 6
Thread author
Verified
Well-known
Jul 26, 2015
263
Hello @Shiz

I have to confirm what @polishpatriot says: never mix and match Hyper-V with VMware. Those two simply hate each other at the same translation level of the OS. Both are Type 2 hypervisors; even Application Guard has Hyper-V at heart, so it uses a Type 2 hypervisor.

Here a link that explains the technical part from it: What Is A Hypervisor? Types Of Hypervisors 1 & 2

--------------- Quality of Life -----------
Even I, who use Application Guard in Managed Mode, sometimes want to reset the container!

But how?

I created a shortcut on my desktop with the following command in it -> wdagtool.exe cleanup <- If you use a Persistent Layer in Application Guard, you can use -> wdagtool.exe cleanup RESET_PERSISTENCE_LAYER <-

Just give it a nice icon and done! :D

Best regards
Val.
 
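To make the reset repeatable without typing the command each time, here is an added PowerShell example (not code from the post) that creates the desktop shortcut described above. It assumes wdagtool.exe lives in %SystemRoot%\System32 and checks that before creating anything, refuses to run if the Application Guard optional feature is not enabled, and uses an arbitrary shell32.dll icon index.

```powershell
# Added example, not from the post: create a desktop shortcut that runs
# "wdagtool.exe cleanup", the container reset described above, optionally with
# RESET_PERSISTENCE_LAYER so the persistence layer is wiped as well.
# Assumptions: wdagtool.exe is in %SystemRoot%\System32 (verified below; nothing
# is created if it is missing) and the shortcut icon index is arbitrary.
param(
    [switch]$ResetPersistence   # also wipe the persistence layer
)

$feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -ErrorAction SilentlyContinue
if (-not $feature -or $feature.State -ne 'Enabled') {
    throw "Application Guard optional feature is not enabled; nothing to reset. (Run elevated if this query failed.)"
}

$tool = Join-Path $env:SystemRoot 'System32\wdagtool.exe'
if (-not (Test-Path -LiteralPath $tool)) {
    throw "wdagtool.exe not found at $tool"
}

$cleanupArgs = 'cleanup'
$label = 'Reset Application Guard container'
if ($ResetPersistence) {
    $cleanupArgs += ' RESET_PERSISTENCE_LAYER'
    $label += ' (and persistence layer)'
}

$desktop = [Environment]::GetFolderPath('Desktop')
$lnkPath = Join-Path $desktop "$label.lnk"

# WScript.Shell is the standard COM way to write a .lnk file.
$shell = New-Object -ComObject WScript.Shell
$lnk = $shell.CreateShortcut($lnkPath)
$lnk.TargetPath       = $tool
$lnk.Arguments        = $cleanupArgs
$lnk.WorkingDirectory = Split-Path -Parent $tool
$lnk.Description      = "Runs: wdagtool.exe $cleanupArgs"
$lnk.IconLocation     = "$env:SystemRoot\System32\shell32.dll,77"   # arbitrary icon index
$lnk.Save()

Write-Host "Created $lnkPath -> wdagtool.exe $cleanupArgs"
```

Save it as a .ps1 and run it once for the plain reset and once with -ResetPersistence to get both shortcuts; the second one discards everything the persistence layer has kept, so keep it clearly labelled.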

polishpatriot

Level 2
Feb 4, 2020
86
Thank you for the confirmation.

And another instance of Microsoft releasing features with zero common sense documentation... users have to discover what is what the hard way.
Code:
as usual
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
Yesterday I helped an uncle set up his new laptop. While waiting for the data to copy from his desktop, I played with the Application Guard window. When enabling the Edge flag "Application Guard Prelaunch" and the Group Policy setting to pre-load Edge, this virtualized browser loads really fast (a lot faster than Sandboxie on my old laptop :) )

I discovered that there is a Group Policy setting (thanks to this guide (y)) to enable persistent data. This does not flush the sandbox, so my browser settings, bookmarks and extensions survive a reboot. I could not find a way, nor any info on the web, to create a shortcut which launches Edge in a virtualized window (as is possible with InPrivate mode).

Any tips welcome on how to start Edge in this mode (using a shortcut or switch). Anyone know?
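The settings this post refers to (Managed mode and data persistence) are written by Group Policy under HKLM\SOFTWARE\Policies\Microsoft\AppHVSI. The PowerShell below is an added example, not from the guide; it only reads that key and reports whether the machine is policy-managed at all and, if so, which mode and persistence setting are in force, which is the first thing to check when Edge does not open in the container by itself. The value names and their meanings are the registry backing of the ApplicationGuard policy CSP as I know it, stated as an assumption here: verify them against the ADMX on your own build before relying on this.

```powershell
# Added example, not from the guide: read the Application Guard policy values
# that the Group Policy settings write, to confirm Managed mode and persistence.
# Assumption: key and value names are the registry backing of the
# ApplicationGuard policy CSP (HKLM\SOFTWARE\Policies\Microsoft\AppHVSI);
# check them against the ADMX for your build.

function Get-ApplicationGuardPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
    $meanings = @{
        AllowAppHVSI_ProviderSet = @{ 0 = 'Disabled'; 1 = 'Enabled for Edge (Managed mode)'; 2 = 'Enabled for Office'; 3 = 'Enabled for Edge and Office' }
        AllowPersistence         = @{ 0 = 'Container data discarded'; 1 = 'Container data persists' }
        AuditApplicationGuard    = @{ 0 = 'Audit events off'; 1 = 'Audit events on' }
        SaveFilesToHost          = @{ 0 = 'Downloads stay in container'; 1 = 'Downloads to host allowed' }
    }

    if (-not (Test-Path -LiteralPath $key)) {
        return [pscustomobject]@{
            Setting = '(none)'
            Value   = $null
            Meaning = "$key missing: Application Guard is not policy-managed on this machine (Standalone mode at best)"
        }
    }

    $item = Get-ItemProperty -Path $key
    foreach ($name in ($meanings.Keys | Sort-Object)) {
        $raw = $item.$name   # $null when the value is absent
        [pscustomobject]@{
            Setting = $name
            Value   = $raw
            Meaning = if ($null -eq $raw) { 'Not configured' }
                      elseif ($meanings[$name].ContainsKey([int]$raw)) { $meanings[$name][[int]$raw] }
                      else { 'Unrecognized value' }
        }
    }
}

Get-ApplicationGuardPolicy | Format-Table -AutoSize
```

AllowAppHVSI_ProviderSet = 1 with AllowPersistence = 1 is the combination this post describes; if the key is missing entirely, Application Guard is running in Standalone mode and nothing opens in the container unless the user asks for it.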
 

ForgottenSeer 85179

From guide:

[INFORMATION]
If Application Guard runs in MANAGED Mode - None of the above (manually stuff) is needed! (Tested on Microsoft Edge Chromium Stable/Dev. builds)
 

Lenny_Fox

Level 22
Verified
Top Poster
Well-known
Oct 1, 2019
1,120
So when you start Edge, it runs in an Application Guard window? Please explain.
 

Jan Willy

Level 13
Verified
Top Poster
Well-known
Jul 5, 2019
607
In WDAG mode of Edge the number keys didn't work well when I typed a number in the address/search bar. Typing from the number pad (Num Lock) was OK.
Solution:
Go to Task Manager. Then go to the Details tab and find "ctfmon.exe". Change UAC virtualization to enabled and restart Explorer.

 

Jan Willy

Level 13
Verified
Top Poster
Well-known
Jul 5, 2019
607
When I wrote this message, it was a coincidence that I had SpyShelter disabled (which I usually do when I update drivers). Now I know that the keystroke encryption from SpyShelter is the real culprit in mutilating the top-row numbers of the keyboard. I have added 'hvsirpcd.exe' to the excluded processes of the keystroke encryption.
 

ForgottenSeer 85179

Or just don't use that program then ;)
 
