[Guide] - Windows 10 Application Guard Setup and Configuration
<blockquote data-quote="valvaris" data-source="post: 857380" data-attributes="member: 38787"><p>Hello to all,</p><p></p><p>Been looking in the Forum for a Guide on Application Guard and have just found bits and pieces of information here and there.</p><p></p><p><span style="font-size: 18px"><strong>Do I need Windows Defender Active?</strong></span></p><p>No - Application Guard is its own feature and resides in the Security Center for easy access. (Un-managed Mode only!)</p><p></p><p><strong><span style="font-size: 18px">So what is this about?</span></strong></p><p>To have a guide that can be used for all (Administrators and Users alike)</p><p></p><p><strong><span style="font-size: 18px">What is Application Guard?</span></strong></p><p>It is normally a Virtual Environment for the Edge/Edge Chromium Browser for "un-trusted" Websites. Where malicious code "should" not be able to escape! I write "should" because nothing is perfect. ;)</p><p></p><p><strong><span style="font-size: 15px">Additionally: By default Application Guard deletes its Instance at Sign-Out / Restart / Shutdown of the System!
</span></strong></p><p><span style="font-size: 15px"><strong>In Managed and Unmanaged Mode, unless it has been set up for data </strong>persistence:</span></p><p></p><table style='width: 100%'><tr><td><p style="text-align: center">Security Center -> App &amp; browser control -> Isolated Browsing -> <span style="color: rgb(184, 49, 47)">"Save Data"</span></p> </td></tr><tr><td><p style="text-align: center">OR <strong><span style="color: rgb(184, 49, 47)">[Group Policy]</span></strong></p> </td></tr><tr><td><p style="text-align: center">Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Application Guard</p> </td></tr><tr><td><p style="text-align: center">Allow data persistence for Windows Defender Application Guard <span style="color: rgb(184, 49, 47)">"Enabled"</span></p> </td></tr></table><p></p><p><strong><span style="font-size: 18px">C'mon, I want to set it up. How?</span></strong></p><p>First a few prerequisites need to be fulfilled:</p><p></p><table style='width: 100%'><tr><td><p style="text-align: center">64bit CPU</p> </td></tr><tr><td><p style="text-align: center">CPU Virtualization VT-x (Intel) or AMD-V <strong><span style="color: rgb(184, 49, 47)">[Feature needs to be ENABLED in BIOS]</span></strong></p> </td></tr><tr><td><p style="text-align: center">Minimum of 8 GB RAM</p> </td></tr><tr><td><p style="text-align: center">5 GB of free space (SSD Recommended)</p> </td></tr><tr><td><p style="text-align: center">Windows 10 Pro 1803 or higher / Windows 10 Ent. 
1709 or higher</p> </td></tr></table><p></p><p>For the Administrators - Something to Manage:</p><table style='width: 100%'><tr><td><p style="text-align: center">Microsoft Intune</p> </td></tr><tr><td><p style="text-align: center">OR</p> </td></tr><tr><td><p style="text-align: center">Microsoft Endpoint Configuration Manager</p> </td></tr><tr><td><p style="text-align: center">OR</p> </td></tr><tr><td><p style="text-align: center">Group Policy (Domain)</p> </td></tr><tr><td><p style="text-align: center">OR</p> </td></tr><tr><td><p style="text-align: center">3rd Party MDM Solutions</p> </td></tr><tr><td><p style="text-align: center">OR</p> </td></tr><tr><td><p style="text-align: center">Local Group Policy (For Admin. or User alike) gpedit.msc -> Group Policy Manager</p> </td></tr></table><p></p><p><strong><span style="font-size: 18px">If that is all out of the way can we start now?</span></strong></p><p>"YES you can" - On a current Windows 10 1909 Build (You can find that out when you type in "winver" after you pressed the "Start" logo).</p><p>Then go to:</p><p></p><table style='width: 100%'><tr><td><p style="text-align: center">Control Panel (appwiz.cpl)</p> </td></tr><tr><td><p style="text-align: center">Select at the left side -> <em>"Turn Windows features on or off"</em> -> and -> Set a check-mark on <em>"Windows Defender Application Guard"</em></p> </td></tr><tr><td><p style="text-align: center"><em>For the Admin. or Advanced User there is a PowerShell Command:</em><br /> <code>Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard</code></p> </td></tr><tr><td><p style="text-align: center">Restart Computer</p> </td></tr></table><p></p><p><strong><span style="font-size: 18px">Are we done now?</span></strong></p><p>YES and NO... 
What we still need to do is decide how we want to use Application Guard, and that can be tricky depending on whether you want to automate things or not and whether other Browsers need that extra protection.</p><p></p><p>Let's get the Easy stuff out of the way:</p><p>Windows Defender Application Guard Companion [To manage the Virtual Environment and send applications to Application Guard] - UWP App (Microsoft Store) Free -> <a href="https://www.microsoft.com/en-us/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab" target="_blank">Get Windows Defender Application Guard Companion - Microsoft Store</a></p><p>Windows Defender Application Guard Extension -> <a href="https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj" target="_blank">Chromium Based Browsers</a> <- -> <a href="https://wdage.azurewebsites.net/" target="_blank">Mozilla Firefox Browser</a></p><p></p><table style='width: 100%'><tr><td><p style="text-align: center"><strong><span style="font-size: 15px">[INFORMATION]</span></strong></p> <p style="text-align: left">If Application Guard runs in MANAGED Mode - None of the above is needed! (Tested on Microsoft Edge Chromium Stable/Dev. builds)</p> </td></tr></table><p></p><p>Now if nothing else is needed we are almost done -> Settings for the Application Guard can be found at the Security Center (Shield Logo at Tray) -> App and Browser Control -> Isolated browsing - ^^</p><p>[WARNING 6MB Gif Video]</p><p><img src="https://abload.de/img/wapsettings9ojtm.gif" alt="" class="fr-fic fr-dii fr-draggable " style="" /></p><p></p><p>And you are done! 
:D</p><p></p><p><span style="font-size: 18px"><strong>Administrators and Power Users</strong></span></p><p>If you need more control and want to automate/manage Application Guard there is a lot more to do and it is Group Policy oriented. (WARNING - I do not go through all settings but the essential ones are covered!)</p><p></p><p>Let's get started:</p><p>Important Paths for Application Guard Features and Functions in Group Policy.</p><p></p><p></p><p>First, Application Guard needs to be switched to Managed Mode so that this Group Policy takes effect!</p><p>Path:</p><p><code>Computer Configuration -> Administrative Templates -> Windows Components -> Windows Defender Application Guard</code></p><p></p><p>This can be done by setting -> Turn on Windows Defender Application Guard in Managed Mode = Enabled</p><p>Other settings here are more of a preference on how Application Guard instances are handled by the system. 
It is very easy to understand what every function does!</p><p></p><p><code>Computer Configuration -> Administrative Templates -> Network -> Network Isolation</code></p><p></p><p><strong>OK OK, the syntax for domains has a different meaning - what does that mean?</strong></p><table style='width: 100%'><tr><td>example.net</td><td>Just trust that literally</td></tr><tr><td><a href="http://www.example.net" target="_blank">www.example.net</a></td><td>Just trust that literally</td></tr><tr><td>.example.net</td><td>Trust all before the DOT from example.net, mail.example.net, portal.example.net and <a href="http://www.example.net" target="_blank">www.example.net</a></td></tr><tr><td>..example.net</td><td>Trust all levels even deeper double DOT example.net, mail.example.net, de.mail.example.net and <a href="http://www.de.mail.example.net" target="_blank">www.de.mail.example.net</a></td></tr></table><p></p><p><strong>Now the little tricky part: what is trusted and what is needed?</strong></p><p><em>Enterprise resource domain hosted in the cloud</em> is equal to the Internet Explorer "Trusted" Security Zone - For example: I work a lot with Microsoft products like Azure and Office - But the syntax for that is with a "pipe" "|" -> .microsoft.com|.office.com|.example.net</p><p></p><p>The other one is <em>Domains categorized as both work and personal</em>, that do not need an Application Guard Instance. 
The Domain Syntax remains the same but is comma separated "," -> .malwaretips.com,.example.net,..moreexample.net,<a href="http://www.news.com" target="_blank">www.news.com</a></p><p></p><p><strong><span style="font-size: 18px">Everything else that is not in those lists, even transfer Domains, is getting an Application Guard Instance!</span></strong></p><p></p><p>Then there is the troubleshooting phase; the best tool for that, I think, is Fiddler -> <a href="https://www.telerik.com/fiddler" target="_blank">Fiddler - Free Web Debugging Proxy - Telerik</a></p><p></p><p>Did a lot of research and consolidated information to have it all in one place for all. Feedback and Criticism are gladly appreciated. :D</p><p></p><p><strong>Sources List:</strong></p><p>Microsoft -> <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview" target="_blank">Windows Defender Application Guard</a></p><p>Microsoft -> <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard" target="_blank">System requirements</a></p><p>Microsoft -> <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard" target="_blank">Install Windows Defender Application Guard</a></p><p>Microsoft -> <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard" target="_blank">Configure Windows Defender Application Guard policies</a></p><p>Microsoft -> <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/test-scenarios-wd-app-guard" target="_blank">Test 
scenarios</a></p><p>Microsoft -> <a href="https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard" target="_blank">Windows Defender Application Guard FAQ</a></p><p></p><p>Sincerely</p><p>Val.</p></blockquote><p></p>
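The prerequisite list and the install step in the post above, as a read-only check; this is an added example, not part of the original post, and `Test-AppGuardPrerequisite` is a hypothetical helper name. It assumes the system drive is where the 5 GB of free space is needed and takes the edition and release minimums from the post.

```powershell
# Added example: read-only check of the prerequisites listed in the post.
# Test-AppGuardPrerequisite is a hypothetical helper name, not a Windows cmdlet.
function Test-AppGuardPrerequisite {
    $cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
    $cs   = Get-CimInstance Win32_ComputerSystem
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $ver  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # Installed RAM summed over the memory modules: TotalPhysicalMemory excludes
    # reserved memory, so an 8 GB machine would report slightly under 8 GB there.
    $ramGB = (Get-CimInstance Win32_PhysicalMemory |
              Measure-Object -Property Capacity -Sum).Sum / 1GB

    # Minimum release per edition, as given in the post.
    $minByEdition = @{ Professional = 1803; Enterprise = 1709 }
    $edition    = [string]$ver.EditionID
    $minRelease = $minByEdition[$edition]
    $release    = 0
    [void][int]::TryParse([string]$ver.ReleaseId, [ref]$release)

    # The firmware flag can read False once a hypervisor is already running,
    # so an active hypervisor also counts as proof that VT-x/AMD-V is enabled.
    $virt = $cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent

    @(
        [pscustomobject]@{ Check = '64-bit CPU/OS'
            Actual = "$($cpu.AddressWidth)-bit"; Pass = $cpu.AddressWidth -eq 64 }
        [pscustomobject]@{ Check = 'Virtualization enabled in firmware'
            Actual = $virt; Pass = [bool]$virt }
        [pscustomobject]@{ Check = 'RAM >= 8 GB'
            Actual = '{0:N1} GB' -f $ramGB; Pass = $ramGB -ge 8 }
        [pscustomobject]@{ Check = "Free space on $env:SystemDrive >= 5 GB"
            Actual = '{0:N1} GB' -f ($disk.FreeSpace / 1GB); Pass = $disk.FreeSpace -ge 5GB }
        [pscustomobject]@{ Check = 'Edition and release (Pro 1803+ / Ent. 1709+)'
            Actual = "$edition $release"
            Pass   = [bool]$minRelease -and $release -ge $minRelease }
    )
}

$result = Test-AppGuardPrerequisite
$result | Format-Table -AutoSize

# Reading the feature state needs an elevated session; report that instead of failing.
$state = try {
    (Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard `
        -ErrorAction Stop).State
} catch { 'Unknown (run elevated)' }
"Windows-Defender-ApplicationGuard feature state: $state"

if ($result.Pass -notcontains $false -and "$state" -eq 'Disabled') {
    'All checks passed. Enable with the command from the post, then restart:'
    '  Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard'
}
```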
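A lint for the two Network Isolation strings the post describes, as an added example that is not part of the original post; `Test-NetworkIsolationList` and the `CloudResources`/`NeutralResources` labels are hypothetical names. It checks separators and entry shape only and does not decide what a form matches; confirm the matching behaviour of each dot form against the Microsoft policy documentation linked in the post, since every entry in these lists opens outside Application Guard.

```powershell
# Added example: lint for the two Network Isolation strings described in the post.
# Test-NetworkIsolationList and the setting labels are hypothetical names.
function Test-NetworkIsolationList {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value,
        [Parameter(Mandatory)][ValidateSet('CloudResources', 'NeutralResources')]
        [string]$Setting
    )
    # Per the post: cloud resources are pipe-separated, neutral ones comma-separated.
    $separator, $other = if ($Setting -eq 'CloudResources') { '|', ',' } else { ',', '|' }

    foreach ($raw in $Value.Split($separator)) {
        $entry  = $raw.Trim()
        $issues = @()
        if ($raw -ne $entry)         { $issues += 'surrounding whitespace' }
        if (-not $entry)             { $issues += 'empty entry' }
        if ($entry.Contains($other)) { $issues += "contains '$other' (separator of the other setting)" }
        if ($entry -match '[/:]')    { $issues += 'scheme, port or path present; host names only' }

        # Count leading dots: the post's table distinguishes zero, one and two.
        $dots = ($entry -replace '^(\.*).*$', '$1').Length
        $form = switch ($dots) {
            0       { 'literal host' }
            1       { 'single leading dot' }
            2       { 'double leading dot' }
            default { $issues += 'more than two leading dots'; 'unknown' }
        }

        # What remains must be a dotted host name; a bare TLD such as ".com"
        # or a wildcard such as "*.example.net" is flagged here.
        $name = $entry.TrimStart('.')
        if ($name -and $name -notmatch '^[a-z0-9-]+(\.[a-z0-9-]+)+$') {
            $issues += 'not a dotted host name'
        }

        [pscustomobject]@{
            Setting = $Setting
            Entry   = $entry
            Form    = $form
            Issues  = $issues -join '; '
        }
    }
}

# The first string is the one from the post; the second is constructed to show
# typical slips (stray space, pipe inside a comma list, pasted URL).
$cloud   = '.microsoft.com|.office.com|.example.net'
$neutral = '.malwaretips.com, .example.net|..moreexample.net,https://www.news.com'

$report = @(Test-NetworkIsolationList -Value $cloud   -Setting CloudResources) +
          @(Test-NetworkIsolationList -Value $neutral -Setting NeutralResources)
$report | Format-Table -AutoSize -Wrap
```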