WHAT IS DEFENDER APPLICATION GUARD:
Application Guard is a fantastic option for running programs in a very secure space that is separated from the host operating system, thereby neutralizing many potential attacks. For instance, if you ran the WannaCry cryptolocker program from a website opened with Application Guard, it would fail to encrypt your hard drive.
Microsoft introduced Windows Defender Application Guard (WDAG) in September 2016 and renamed it Microsoft Defender Application Guard (MDAG) in 2019. We refer to it as Application Guard for simplicity. As of summer 2020, only the Microsoft Edge browser (both the old Edge and the new Chromium-based "CrEdge") makes use of Application Guard, although Windows Sandbox uses the same underlying technology packaged differently.
Put simply, Application Guard requires a PC manufactured after 2015 running Windows 10 Pro, Enterprise, or Education v1803 or newer. It does not function on Windows 10 Home editions. Here are the actual minimum specs:
- At least a 4-core 64-bit CPU from Intel or AMD capable of virtualization
- 8GB RAM
- 5GB disk space
DOES APPLICATION GUARD FUNCTION DIFFERENTLY ON WINDOWS 10 PRO vs ENTERPRISE:
In a word, yes. In eight words, it is nearly useless on Windows 10 Pro. This is because Defender Application Guard can only be started manually on Windows 10 Pro. Windows 10 Enterprise, on the other hand, lets admins define trusted sites through Group Policy, SCCM or Intune/Endpoint Manager, so that Application Guard launches automatically for any site you have not pre-approved.
HOW TO INSTALL DEFENDER APPLICATION GUARD:
Installing Application Guard is simple:
- Right-click on the START button and select APPS AND FEATURES
- Click the PROGRAMS AND FEATURES link (in the top right corner OR at the bottom of the page)
- Click on WINDOWS DEFENDER APPLICATION GUARD or MICROSOFT DEFENDER APPLICATION GUARD
- Click OK
- Wait a minute for it to install and then reboot
Alternately, you can install Application Guard using a PowerShell command:
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
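The minimum specs listed above and the one-line install command can be combined into a single script that refuses to enable the feature on a machine that does not qualify. This is an added example, not code from the original article: it checks the article's thresholds (4-core 64-bit CPU with virtualization enabled, 8GB RAM, 5GB free disk, Windows 10 Pro/Enterprise/Education v1803 or newer), then runs the same Enable-WindowsOptionalFeature command and reports the feature state. It assumes Windows 10 v1803 corresponds to OS build 17134, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original article): verify the minimum specs,
# then enable the Application Guard optional feature and report its state.
# Run from an elevated PowerShell prompt on Windows 10.
# Assumption: Windows 10 v1803 == OS build 17134 (used as the version floor).

function Test-AppGuardPrerequisites {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $cpus = @(Get-CimInstance -ClassName Win32_Processor)
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $sys  = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')

    $coreCount = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum
    $virtOn    = @($cpus | Where-Object { -not $_.VirtualizationFirmwareEnabled }).Count -eq 0
    # TotalPhysicalMemory is reported slightly below the installed amount
    # (firmware reservations), so round to the nearest GB before comparing.
    $ramGB     = [math]::Round($cs.TotalPhysicalMemory / 1GB)
    $freeGB    = $sys.Free / 1GB

    $checks = [ordered]@{
        'Supported edition (Pro/Enterprise/Education)' = ($os.Caption -match 'Pro|Enterprise|Education') -and ($os.Caption -notmatch 'Home')
        'Windows 10 v1803 (build 17134) or newer'      = [int]$os.BuildNumber -ge 17134
        '64-bit OS'                                    = $os.OSArchitecture -like '64*'
        'At least 4 CPU cores'                         = $coreCount -ge 4
        'Virtualization enabled in firmware'           = $virtOn
        'At least 8 GB RAM'                            = $ramGB -ge 8
        'At least 5 GB free on system drive'           = $freeGB -ge 5
    }

    $results = foreach ($c in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $c.Key; Met = [bool]$c.Value }
    }
    [pscustomobject]@{
        Checks = $results
        AllMet = -not ($results.Met -contains $false)
    }
}

function Enable-AppGuard {
    $pre = Test-AppGuardPrerequisites
    $pre.Checks | Format-Table -AutoSize | Out-Host
    if (-not $pre.AllMet) {
        throw 'Minimum specs for Application Guard are not met; see the table above.'
    }

    $name = 'Windows-Defender-ApplicationGuard'
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $name
    if ($feature.State -ne 'Enabled') {
        # Same command as the article's one-liner; -NoRestart lets you reboot
        # when convenient (the feature is active only after the reboot).
        Enable-WindowsOptionalFeature -Online -FeatureName $name -NoRestart | Out-Null
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $name
    }
    $feature | Select-Object FeatureName, State
}

Enable-AppGuard
```

A State of EnablePending after the script runs simply means the reboot the article mentions is still outstanding.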
Defender Application Guard can even be installed using what used to be called Intune and is now Microsoft Endpoint Manager:
- Surf to endpoint.microsoft.com and sign in
- Expand Devices > Configuration profiles > + Create profile
- In the Platform list, select Windows 10 and later
- In the Profile list, select Endpoint protection and click Create
- Complete the profile:
  - Name and Description
  - In the Select a category to configure settings section, choose Microsoft Defender Application Guard
  - In the Application Guard list, choose Enabled for Edge
  - Set your preferences for Clipboard behavior, External content, and the remaining settings
  - Click OK, and then OK again
- Review your settings and then click Create
- Click Assignments:
  - On the Include tab (in the Assign to list), click an option
  - If you have any devices or users you want to exclude from this endpoint protection profile, specify those on the Exclude tab
- Click Save
WHAT ARE THE GPO SETTINGS FOR APPLICATION GUARD:
As mentioned above, these only apply to Windows 10 Enterprise and will have no effect on Pro machines. The GPOs are found at:
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Application Guard
|Setting|Description|
|---|---|
|Configure Microsoft Defender Application Guard clipboard settings|Determines whether Application Guard can use the clipboard functionality.|
|Configure Microsoft Defender Application Guard print settings|Determines whether Application Guard can use the print functionality.|
|Block enterprise websites to load non-enterprise content in IE and Edge|Determines whether to allow Internet access for apps not included on the Allowed Apps list.|
|Allow Persistence|Determines whether data persists across different sessions in Microsoft Defender Application Guard. To reset the container manually: 1. Open a command-line program and navigate to Windows/System32. 2. Type wdagtool.exe cleanup; the container environment is reset, retaining only the employee-generated data. 3. Type wdagtool.exe cleanup RESET_PERSISTENCE_LAYER; the container environment is reset, including discarding all employee-generated data.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|
|Allow files to download to host operating system|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user’s device|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|
|Allow users to trust files that open in Microsoft Defender Application Guard|Determines whether users are able to manually trust untrusted files to open them on the host.|
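The wdagtool.exe reset steps in the Allow Persistence row are easy to get wrong when typed by hand, because the only difference between "keep the user's data" and "wipe everything" is one extra argument. The function below is an added example, not code from the original article or from Microsoft: it wraps the two commands exactly as the table gives them, checks that the tool is present, supports -WhatIf so the command can be previewed, and fails loudly on a non-zero exit code. The -DiscardUserData switch name is our own choice.

```powershell
# Added example (not from the original article): wrapper for the wdagtool.exe
# reset steps above. Run from an elevated PowerShell prompt.
#   Reset-AppGuardContainer                   -> wdagtool.exe cleanup (keeps employee-generated data)
#   Reset-AppGuardContainer -DiscardUserData  -> wdagtool.exe cleanup RESET_PERSISTENCE_LAYER (discards it)

function Reset-AppGuardContainer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Our own switch name (assumption, not a wdagtool option).
        [switch]$DiscardUserData
    )

    $tool = Join-Path $env:SystemRoot 'System32\wdagtool.exe'
    if (-not (Test-Path -Path $tool)) {
        throw "wdagtool.exe not found at $tool. Is Application Guard installed?"
    }

    $toolArgs = @('cleanup')
    if ($DiscardUserData) { $toolArgs += 'RESET_PERSISTENCE_LAYER' }

    $description = "wdagtool.exe $($toolArgs -join ' ')"
    if ($PSCmdlet.ShouldProcess('Application Guard container', $description)) {
        # The table's steps run the tool from Windows\System32, so do the same.
        Push-Location -Path (Split-Path -Path $tool -Parent)
        try {
            & $tool @toolArgs
            if ($LASTEXITCODE -ne 0) {
                throw "wdagtool.exe exited with code $LASTEXITCODE"
            }
        }
        finally {
            Pop-Location
        }
    }
}

# Preview the command first, then reset while keeping employee-generated data.
Reset-AppGuardContainer -WhatIf
Reset-AppGuardContainer

# Full reset that also discards employee-generated data (uncomment to run):
# Reset-AppGuardContainer -DiscardUserData
```

Because the container is rebuilt from the host on next launch, a reset is also a reasonable first response if an Application Guard session starts misbehaving after a policy change.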
For more details on these settings see THIS Microsoft article.
HOW DOES APPLICATION GUARD WORK:
We have a separate article explaining the details of Application Guard, including many images, which you can read HERE, but put simply it uses Microsoft’s most secure “container” level. The container is just like a virtual machine, but instead of sharing the hardware it shares the operating system.
App Guard starts as an 18MB container, then copies files FROM the base operating system as it needs them. It never copies anything back to the base operating system, and that is what keeps you safe.
Once the container is launched, it is displayed on the desktop using a very thin, custom-built RDP client that is heavily restricted to keep you safe.
Don’t worry about losing the default settings of the software you launched Application Guard from (i.e. the Edge browser): when the container is built, it copies your source settings into itself.
HOW TO USE APPLICATION GUARD WITH GOOGLE CHROME OR FIREFOX:
If you want to use Defender Application Guard with Firefox or Chrome, you just need to download the extension.
HOW TO USE APPLICATION GUARD WITH INTERNET EXPLORER:
That is a good question we are still trying to figure out.