Application Guard is a fantastic option to run programs in a very secure space that is separated from the host operating system, thereby eliminating many potential hacks. For instance, if you ran the WannaCry cryptolocker program from a website running with Application Guard, it would fail to encrypt your hard drive.
Microsoft introduced Windows Defender Application Guard (WDAG) in September 2016 and renamed it Microsoft Defender Application Guard (MDAG) in 2019. We refer to it as Application Guard for simplicity. As of summer 2020, only the Microsoft Edge browser (both old and new CrEdge) makes use of Application Guard, although the Windows Sandbox uses the same technology packaged differently.
Put simply, Application Guard requires a PC manufactured after 2015 with Windows 10 Pro, Enterprise, or Education v1803 or newer. It does not function on Windows 10 Home Editions. Here are the actual minimum specs:
In a word, yes. In eight words, it is nearly useless on Windows 10 Pro. This is because Defender Application Guard can only be started manually in Windows 10 Pro. Windows 10 Enterprise, on the other hand, allows admins to use SCCM, InTune or Group Policy to kick off Application Guard automatically for sites you have not pre-approved via GPO, SCCM or InTune/EndPoint Manager.
Installing Application Guard is simple:
Alternately, you can install Application Guard using a PowerShell command:
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
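An added example (not from the original article or from Microsoft) that checks the edition and version requirements stated above before running that command. The function name `Test-AppGuardReadiness`, the `EditionID` matching and the use of build 17134 for v1803 are assumptions of this example; run it in an elevated PowerShell session. It does not check hardware requirements.

```powershell
# Added example: pre-flight check before enabling Application Guard.
# Test-AppGuardReadiness is a hypothetical helper, not a built-in cmdlet.
function Test-AppGuardReadiness {
    [CmdletBinding()]
    param(
        # Assumption: 17134 is the build number of Windows 10 v1803,
        # the minimum version the article gives.
        [int]$MinimumBuild = 17134
    )

    $cv      = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $edition = [string]$cv.EditionID
    $build   = [int]$cv.CurrentBuildNumber

    # Assumption: supported editions report an EditionID starting with
    # Professional, Enterprise or Education; Home editions report Core*.
    $editionOk = $edition -match '^(Professional|Enterprise|Education)'
    $buildOk   = $build -ge $MinimumBuild

    # Querying the online image requires elevation.
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue
    $state = if ($feature) { [string]$feature.State } else { 'NotPresent' }

    [pscustomobject]@{
        Edition              = $edition
        Build                = $build
        EditionSupported     = $editionOk
        BuildSupported       = $buildOk
        FeatureState         = $state
        # Per the article, policy-driven (automatic) launch works on Enterprise only.
        ManagedModeAvailable = $edition -like 'Enterprise*'
    }
}

$result = Test-AppGuardReadiness
$result | Format-List

if ($result.EditionSupported -and $result.BuildSupported -and $result.FeatureState -eq 'Disabled') {
    # Same command as in the article; -NoRestart defers the reboot to the admin.
    Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart
    Write-Host 'Application Guard enabled. Restart the machine to finish installation.'
}
elseif (-not ($result.EditionSupported -and $result.BuildSupported)) {
    Write-Warning "Edition '$($result.Edition)' build $($result.Build) does not meet the stated requirements."
}
```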
Defender Application Guard can even be installed using what used to be called InTune and is now Microsoft Endpoint Manager:
As mentioned above, these only apply to Windows 10 Enterprise and will have no effect on Pro machines. The GPOs are found at:
Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Application Guard
Name | Description |
Configure Microsoft Defender Application Guard clipboard settings | Determines whether Application Guard can use the clipboard functionality. |
Configure Microsoft Defender Application Guard print settings | Determines whether Application Guard can use the print functionality. |
Block enterprise websites to load non-enterprise content in IE and Edge | Determines whether to allow Internet access for apps not included on the Allowed Apps list. |
Allow Persistence | Determines whether data persists across different sessions in Microsoft Defender Application Guard. To reset the container: 1. Open a command-line program and navigate to Windows/System32. 2. Type wdagtool.exe cleanup. The container environment is reset, retaining only the employee-generated data. 3. Type wdagtool.exe cleanup RESET_PERSISTENCE_LAYER. The container environment is reset, including discarding all employee-generated data. |
Turn on Microsoft Defender Application Guard in Managed Mode | Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office. |
Allow files to download to host operating system | Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container. |
Allow hardware-accelerated rendering for Microsoft Defender Application Guard | Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration. |
Allow camera and microphone access in Microsoft Defender Application Guard | Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard. |
Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user’s device | Determines whether Root Certificates are shared with Microsoft Defender Application Guard. |
Allow users to trust files that open in Microsoft Defender Application Guard | Determines whether users are able to manually trust untrusted files to open them on the host. |
For more details on these settings see THIS Microsoft article.
We have a separate article explaining the details of Application Guard including many images which you can read HERE, but put simply it uses Microsoft’s most secure “container” level. The container is just like a virtual machine but instead of sharing the hardware, it is sharing the operating system.
App Guard starts as an 18MB container then copies files FROM the base operating system when it needs them. It never copies things back to the base operating system and that keeps you safe.
Once the container is called, it is displayed on the desktop using a very thin, custom-built RDP client that is very restricted to keep you safe.
Don’t worry about your default settings from the original software you launched Application Guard from (i.e. Edge Browser), because when the container is built it copies your source settings into itself.
If you want to use Defender Application Guard with Firefox or Chrome, you just need to download the extension.
That is a good question we are still trying to figure out.