What Is Windows Defender Application Guard
Windows Defender Application Guard is a new security feature of the Windows 10 operating system that Microsoft revealed back in 2016.
The company revealed back then that it would integrate the feature in a future Windows Insider build before shipping it with the new feature update of Windows, the Windows 10 Creators Update.
It appears that the time has come, as information about the feature is now included in Microsoft Edge and Internet Explorer already on Windows 10 Enterprise systems.
Microsoft announced recently that it will bring Windows Defender Application Guard to Windows 10 Professional systems in Spring 2018.
When you load about:applicationguard right now in the latest Microsoft Edge Insider Build version, you are taken to a welcome screen that highlights the feature to you.
Windows Defender Application Guard
The Welcome Screen reads: Welcome to Windows Defender Application Guard. Windows Defender Application Guard is a lightweight virtual machine that helps isolate potentially malicious website activity from reaching your operating system, apps, and data.
Below that are the three core features of Windows Defender Application Guard:
- Isolated Browsing -- Windows Defender Application Guard uses the latest virtualization technology to help protect your operating system by creating an isolated environment for your Microsoft Edge session.
- Help Safeguard your PC -- Windows Defender Application Guard starts up every time you visit a non-work-related site to help keep potentially malicious attacks away from your PC.
- Malware Removal -- Any websites you visit, files you download, or settings you change while in this isolated environment are deleted when you sign out of Windows, wiping out any potential malware.
Microsoft's introduction of the feature back in 2016 reveals the underlying technology used to power the feature. According to the article -- linked in the first paragraph -- it uses Microsoft's Hyper-V virtualization technology to create a new layer of defense around Microsoft Edge.
This is a sandbox more or less that Edge processes run in if they are not in the list of trusted sites. Trusted sites work exactly like they do right now in the current stable version of Edge. Sites and services have access to local storage, may read and write cookies, and do all the other things they have permission for either automatically or on user request.
The following happens if a site or service is not in the trusted sites list.
Application Guard’s enforcement includes completely blocking access to memory, local storage, other installed applications, corporate network endpoints, or any other resources of interest to the attacker
Microsoft notes that this sandboxed copy has no access to credentials, including domain credentials. Strict no access to anything rules would break sites or services that rely on these features. Application Guard does provide access to "essential features", and some can be configured via the Grop Policy or other management tools.
System requirements
Windows Defender Application Guard has the following system requirements:
- 64-bit processor with a minimum of 4 cores.
- Support for extended page tables and either VT-x (Intel) or AMD-V (AMD).
- 8 Gigabytes of RAM recommended.
- 5 Gigabytes of free disk space. SSD recommended.
- Windows 10 Enterprise version 1709 or newer, or Windows 10 Professional version 1803 or newer.
- Works only in Microsoft Edge or Internet Explorer.
Managing Application Guard
If you open the Group Policy editor for instance, you find eight application guard specific entries under Computer Configuration > Administrative Templates >Â Windows Components > Windows Defender Application Guard:
- Turn On/Off Windows Defender Application Guard.
- Allow data persistence for Windows Defender Application Guard.
- Allow hardware accelerated rendering.
- Allow auditing events.
- Protect enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer.
- Configure Windows Defender Application Guard clipboard settings.
- Configure Windows Defender Application Guard print settings.
- Allow files to download and save to the host operating system.
You can enable the feature using the Windows Features dialog as well. Open the Settings application with the shortcut Windows-I, type add feature, and select the result. This should load the Windows Features program that lets you add or remove features.
Locate Windows Defender Application Guard and check the feature to enable it on the device.
Closing Words
Since Microsoft mentions Internet Explorer in the Group Policy, it seems that at least some of the security feature's functionality is protecting Internet Explorer users as well.
It remains to be seen how effective Windows Defender Application Guard is in protecting user systems, and how restrictive it is for users to work with.
Microsoft has not revealed yet if Application Guard will be made available to all editions of Windows 10. Also, it is unclear whether the company plans to expand the use of the feature to other applications on the system.
Now You: What's your take on Application Guard?
What mental age of reader are you targeting with the first sentence? 10?
Why not write an article on how to *avoid* upgrading from W10 to W11. Analogous to those like me who avoided upgrading from 7 to 10 for as long as possible.
If your paymaster Microsoft permits it, of course.
5. Rufus
6. Ventoy
PS. I hate reading these “SEO optimized” articles.
I used Rufus to create an installer for a 6th gen intel i5 that had MBR. It upgraded using Setup. No issues except for Win 11 always prompting me to replace my local account. Still using Win 10 Pro on all my other PCs to avoid the bullying.
bit pointless to upgrade for the sake of upgrading as you never know when you’ll get locked out because ms might suddenly not provide updates to unsupported systems.
ps…. time travelling?
written. Jan 15, 2023
Updated • Jan 13, 2023
This happens when you schedule a post in WordPress and update it before setting the publication date.
Anyone willing to downgrade to this awful OS must like inflicting themselves with harm.
I have become convinced now that anybody who has no qualms with using Windows 11/10 must fit into one of the following brackets:
1) Too young to remember a time before W10 and W11 (doesn’t know better)
2) Wants to play the latest games on their PC above anything else (or deeply needs some software which already dropped W7 support)
3) Doesn’t know too much about how computers work, worried that they’d be absolutely lost and in trouble without the “”latest security””
4) Microsoft apologist that tries to justify that the latest “features” and “changes” are actually a good thing, that improve Windows
5) Uses their computer to do a bare minimum of like 3 different things, browse web, check emails, etc, so really doesn’t fuss
Obviously that doesn’t cover everyone, there’s also the category that:
6) Actually liked W7 more than 10, and held out as long as possible before switching, begrudgingly uses 10 now
Have I missed any group off this list?
You have missed in this group just about any professional user that uses business software like CAD programs or ERP Programs which are 99% of all professional users from this list.
Linux doesn’t help anyone who is not a linux kid and apple is just a fancy facebook machine.
Microsoft has removed KB5029351 update
only from windows update though
KB5029351 is still available from the ms update catalog site
1. This update is labaled as PREVIEW if it causes issues to unintelligent people, then they shouldn’t have allowed Preview updates ot install.
2. I have installed it in a 11 years old computer, and no problems at all.
3. Making a big drama over a bluescreen for an updated labeled as preview is ridiculous.
This is probably another BS internet drama where people ran programs and scripts that modified the registry until they broke Windows, just for removing stuff that they weren’t even using just for the sake of it.
Maybe people should stop playing geeks and actually either use Windows 10 or Windows 11, but don’t try to modify things just for the sake of it.
Sometimes removing or stopping things (like defender is a perfect example) only need intelligence, not scripts or 3rd party programs that might mess with windows.
Windows 11 was a pointless release, it was just created because some of the Windows team wanted to boost sales with some sort of new and improved Windows 10. Instead, Microsoft cannot support one version well let alone two.
Windows 11 is the worst ugly shame by Microsoft ever. They should release with every new W11 version a complete free version of Starallback inside just to make this sh** OS functionally again.
motherboard maker MSI has recently released a statement regarding the “unsupported processor” blue screen error for their boards using Intel 600/700 series chipsets & to avoid the KB5029351 Win11 update:
https://www.msi.com/news/detail/MSI-On–UNSUPPORTED-PROCESSOR–Error-Message-of-Windows-11-Update-KB5029351-Preview-142215
check out the following recent articles:
Neowin – Microsoft puts little blame on its Windows update after UNSUPPORTED PROCESSOR BSOD bug:
https://www.neowin.net/news/microsoft-puts-little-blame-on-its-windows-update-after-unsupported-processor-bsod-bug/
BleepingComputer – Microsoft blames ‘unsupported processor’ blue screens on OEM vendors:
https://www.bleepingcomputer.com/news/microsoft/microsoft-blames-unsupported-processor-blue-screens-on-oem-vendors/
While there may be changes or updates to the Windows 10 Store for Business and Education in the future, it is premature to conclude that it will be discontinued based solely on rumors.
My advice, I left win 15 years ago. Now I’m a happy linux user (linuxmint) but there is Centos, Fedora, Ubuntu depending on your needs.
motherboard maker MSI has recently released new BIOS/firmware updates for their Intel 600 & 700 series motherboards to fix the “UNSUPPORTED_PROCESSOR” problem (Sept. 6):
https://www.msi.com/news/detail/Updated-BIOS-fixes-Error-Message–UNSUPPORTED-PROCESSOR–caused-BSOD-on-MSI-s-Intel-700-and-600-Series-Motherboards-142277