What Is Windows Defender Application Guard

microsoft edge application guard
Martin Brinkmann
Feb 20, 2017
Updated • Dec 21, 2017
Windows
|
11

Windows Defender Application Guard is a new security feature of the Windows 10 operating system that Microsoft revealed back in 2016.

The company revealed back then that it would integrate the feature in a future Windows Insider build before shipping it with the new feature update of Windows, the Windows 10 Creators Update.

It appears that the time has come, as information about the feature is now included in Microsoft Edge and Internet Explorer already on Windows 10 Enterprise systems.

Microsoft announced recently that it will bring Windows Defender Application Guard to Windows 10 Professional systems in Spring 2018.

ADVERTISEMENT

When you load about:applicationguard right now in the latest Microsoft Edge Insider Build version, you are taken to a welcome screen that highlights the feature to you.

Windows Defender Application Guard

microsoft edge application guard

The Welcome Screen reads: Welcome to Windows Defender Application Guard. Windows Defender Application Guard is a lightweight virtual machine that helps isolate potentially malicious website activity from reaching your operating system, apps, and data.

Below that are the three core features of Windows Defender Application Guard:

  • Isolated Browsing -- Windows Defender Application Guard uses the latest virtualization technology to help protect your operating system by creating an isolated environment for your Microsoft Edge session.
  • Help Safeguard your PC -- Windows Defender Application Guard starts up every time you visit a non-work-related site to help keep potentially malicious attacks away from your PC.
  • Malware Removal -- Any websites you visit, files you download, or settings you change while in this isolated environment are deleted when you sign out of Windows, wiping out any potential malware.

Microsoft's introduction of the feature back in 2016 reveals the underlying technology used to power the feature. According to the article -- linked in the first paragraph -- it uses Microsoft's Hyper-V virtualization technology to create a new layer of defense around Microsoft Edge.

This is a sandbox more or less that Edge processes run in if they are not in the list of trusted sites. Trusted sites work exactly like they do right now in the current stable version of Edge. Sites and services have access to local storage, may read and write cookies, and do all the other things they have permission for either automatically or on user request.

The following happens if a site or service is not in the trusted sites list.

Application Guard’s enforcement includes completely blocking access to memory, local storage, other installed applications, corporate network endpoints, or any other resources of interest to the attacker

Microsoft notes that this sandboxed copy has no access to credentials, including domain credentials. Strict no access to anything rules would break sites or services that rely on these features. Application Guard does provide access to "essential features", and some can be configured via the Grop Policy or other management tools.

System requirements

Windows Defender Application Guard has the following system requirements:

  • 64-bit processor with a minimum of 4 cores.
  • Support for extended page tables and either VT-x (Intel) or AMD-V (AMD).
  • 8 Gigabytes of RAM recommended.
  • 5 Gigabytes of free disk space. SSD recommended.
  • Windows 10 Enterprise version 1709 or newer, or Windows 10 Professional version 1803 or newer.
  • Works only in Microsoft Edge or Internet Explorer.

Managing Application Guard

windows application guard group policy

If you open the Group Policy editor for instance, you find eight application guard specific entries under Computer Configuration > Administrative Templates >  Windows Components > Windows Defender Application Guard:

  1. Turn On/Off Windows Defender Application Guard.
  2. Allow data persistence for Windows Defender Application Guard.
  3. Allow hardware accelerated rendering.
  4. Allow auditing events.
  5. Protect enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer.
  6. Configure Windows Defender Application Guard clipboard settings.
  7. Configure Windows Defender Application Guard print settings.
  8. Allow files to download and save to the host operating system.

You can enable the feature using the Windows Features dialog as well. Open the Settings application with the shortcut Windows-I, type add feature, and select the result. This should load the Windows Features program that lets you add or remove features.

windows-defender-application guard windows 10 pro

Locate Windows Defender Application Guard and check the feature to enable it on the device.

Closing Words

Since Microsoft mentions Internet Explorer in the Group Policy, it seems that at least some of the security feature's functionality is protecting Internet Explorer users as well.

It remains to be seen how effective Windows Defender Application Guard is in protecting user systems, and how restrictive it is for users to work with.

Microsoft has not revealed yet if Application Guard will be made available to all editions of Windows 10. Also, it is unclear whether the company plans to expand the use of the feature to other applications on the system.

Now You: What's your take on Application Guard?

Summary
What Is Windows Defender Application Guard
Article Name
What Is Windows Defender Application Guard
Description
Windows Defender Application Guard is a new security feature of the Windows 10 operating system that Microsoft revealed back in 2016.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Related content

How to fix The app you're trying to install isn't a Microsoft-verified app on Windows

You may soon install apps and games directly from Windows Search results

Windows 11: Microsoft rolls out Start Menu Promotions

Microsoft may be working on a modern version of Windows (again)
windows 12

Could these be some of Windows 12's system requirements?
How To Check If Your Device Meets Windows 11 System Requirements

How To Check If Your Device Meets Windows 11 System Requirements

Previous Post: «
Next Post: «

Comments

  1. Larry said on February 20, 2017 at 7:05 pm
    Reply

    I use Sandboxie. According to the description, Windows Defender Application Guard is similar but only works with the Edge browser, whereas Sandboxie works with most popular browsers and allows one to “trial” new software without messing up your registry and files.

    1. seeprime said on February 20, 2017 at 8:25 pm
      Reply

      Sandboxie is great. I use the premium version on six PC’s. Great product.

    2. Solidstate said on February 21, 2017 at 3:06 am
      Reply

      “According to the description, Windows Defender Application Guard is similar”

      Not even close. Sandboxie doesn’t wrap anything using a hypervisor to virtualize the entire application. This goes far beyond anything else that Windows already does with APIs like UWP – and it certainly goes farther than Sandboxie.

  2. Tony said on February 21, 2017 at 12:15 am
    Reply

    “Microsoft has not revealed yet if Application Guard will be made available to all editions of Windows 10.”

    In which editions is it known to be available?

    1. Jeff said on February 21, 2017 at 5:13 am
      Reply

      1. It has performance impact as every time you open Edge, a VM is started
      2. VirtualBox and VMware no longer work with it enabled
      3. It is Edge-only. Who wants to use that shit just to use this feature?
      4. App Guard will reset cookies and saved logins every time
      5. Enterprise edition only

    2. Martin Brinkmann said on February 21, 2017 at 5:35 am
      Reply

      Enterprise. The policies are also available in Pro, so some of it may land in Pro as well.

      1. Tony said on February 21, 2017 at 11:22 am
        Reply

        Thanks Martin :)

    3. Ryan said on February 23, 2017 at 5:15 pm
      Reply

      Most likely just like credential and device guard. Will only be available in Enterprise and Educational editions

  3. kopija said on February 21, 2017 at 4:57 pm
    Reply

    Is there a similar application not limited to Edge and Enterprise edition?
    Thanks.

  4. Ryan said on February 23, 2017 at 7:09 pm
    Reply

    Any luck getting this enabled? Says you need to define enterprise trusted sites using network isolation policy. Not seeing this within the network isolation policy settings within GPEDIT. Maybe not fully implemented yet.

  5. Peter said on March 19, 2019 at 1:01 am
    Reply

    Beware! This application uses Hyper-V which is not compatible with VirtualBox or probably other VM software.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.

Advertisement

Spread the Word

Ghacks Newsletter Sign Up

Please click on the following link to open the newsletter signup page: Ghacks Newsletter Sign up

Advertisement

Hot Discussions

Advertisement

Recently Updated

Advertisement

About gHacks

Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.

The name and logo of Ghacks are copyrights or trademarks of SOFTONIC INTERNATIONAL S.A.
Copyright SOFTONIC INTERNATIONAL S.A. © 2005- 2023 - All rights reserved