Windows Defender Application Guard is a new security feature of the Windows 10 operating system that Microsoft revealed back in 2016.
The company revealed back then that it would integrate the feature in a future Windows Insider build before shipping it with the new feature update of Windows, the Windows 10 Creators Update.
It appears that the time has come, as information about the feature is now included in Microsoft Edge and Internet Explorer already on Windows 10 Enterprise systems.
Microsoft announced recently that it will bring Windows Defender Application Guard to Windows 10 Professional systems in Spring 2018.
When you load about:applicationguard right now in the latest Microsoft Edge Insider Build version, you are taken to a welcome screen that highlights the feature to you.
The Welcome Screen reads: Welcome to Windows Defender Application Guard. Windows Defender Application Guard is a lightweight virtual machine that helps isolate potentially malicious website activity from reaching your operating system, apps, and data.
Below that are the three core features of Windows Defender Application Guard:
Microsoft's introduction of the feature back in 2016 reveals the underlying technology used to power the feature. According to the article -- linked in the first paragraph -- it uses Microsoft's Hyper-V virtualization technology to create a new layer of defense around Microsoft Edge.
This is a sandbox more or less that Edge processes run in if they are not in the list of trusted sites. Trusted sites work exactly like they do right now in the current stable version of Edge. Sites and services have access to local storage, may read and write cookies, and do all the other things they have permission for either automatically or on user request.
The following happens if a site or service is not in the trusted sites list.
Application Guard’s enforcement includes completely blocking access to memory, local storage, other installed applications, corporate network endpoints, or any other resources of interest to the attacker
Microsoft notes that this sandboxed copy has no access to credentials, including domain credentials. Strict no access to anything rules would break sites or services that rely on these features. Application Guard does provide access to "essential features", and some can be configured via the Grop Policy or other management tools.
Windows Defender Application Guard has the following system requirements:
If you open the Group Policy editor for instance, you find eight application guard specific entries under Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard:
You can enable the feature using the Windows Features dialog as well. Open the Settings application with the shortcut Windows-I, type add feature, and select the result. This should load the Windows Features program that lets you add or remove features.
Locate Windows Defender Application Guard and check the feature to enable it on the device.
Since Microsoft mentions Internet Explorer in the Group Policy, it seems that at least some of the security feature's functionality is protecting Internet Explorer users as well.
It remains to be seen how effective Windows Defender Application Guard is in protecting user systems, and how restrictive it is for users to work with.
Microsoft has not revealed yet if Application Guard will be made available to all editions of Windows 10. Also, it is unclear whether the company plans to expand the use of the feature to other applications on the system.
Now You: What's your take on Application Guard?
If you like our content, and would like to help, please consider making a contribution: