A look at Windows Defender Application Guard extension for Firefox and Chrome
Microsoft released the extension Windows Defender Application Guard for Google Chrome and Mozilla Firefox recently.
Windows Defender Application Guard is a security feature designed to load untrusted sites and services in a lightweight virtual machine. It requires Windows 10 Professional or Enterprise at the time of writing, and works in standalone and Enterprise-managed modes. It requires at least Windows 10 version 1803.
The new browser extension brings Application Guard functionality to the third-party browsers Google Chrome and Mozilla Firefox.
Windows Defender Application Guard extension
Installation is slightly more complicated than installing another browser extension. The main reason for that is that you need to make sure that Application Guard is turned on as a feature on the device, and that you have installed the Microsoft Store companion app as well.
In other words: you may need to install three different applications before you can make use of it.
The following steps are required:
- Enable Windows Defender Application Guard on the device if it is not turned on already. Make sure the system meets the hardware and software requirements.
- Install the Windows Defender Application Guard companion application from the Microsoft Store.
- Install the Google Chrome extension or the Mozilla Firefox add-on.
- Enterprise-only: Define network isolation settings to define a list of trusted sites that you may access using Chrome or Firefox.
- Restart the device.
Using the extension
The extension highlights if all requirements are met after installation. You should see three green lights indicating that the device is compatible, that the companion app is installed, and that Application Guard is turned on.
How the extension is used depends largely on the edition of Windows 10.
Note: You may want to turn off diagnostic data collecting that is enabled by default. Just click on the extension icon and toggle "Allow Microsoft to collect diagnostic data" to do so.
Standalone mode
Windows 10 Pro users and Enterprise users who choose standalone mode get very little out of the extension as it does not work automatically in that mode.
All you can do, really, is to click on the extension icon and there on the "New application guard window" button to start a new Application Guard instance of Microsoft Edge.
More comfortable than having to launch Application Guard instances from Microsoft Edge manually, but not by much and probably not worth the hassle of installing the extension and Microsoft Store application.
Enterprise-managed mode
Enterprise administrators have additional configuration options that automate the experience. All that is required for that is to set up network isolation settings; these define trusted sites, e.g. an IP address range, that users may access using the third-party browsers the extension is installed in.
Any site not on the trust list is automatically redirected to the Microsoft Edge Application Guard instance.
When users navigate to a site, the extension checks the URL against a list of trusted sites defined by enterprise administrators. If the site is determined to be untrusted, the user is redirected to an isolated Microsoft Edge session. In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as trusted by their organization without any risk to the rest of system.
Microsoft plans to extend the functionality by loading trusted sites opened in the Application Guard instance in the third-party browser.
With our upcoming dynamic switching capability, if the user tries to go to a trusted site while in an isolated Microsoft Edge session, the user is taken back to the default browser.
Closing Words
The Windows Defender Application Guard extension is a useful browser extension for Enterprise environments in which supported third-party browsers are permitted. It seems less likely that it will see a lot of traction on Pro devices though due to the limitations.
Now You: Do you use Application Guard or other browsing virtualization services?
We need your help
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Previous Post: « Making Ctrl, Shift, and Cmd clicks on Link work all the time
Next Post: Block Helpdesk and Chat popups in your browser »
I tried this when it came out for Edge exclusively and even with Edge was a bit sluggish and especially with scrolling. I just felt SmartScreen did a lot of pre scanning anyway so this was just overkill. Adding a extension to Chrome or Firefox but then opening a Edge Window to isolate a site seems so overly complicated and confusing. Sort of feel this is a afterthought that doesn’t really work.
I’m sure this won’t report all ur’s you viist to Microsoft.
It does by default. You’re opted in from the start, but you can go to settings, and turn it off.
So Microsoft found a way to get me to login to the Microsoft account using a foreign browser. No thanks.
Why would you do so? This is not required for installing apps from Microsoft Store.
PS
You should consider stopping using Windows. It is made by evil Microsoft.
Caution, last time I tried, it destroyed Opera profile
Chrome has this build in for any version of Windows.
I have to downgrade to W10, to improve my security…
Now, THAT is funny.
It ain’t gonna happen.
I know, right? Windows 7 is more secure and more function and you don’t even need to use any antivirus protection other than the one called “Common Sense”.
Adding the requirement of the store is a steel toe in the starfish hole, I fucking hate the new Microsoft.
WDAG runs cmimageworker.exe which uses >80% of my CPU in Windows 10 Pro 1809, so I disabled WDAG again.
It is falsely seen as a cryptominer/virus, but it does cause trouble on 1809 and 19H1.
https://techdows.com/2018/12/cmiimageworker-exe-on-windows-10-19h1-build-using-high-cpu-is-a-bug-not-a-virus-says-microsoft.html
The MS store links opens a 3rd party website.
Thank you, corrected the link!