
Monday, February 18, 2019

Windows Defender Application Guard

This time let's give Windows Defender Application Guard a very simple test.

You can test this on a physical client or a Hyper-V client; take a look here for the requirements:

Testing Windows Defender Application Guard on a VM

The test will be done in an enterprise Active Directory domain (Enterprise-managed mode).

First, let's create a Group Policy Object (GPO) for Windows Defender Application Guard and link it to the OU holding our clients.

Go to the following setting:

Computer Configuration\Policies\Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud

In the Enterprise cloud resources field you can enter a pipe-separated (|) list of cloud resource domains (trusted domains).

The domains you enter here will be rendered on the host using Microsoft Edge (or Internet Explorer) and won't be accessible from the Application Guard environment.

You can use a leading "." as a wildcard character to trust subdomains. Configuring ".mindcore.dk" will automatically trust subdomain1.mindcore.dk, subdomain2.mindcore.dk, etc.


Next go to:

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode

Enable Windows Defender Application Guard for Microsoft Edge by setting the option to 1:

Update group policy on the client by running gpupdate /force.
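Once the GPO has been applied, it is worth confirming on the client which values actually arrived before opening a browser. The PowerShell below is an added example, not code from the original post: it reads the Network Isolation and Application Guard policy values, checks that the Application Guard feature is installed, and predicts from the pipe-separated trusted list whether a given URL opens on the host or in the container, using the leading-dot wildcard rule described above. The registry paths and value names are assumptions based on the ADMX templates (verify them against your own policy definitions), the sample domain list is constructed, and treating a dot-entry as also matching its apex domain is an assumption the post does not state.

```powershell
# Added example (not from the original post). Registry locations below are
# assumptions from the ADMX templates; confirm them in your environment.

function Get-WdagPolicyState {
    $isolationKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
    $appHvsiKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'

    # "Enterprise resource domains hosted in the cloud" (pipe-separated string)
    $cloud = (Get-ItemProperty -Path $isolationKey -Name 'EnterpriseCloudResources' `
                -ErrorAction SilentlyContinue).EnterpriseCloudResources
    # "Turn on Windows Defender Application Guard in Enterprise Mode" (1 = Edge)
    $mode  = (Get-ItemProperty -Path $appHvsiKey -Name 'AllowAppHVSI_ProviderSet' `
                -ErrorAction SilentlyContinue).AllowAppHVSI_ProviderSet

    # Feature query needs an elevated session; report $null if it cannot be read
    $feature = $null
    try {
        $feature = (Get-WindowsOptionalFeature -Online `
                      -FeatureName 'Windows-Defender-ApplicationGuard').State -eq 'Enabled'
    } catch { }

    [pscustomobject]@{
        EnterpriseCloudResources = $cloud
        AllowAppHVSI_ProviderSet = $mode
        FeatureInstalled         = $feature
    }
}

function ConvertFrom-TrustedDomainList {
    # Split the pipe-separated policy value into normalised entries
    param([string]$List)
    if ([string]::IsNullOrWhiteSpace($List)) { return @() }
    $List.Split('|') | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ }
}

function Test-WdagTrustedHost {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string[]]$TrustedDomains
    )
    $hostName = ([uri]$Url).Host.ToLowerInvariant()
    foreach ($entry in $TrustedDomains) {
        if ($entry.StartsWith('.')) {
            # Leading dot: any subdomain matches. Matching the apex itself
            # (mindcore.dk for ".mindcore.dk") is an assumption of this example.
            if ($hostName.EndsWith($entry) -or $hostName -eq $entry.TrimStart('.')) { return $true }
        } elseif ($hostName -eq $entry) {
            # Plain entry: exact host match only
            return $true
        }
    }
    return $false
}

function Get-WdagOpenLocation {
    # Predicts where Edge/IE will render the URL once Application Guard is enabled
    param([string]$Url, [string[]]$TrustedDomains)
    if (Test-WdagTrustedHost -Url $Url -TrustedDomains $TrustedDomains) {
        'host browser (trusted domain)'
    } else {
        'Application Guard container'
    }
}

# Constructed sample list mirroring the post; replace with the live value below
$sample = ConvertFrom-TrustedDomainList -List '.mindcore.dk|intranet.example.local'
foreach ($u in 'https://www.mindcore.dk', 'https://subdomain1.mindcore.dk', 'https://www.microsoft.com') {
    '{0,-35} -> {1}' -f $u, (Get-WdagOpenLocation -Url $u -TrustedDomains $sample)
}

# Against the client's applied policy (run after gpupdate /force):
# $state = Get-WdagPolicyState
# $state
# Get-WdagOpenLocation -Url 'https://www.microsoft.com' `
#     -TrustedDomains (ConvertFrom-TrustedDomainList $state.EnterpriseCloudResources)
```

With the constructed list, the first two URLs resolve to the host browser and www.microsoft.com to the container, which is exactly the behaviour the tests below expect; if `AllowAppHVSI_ProviderSet` comes back empty, the GPO has not reached the client yet and no redirection will happen regardless of the trusted list.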

Let's open Edge and go to https://www.mindcore.dk. Since this is a trusted domain, the site opens directly on the host PC instead of in Windows Defender Application Guard.

Now let's try a site that is not in the trusted list, such as https://www.microsoft.com. This time we are redirected to the hardware-isolated Edge environment, indicated by the icon in the upper left-hand corner:

Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load and show you this message. However, subsequent starts should occur without delays.


Now let's try the same in Internet Explorer. https://www.mindcore.dk still opens directly in Internet Explorer:

www.microsoft.com will again be redirected to the hardware-isolated Edge environment:


If you try to copy to or from the Windows Defender Application Guard Edge browser, you will see the message:

Your admin doesn’t allow you to copy and paste this content between Application Guard and other apps.

Stay tuned until next time, when we will test some more Windows Defender Application Guard settings.
