Monday, February 18, 2019

Windows Defender Application Guard

This time let’s give Windows Defender Application Guard a very simple test:

You can test this on a physical client or a Hyper-V client. Take a look here for the requirements:

Testing Windows Defender Application Guard on a VM

The test will be done in an enterprise Active Directory domain (Enterprise-managed mode).

First, let's create a Group Policy Object (GPO) for Windows Defender Application Guard and apply it to the OU holding our clients.

Go to the following setting:

Computer Configuration\Policies\Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud

In the Enterprise cloud resources field you can enter a pipe-separated (|) list of cloud resource domains (the trusted domains).

The domains you enter here will be rendered using Microsoft Edge (or Internet Explorer) and won't be accessible from the Application Guard environment.

You can use a leading "." as a wildcard character to trust subdomains. Configuring will automatically trust and etc.
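To sanity-check a list before putting it in the GPO, here is a simplified model of the pipe-separated list and leading "." wildcard described above (an added example, not part of the original post and not Microsoft's matching code). The function names, the reserved example domains and the rule that the wildcard does not cover the bare parent domain are assumptions.

```powershell
# Added example: simplified model of the trusted-domain list, not Microsoft's code.
function ConvertFrom-CloudResourceList {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$PolicyValue)
    # Split on the pipe separator, normalise case, drop empty entries.
    $PolicyValue.Split('|') |
        ForEach-Object { $_.Trim().ToLowerInvariant() } |
        Where-Object { $_ -ne '' }
}

function Test-TrustedHost {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][AllowEmptyCollection()][string[]]$Entries
    )
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) {
        throw "Not an absolute URL: $Url"
    }
    $hostName = $uri.Host.ToLowerInvariant()
    foreach ($entry in $Entries) {
        if ($entry.StartsWith('.')) {
            # Leading "." is the wildcard: subdomains of the suffix match.
            # Assumption: the bare parent domain is not covered by the wildcard.
            if ($hostName.EndsWith($entry, [StringComparison]::Ordinal)) { return $true }
        }
        elseif ($hostName -eq $entry) {
            return $true   # exact host name match
        }
    }
    return $false
}

# Constructed policy value and test URLs (reserved example domains).
$policy  = 'portal.example.com|.example.org'
$entries = @(ConvertFrom-CloudResourceList -PolicyValue $policy)
$urls = 'https://portal.example.com/', 'https://mail.example.org/',
        'https://example.org/', 'https://notexample.org/',
        'https://portal.example.com.example.net/'

foreach ($url in $urls) {
    $trusted = Test-TrustedHost -Url $url -Entries $entries
    [pscustomobject]@{
        Url     = $url
        OpensIn = if ($trusted) { 'Host browser' } else { 'Application Guard' }
    }
}
```

Only the first two URLs are reported as opening in the host browser; the look-alike hosts that merely contain a trusted name fall through to Application Guard.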


Next go to:

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode

Enable Windows Defender Application Guard for Microsoft Edge by setting the option to 1:


Update group policies on the client by running gpupdate /force


Let's open Edge and go to, since this is a trusted domain the site will open directly on the host PC instead of in Windows Defender Application Guard.


Now let's try a site not in the trusted list like this time we will be redirected to the hardware-isolated Edge environment, shown with the icon in the upper left-hand corner:


Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load and show you this message. However, subsequent starts should occur without delays.


Now let's try the same in Internet Explorer, still opens directly in Internet Explorer:

image will again be redirected to the hardware-isolated Edge environment:


If you try to copy to or from the Windows Defender Application Guard Edge browser you will see the message:

Your admin doesn’t allow you to copy and paste this content between Application Guard and other apps.


Stay tuned until next time, when we will test some more Windows Defender Application Guard settings.
