What is Microsoft Defender Application Guard?
Attackers often hijack browser sessions to steal or manipulate data. They also run malicious code through the browser to steal passwords, plant trojans and ransomware, and otherwise penetrate your network.
To protect against browser-based attacks, Microsoft came out with Application Guard.
Application Guard is a system designed to isolate browser sessions from the device so that bad actors are unable to compromise those sessions or gain access to stored data. It prevents bad actors from planting code on systems through browser sessions to untrusted sites (specifically when using Windows 10 and Microsoft Edge).
How does this work?
Microsoft 365 Security Administrators can explicitly define trusted websites, cloud resources, and networks. When a user attempts to access an untrusted site with Microsoft Edge or Internet Explorer, the site is opened in an isolated container – protecting the data stored on that system and preventing code from running outside of the isolated session.
Where can it be used?
Application Guard can be used on domain-joined systems. But with more and more users working remotely, often on their own devices, Microsoft has also made it available on BYOD (Bring Your Own Device) and other personal Windows devices. To implement Microsoft Defender Application Guard on devices not joined to your domain, you will need to manage these devices through Intune.
Once devices are configured to use Microsoft Defender Application Guard, it can be turned on or off on a Windows 10 Workstation.
Enabling Application Guard
Navigate to the Control Panel | Programs and Features | Install Windows Features and simply check the box “Microsoft Defender Application Guard”.
Using Application Guard Windows
After the Microsoft Defender Application Guard feature is turned on, Microsoft Edge shows a new menu option, “New Application Guard window”. When a user selects it, the session that is launched is completely isolated from the host.
What platform devices are supported?
Windows 10 Enterprise version 1709 and higher and Windows 10 Professional version 1803 and higher are supported. Note that some restrictions apply on Windows 10 Professional. Microsoft Edge and Internet Explorer are the supported browsers on both editions. Supported management systems include Microsoft Intune, Microsoft Endpoint Configuration Manager, Group Policy, and some third-party MDM solutions.
Group Policy configuration
Application Guard can be configured through Group Policy. Network isolation settings can be configured using the following template:
Computer Configuration\Administrative Templates\Network\Network Isolation
Application-specific settings can be configured with this template:
Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard
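As an added example (not from the article or from Microsoft), the following PowerShell audit script reports the three things an administrator would check after the steps above: the optional feature state, the Application Guard policy setting, and the network isolation lists that define trusted sites and networks. It assumes that the two Group Policy templates above write to the policy registry keys named in the script.

```powershell
# Added example, not from the original article: audit Microsoft Defender
# Application Guard on a Windows 10 workstation. Run from an elevated PowerShell session.
# Assumption: the two Group Policy templates write to these policy registry keys.
$hvsiKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'                   # Windows Components\Microsoft Defender Application Guard
$isoKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation' # Network\Network Isolation

# 1. Is the optional feature installed? (Same switch as Programs and Features.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
"Application Guard feature: $($feature.State)"
if ($feature.State -ne 'Enabled') {
    # To enable it from the shell instead of the Control Panel (a restart is required):
    # Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
    "Feature is not enabled; the 'New Application Guard window' option will not appear in Edge."
}

# 2. Is Application Guard turned on by policy?
# AllowAppHVSI_ProviderSet: 0 = off, 1 = Microsoft Edge, 2 = Office, 3 = both.
$provider = (Get-ItemProperty -Path $hvsiKey -Name 'AllowAppHVSI_ProviderSet' `
                -ErrorAction SilentlyContinue).AllowAppHVSI_ProviderSet
if ($null -eq $provider) {
    "Policy 'Turn on Microsoft Defender Application Guard' is not configured (standalone mode only)."
} elseif ($provider -eq 0) {
    "Application Guard is disabled by policy."
} else {
    "Application Guard is enabled by policy (provider set $provider)."
}

# 3. Are trusted sites, cloud resources and networks defined?
# In enterprise mode, anything outside these lists is treated as untrusted
# and opened in the isolated container.
foreach ($name in 'EnterpriseCloudResources', 'NeutralResources', 'DomainSubnets') {
    $value = (Get-ItemProperty -Path $isoKey -Name $name -ErrorAction SilentlyContinue).$name
    if ([string]::IsNullOrWhiteSpace($value)) {
        "Network isolation setting '$name' is not set."
    } else {
        "$name = $value"
    }
}
```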
With the addition of Microsoft Defender Application Guard, Microsoft is giving Security Administrators another tool that can be used to protect their networks against bad actors across the Internet. With the use of this tool, Administrators isolate malicious code lurking on websites while still giving users the freedom and security they need as they traverse the web.