Windows Defender Application Guard (WDAG) runs the Microsoft Edge browser in an isolated, virtualized container. If a malicious website exploits a flaw in Edge, the attack stays inside that container and does not compromise your PC. Application Guard is disabled by default.
With the April 2018 Update, users of Windows 10 Pro can now enable Application Guard. Before that, the feature was available only in Windows 10 Enterprise. Windows 10 Home users who want Application Guard will have to upgrade to Windows 10 Pro.
System Requirements
Application Guard only works with Microsoft Edge. When enabled, Windows can run Edge in a protected and isolated container.
Windows uses Microsoft’s Hyper-V virtualization technology for this. Application Guard requires a PC with Intel VT-x or AMD-V virtualization hardware, a 64-bit CPU with at least 4 cores, 8GB of RAM, and 5GB of free disk space.
Enabling Windows Defender Application Guard
- Open Control Panel, click Programs, and then click Turn Windows Features On or Off.
- Find “Windows Defender Application Guard” in the list, check it, and then click the “OK” button.
If you don’t see the option in this list, you’re either using a Home version of Windows 10 or you haven’t upgraded to the April 2018 Update yet.
If the feature appears grayed out, your PC doesn’t support it: either it lacks Intel VT-x or AMD-V hardware, virtualization is turned off in your PC’s BIOS and needs to be enabled, or it has less than 8GB of RAM.
Windows will install the Windows Defender Application Guard feature. When it’s done, you’ll be prompted to restart your PC. You must restart your PC before you can use this feature.
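As an added example (not code from the original article), the following PowerShell script checks the prerequisites listed above, reports whether the optional feature is already installed, and runs the command-line equivalent of ticking the box in “Turn Windows Features On or Off”. It assumes the DISM feature name Windows-Defender-ApplicationGuard, which you can confirm with Get-WindowsOptionalFeature -Online before relying on it, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example, not part of the original article. Checks the article's prerequisites
# (64-bit CPU, 4 cores, 8 GB RAM, 5 GB free, VT-x/AMD-V) and the optional feature state,
# then installs the feature the same way the Windows Features dialog does.
# Assumed: the DISM feature name below. Confirm it with
#   Get-WindowsOptionalFeature -Online | Where-Object FeatureName -like '*ApplicationGuard*'
$WdagFeatureName = 'Windows-Defender-ApplicationGuard'   # assumed feature name

function Test-WdagPrerequisites {
    param(
        [int]$MinCores       = 4,   # thresholds taken from the article
        [int]$MinMemoryGB    = 8,
        [int]$MinFreeSpaceGB = 5
    )

    $os       = Get-CimInstance Win32_OperatingSystem
    $cpus     = Get-CimInstance Win32_Processor
    $sys      = Get-CimInstance Win32_ComputerSystem
    $sysDrive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')

    $is64Bit  = $os.OSArchitecture -like '64*'
    $cores    = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum
    $memoryGB = [math]::Round($sys.TotalPhysicalMemory / 1GB, 1)
    $freeGB   = [math]::Round($sysDrive.Free / 1GB, 1)
    # VirtualizationFirmwareEnabled reflects the VT-x/AMD-V switch in the BIOS. Once Hyper-V
    # already owns the hardware it reads $false, so HypervisorPresent is accepted as well.
    $virt     = ($cpus.VirtualizationFirmwareEnabled -contains $true) -or $sys.HypervisorPresent
    $isHome   = $os.Caption -match 'Home'   # Home editions do not offer the feature

    [pscustomobject]@{
        Is64Bit           = $is64Bit
        Cores             = $cores
        MemoryGB          = $memoryGB
        FreeSpaceGB       = $freeGB
        VirtualizationOn  = $virt
        EditionSupported  = -not $isHome
        MeetsRequirements = $is64Bit -and $virt -and -not $isHome -and
                            $cores -ge $MinCores -and $memoryGB -ge $MinMemoryGB -and $freeGB -ge $MinFreeSpaceGB
    }
}

function Get-WdagFeatureState {
    # Returns 'Enabled', 'Disabled', or 'NotAvailable' (feature unknown on this edition or build).
    try {
        $feature = Get-WindowsOptionalFeature -Online -FeatureName $WdagFeatureName -ErrorAction Stop
        if ($feature) { $feature.State.ToString() } else { 'NotAvailable' }
    } catch { 'NotAvailable' }
}

function Enable-Wdag {
    # Same effect as ticking the box in the Windows Features dialog; a restart is still required.
    Enable-WindowsOptionalFeature -Online -FeatureName $WdagFeatureName -NoRestart
}

$check = Test-WdagPrerequisites
$check | Format-List
$state = Get-WdagFeatureState
Write-Host "Application Guard feature state: $state"
if ($check.MeetsRequirements -and $state -eq 'Disabled') {
    Enable-Wdag | Out-Null
    Write-Host 'Feature installed. Restart the PC to finish enabling Application Guard.'
}
```

If the result shows VirtualizationOn as False while the CPU supports it, the fix is the BIOS setting mentioned above, not a Windows setting; the script deliberately does not try to enable the feature in that case because the install would succeed but the container could never start.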
Launching Edge in Application Guard
By default, Edge runs in normal browsing mode, but now, you can open a secure browsing window that’s protected with Application Guard. To do this,
- Launch Microsoft Edge normally, click Menu and then click on New Application Guard Window.
This opens a separate Edge browser window. The orange Application Guard text at the top-left corner of the window lets you know that the browser is now protected with Application Guard.
From this window you can open further windows, including a private window; all of them will show the orange Application Guard text.
The Application Guard window has a separate taskbar icon that has a blue Edge “e” logo with a gray shield icon on it.
If you download and open files, Edge may launch document viewers or other applications in Application Guard mode as well. Any app running in Application Guard mode shows the same gray shield on its taskbar icon.
While in the Guard mode, you will not be able to use Edge’s Favorites or Reading list features. Any browser history created will be removed and all cookies will be cleared when you sign out of your PC. You will have to sign back into your websites whenever you begin to use the Guard mode.
The isolated Edge browser cannot access your regular file system, so in Guard mode you can’t download files to your system or upload files from your normal folders to websites. Certain file types, including .exe files, can’t be downloaded at all, but you can view PDFs and other documents. Downloaded files are stored in a special Application Guard file system and are erased when you sign out of your PC.
Copying and pasting is also not allowed in the Guard mode.
Microsoft provides a few options to lift these limitations, but these restrictions are the default settings.
Configuring Windows Defender Application Guard
Application Guard and its restrictions can be configured through Group Policy. On a Windows 10 Pro PC:
- Click Start, type “gpedit.msc,” and then press Enter to launch the Local Group Policy Editor.
(The Group Policy Editor is not available on Windows 10 Home.)
- Head to Computer Configuration, then Administrative Templates, then Windows Components, and finally Windows Defender Application Guard.
- To enable “data persistence” and have WDAG save your favorites, browser history, and cookies, double-click on “Allow data persistence for Windows Defender Application Guard”, then select “Enabled,” and click “OK.” Application Guard won’t erase its data if you sign out of your PC.
- To let Edge download files to your normal system folders, double-click the “Allow files to download and save to the host operating system from Windows Defender Application Guard” setting, set it to “Enabled,” and finally click “OK.”
Files you download in the Guard mode will now be saved to an “Untrusted Files” folder in your regular Downloads folder.
To allow Edge access to your regular system clipboard, double-click “Configure Windows Defender Application Guard clipboard settings”, then click “Enabled” and customize your clipboard settings with the instructions laid down there. For instance, you can enable clipboard operations from the Application Guard browser to the normal operating system or from the normal operating system to the Application browser or in both. You could also choose if you want to allow text copying, image copying or both. When you’re done, click OK.
Microsoft recommends against allowing copying from your host operating system into the Application Guard session: if the isolated browser session is compromised, it can read whatever is on your computer’s clipboard.
To enable printing, double-click the “Configure Windows Defender Application Guard print settings” option. Click “Enabled” and customize your printer settings using the options here. For example, you could enter “4” to enable printing only to local printers, “2” to enable printing only to PDF files, or “6” to allow printing only to local printers and PDF files. Click “OK” when you’re done.
If you enable printing to PDF or XPS files, Application Guard will let you save those files on the host operating system’s regular file system.
After changing these settings, restart your PC; the changes won’t be applied until you do.
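As an added example (not code from the original article), this PowerShell audit reads the Group Policy settings described in this section and flags the ones that relax the isolation: data persistence, saving downloads to the host, and especially host-to-container clipboard access. It assumes that the Local Group Policy Editor writes these policies to HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI with the value names used in the script, and that the clipboard values map as shown in the comments; both are assumptions to verify against your own policy store before using the output for anything more than a first look.

```powershell
# Added example, not part of the original article. Audits the Application Guard policies
# from the section above and reports which ones weaken the isolation.
# Assumed (verify on your system): policies live under the key below with these value names.
function Get-WdagPolicyAudit {
    param(
        [string]$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'   # assumed location
    )

    # A missing value means the policy is "Not Configured", which is the restrictive default.
    function Read-Policy([string]$Name) {
        try { (Get-ItemProperty -Path $PolicyKey -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    $persistence = [int](Read-Policy 'AllowPersistence')          # 1 = keep favorites, history, cookies after sign-out
    $saveToHost  = [int](Read-Policy 'SaveFilesToHost')           # 1 = downloads land in Downloads\Untrusted Files
    $clipDir     = [int](Read-Policy 'AppHVSIClipboardSettings')  # assumed: 1 = container->host, 2 = host->container, 3 = both
    $clipType    = [int](Read-Policy 'AppHVSIClipboardFileType')  # assumed: 1 = text, 2 = images, 3 = both
    $printing    = [int](Read-Policy 'AppHVSIPrintingSettings')   # bit flags; 2 = PDF, 4 = local printers (values from the article)

    $hostToContainer = ($clipDir -band 2) -ne 0

    $findings = @()
    if ($persistence -eq 1) { $findings += 'Data persistence enabled: history and cookies survive sign-out' }
    if ($saveToHost -eq 1)  { $findings += 'Downloads can be saved to the host (Downloads\Untrusted Files)' }
    if ($hostToContainer)   { $findings += 'Host-to-container clipboard allowed: a compromised session can read what you copy on the host' }

    # Decode only the print targets the article documents; anything else is reported raw.
    $printTargets = @()
    if (($printing -band 2) -ne 0) { $printTargets += 'PDF' }
    if (($printing -band 4) -ne 0) { $printTargets += 'local printers' }
    if (($printing -band -bnot 6) -ne 0) { $printTargets += "other targets (raw value $printing)" }

    [pscustomobject]@{
        PolicyKeyPresent   = Test-Path $PolicyKey
        DataPersistence    = ($persistence -eq 1)
        SaveFilesToHost    = ($saveToHost -eq 1)
        ClipboardDirection = switch ($clipDir) { 1 { 'container->host' } 2 { 'host->container' } 3 { 'both' } default { 'disabled' } }
        ClipboardContent   = switch ($clipType) { 1 { 'text' } 2 { 'images' } 3 { 'text+images' } default { 'n/a' } }
        PrintingTargets    = if ($printTargets) { $printTargets -join ', ' } else { 'disabled' }
        IsolationWeakened  = $findings
    }
}

Get-WdagPolicyAudit | Format-List
```

Run it before and after editing the policies (and after the restart) to confirm that only the relaxations you intended are in effect; an empty IsolationWeakened list means the session still runs with the defaults described earlier in the article.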