Microsoft celebrated my birthday and released the new Windows 10 fall update on October 17, 2017 with many new exciting features and updates, especially in the security field, which will be our main concern in this series of articles. My intent is to go through each new security feature targeted at endpoint users (Windows 10 users) one by one in a separate blog post, and we will start today with Windows Defender Application Guard.

What is Windows Defender Application Guard?

Windows Defender Application Guard is a new security feature in Windows 10 1709 that is integrated into the Edge browser (only Edge for now). It allows you and your organization's users to open and check suspicious or untrusted sites without affecting or exposing your operating system to any harm.

This works through the beauty of virtual machines (Windows Hyper-V): opening Edge in Application Guard mode simply opens the browser inside an isolated virtual machine, which completely isolates the site or sites opened in that mode from your operating system's core components as well as from your files and data. Once the Edge window is closed (and the virtual machine turned off), all the site data opened in the browser is deleted and completely wiped.

What are the modes of Defender Application Guard?

Windows Defender Application Guard comes in two flavors:

  1. Standalone: The user manually starts Edge in Application Guard mode when they are suspicious about opening a specific website and would like to test it in a secure mode. There are no policies (organization-enforced Group Policies) governing this; it is purely the user's own judgement.
  2. Enterprise: The organization sets rules and policies to identify trusted and untrusted sites. When a user tries to open one of the untrusted sites, the URL is loaded in the Application Guard Edge mode (the isolated virtual machine).
How to install Application Guard?

In general, Application Guard requires a computer capable of running virtualization; remember that Application Guard leverages virtual machine technology to isolate your suspicious URLs. Machines need to be 64-bit with virtualization extension support and some RAM for the virtual machine (Microsoft's recommendation is a system with at least 8 GB of RAM).

Application Guard is disabled by default, and you need to enable it from Control Panel – Turn Windows features on or off.

After enabling the feature, it gets installed and requires a reboot.

You can also install it using PowerShell and link it to Group Policy if needed for mass distribution.

For more info check the below article
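As an added example (not from the original post), here is the PowerShell installation route mentioned above, preceded by a check of the prerequisites the post lists; run it from an elevated prompt. The feature name Windows-Defender-ApplicationGuard and the CIM property names are assumed from a standard Windows 10 1709 build, not taken from the post.

```powershell
# Added example: verify Application Guard prerequisites (64-bit OS, virtualization
# extensions, >= 8 GB RAM recommended) and enable the Windows optional feature.
# Assumption: feature name Windows-Defender-ApplicationGuard (Windows 10 1709).

$minRamGB = 8

$is64Bit = [Environment]::Is64BitOperatingSystem
$cpu     = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
# Note: once Hyper-V is already running, firmware virtualization may report False
# because the hypervisor owns the extensions; treat this as a pre-Hyper-V check.
$vtOn    = [bool]$cpu.VirtualizationFirmwareEnabled
$ramGB   = [math]::Round((Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)

Write-Host "64-bit OS:                  $is64Bit"
Write-Host "Virtualization in firmware: $vtOn"
Write-Host "Physical RAM (GB):          $ramGB (recommended: $minRamGB)"

if (-not $is64Bit -or -not $vtOn) {
    Write-Warning "Machine does not meet the virtualization requirements; Application Guard will not run."
    return
}
if ($ramGB -lt $minRamGB) {
    Write-Warning "Less than $minRamGB GB of RAM; the container VM may be slow to start."
}

$feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
if ($feature.State -eq 'Enabled') {
    Write-Host "Application Guard is already enabled."
} else {
    # -NoRestart lets you schedule the required reboot through your management tool
    # instead of rebooting the machine immediately.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    if ($result.RestartNeeded) {
        Write-Host "Feature enabled; a reboot is required to finish the installation."
    }
}
```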
How will the user open Edge in Application Guard (Standalone)?

As agreed before, in the standalone mode the user manually opens Edge in Application Guard mode to examine and open any suspicious URL.

  1. The user opens the normal Edge browser – Settings – New Application Guard window.
  2. It takes a few minutes when you open it for the first time, as it prepares the environment and loads the isolated virtual machine. Later, when you open another URL, it works faster since the environment is already set up and the VM is up and running.
  3. A new Edge window is loaded with Application Guard enabled (shown at the top left).
How to apply Application Guard for enterprise users?

This is the second mode we discussed: applying the Application Guard settings for the enterprise using Group Policy.

  1. Install Application Guard as discussed earlier by enabling the respective Windows feature.
  2. For enterprise users we will control the settings using Group Policy, and for this reason we need to download the latest Windows 10 1709 Group Policy administrative templates (ADMX and ADML) and copy them to the domain controllers' central store.
  3. To download the latest 1709 administrative templates, please check the link below.
  4. By default the files are installed under C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Fall Creators Update (1709)\PolicyDefinitions.
  5. Copy the ADMX files from the local PolicyDefinitions folder (mentioned in step 4) to the central store PolicyDefinitions folder (I hope everyone is using a central store) under \\domain.com\SYSVOL\Domain.com\Policies\PolicyDefinitions.
  6. Repeat the same for the ADML files, from PolicyDefinitions\en-US in the local folder mentioned in step 4 to \\domain.com\SYSVOL\Domain.com\Policies\PolicyDefinitions\en-US. This ensures your domain controllers have the latest templates needed for the Network Isolation Group Policies.
  7. Next we need to set the Network Isolation policies for the computers. Create a new Group Policy for the computers OU – Edit Policy – Computer Configuration – Policies – Administrative Templates – Network – Network Isolation.
  8. There are two main settings that you need to configure, as shown in the above image:
     - Enterprise resource domains hosted in the cloud: these are enterprise-approved cloud resource domain URLs that will be opened in the normal Edge browser, for example * or/and *… etc.
     - Domains categorized as both work and personal: you can add a list of your internal or external work domains, as well as personal domains used by users, that are safe to open in the normal Edge browser.
  9. The next step is to enable Application Guard in enterprise mode using the Group Policy settings under Administrative Templates – Windows Components – Windows Defender Application Guard.
  10. Other settings in the same location (step 9) let you set the behavior of copying and pasting between sites opened in Application Guard and other components on the desktop, as well as print settings. You can enable or disable copying from the virtualized container to the host.
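Steps 4 to 6 above as a script, added here as an example and not taken from the original post: it copies the ADMX and ADML files to the central store and checks that the Application Guard and Network Isolation templates arrived. It assumes the default local template path named in step 4, domain.com as a placeholder domain, and AppHVSI.admx / NetworkIsolation.admx as the template file names (verify these against your download).

```powershell
# Added example: copy the 1709 Group Policy templates to the SYSVOL central store
# (steps 5 and 6 of the post) and verify the two templates this procedure depends on.
# Assumptions: default local install path, placeholder domain.com, and the template
# file names AppHVSI.admx and NetworkIsolation.admx.

$source  = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 Fall Creators Update (1709)\PolicyDefinitions'
$central = '\\domain.com\SYSVOL\domain.com\Policies\PolicyDefinitions'
$lang    = 'en-US'

foreach ($p in @($source, (Join-Path $source $lang))) {
    if (-not (Test-Path $p)) { throw "Source folder not found: $p" }
}
if (-not (Test-Path $central)) {
    # Create the central store if the domain never had one.
    New-Item -ItemType Directory -Path $central | Out-Null
}
New-Item -ItemType Directory -Path (Join-Path $central $lang) -Force | Out-Null

# Step 5: ADMX files to the root of the central store.
Copy-Item -Path (Join-Path $source '*.admx') -Destination $central -Force
# Step 6: matching ADML language files to the language subfolder.
Copy-Item -Path (Join-Path $source "$lang\*.adml") -Destination (Join-Path $central $lang) -Force

# Verify the templates that the Network Isolation and Application Guard settings need.
foreach ($name in 'AppHVSI', 'NetworkIsolation') {
    $admx = Join-Path $central "$name.admx"
    $adml = Join-Path $central "$lang\$name.adml"
    if ((Test-Path $admx) -and (Test-Path $adml)) {
        Write-Host "OK      $name.admx / $name.adml present in the central store"
    } else {
        Write-Warning "MISSING $name template; the Group Policy editor will not show its settings"
    }
}
```

Run it once from a machine that has the downloaded templates and write access to SYSVOL; the Group Policy editor on any domain controller then shows the new Network Isolation and Application Guard settings.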

So this concludes the first blog post in our new Windows 10 version 1709 Security features. Hopefully you are getting excited and see you on our next episode.