Posey's Tips & Tricks

Windows Defender Application Guard: First Look

Of the many security improvements Microsoft made to the latest Windows 10 release, the ability to wall-off the Edge browser against malware attacks is one of the most critical.

Some of the biggest improvements that Microsoft has made in Windows 10 version 1903, released this past May, are related to security. One of my personal favorites is Windows Defender Application Guard.

If you haven't heard of this feature, it launches the Edge browser in an isolated environment as a way to protect your PC and your data from malware. For whatever reason, this feature hasn't gotten much press. Even so, it is definitely worth taking the time to install it.

You can install Windows Defender Application Guard by opening the Control Panel (enter the Control command at the Run prompt) and clicking on the Programs link, followed by the option to turn Windows features on or off. As you scroll through the list of features, you will see an option for Windows Defender Application Guard, as shown in Figure 1. Select this option and click OK. Upon doing so, Windows will install Windows Defender Application Guard. It is worth noting that you will be required to restart your PC following the installation process.

Figure 1: Select the option to install Windows Defender Application Guard and click OK.

Once the installation process is complete, you can access the settings for Windows Defender Application Guard by clicking on the Start menu and choosing the Windows Security option. You can see what the Windows Security interface looks like in Figure 2.

[Click on image for larger view.] Figure 2: This is what the Windows Security interface looks like.

As you look at the figure above, you will notice that there are several tabs on the left side of the window. Click on the tab labeled App and Browser Control.

When the App and Browser Control screen appears, scroll down until you locate the Isolated Browsing section, which you can see at the bottom of Figure 3. Now click on the Change Application Guard Settings link.

[Click on image for larger view.] Figure 3: Click on the Change Application Guard Settings link, found in the Isolated Browsing section.

As previously noted, Windows Defender Application Guard is designed to protect you against Web-based malware by enforcing browser isolation. As such, there are several browser capabilities that are disabled by default. These include things like copy and paste, and the ability to print. The Windows Defender Application Guard Settings screen, which you can see in Figure 4, gives you the ability to enable these features on an as-needed basis. However, Microsoft warns that doing so could make browsing less secure.

[Click on image for larger view.] Figure 4: These are the Windows Defender Application Guard settings.

My advice is to leave these settings disabled unless you really need them. Remember: These settings do not apply to the normal browser. They only apply when you open a Windows Defender Application Guard browsing window.

Now that I have shown you how to enable and configure Windows Defender Application Guard, the big question is: How do you use it? Somewhat surprisingly, there does not seem to be a Start menu option for launching a Windows Defender Application Guard-protected browsing session, nor can you enable Windows Defender Application Guard by right-clicking on the Edge icon.

If you want to use Windows Defender Application Guard, you will have to open the Edge browser in the usual way, then click on the browser's menu. There is a menu option to open a new Windows Defender Application Guard session.

At first glance, the Windows Defender Application Guard browsing window looks exactly like any other Edge browser window. However, there are a few things that indicate that you are working within a protected browser. If you look at Figure 5, you can see that there is a black icon in the upper-left portion of the screen to indicate that you are using a Windows Defender Application Guard window. Similarly, Windows displays an icon at the bottom of the screen showing a shield over the normal Edge icon. Also, if you click on the browser's menu, you will find that some of the options (such as extensions) are grayed out.

[Click on image for larger view.] Figure 5: This is what the Windows Defender Application Guard-protected Edge browser looks like.

Windows 10 version 1903 is still relatively new, so I haven't had a lot of time to play around with the Windows Defender Application Guard protected browser window. Even so, I think that it has a lot of potential. My only real complaint is that I wish that Microsoft would adopt a "secure by default" stance in which Edge always opens in Windows Defender Application Guard mode, but provides an option to open in a normal browser mode.

Despite this minor complaint, I do have to give kudos to Microsoft for making Windows Defender Application Guard available to other browsers by way of a browser extension.

About the Author

Brien Posey is a 22-time Microsoft MVP with decades of IT experience. As a freelance writer, Posey has written thousands of articles and contributed to several dozen books on a wide variety of IT topics. Prior to going freelance, Posey was a CIO for a national chain of hospitals and health care facilities. He has also served as a network administrator for some of the country's largest insurance companies and for the Department of Defense at Fort Knox. In addition to his continued work in IT, Posey has spent the last several years actively training as a commercial scientist-astronaut candidate in preparation to fly on a mission to study polar mesospheric clouds from space. You can follow his spaceflight training on his Web site.


comments powered by Disqus

Subscribe on YouTube