For the fourth post in this series, we’re going to look at what’s probably my favourite new feature of Client Hyper-V: Windows Defender Application Guard.
This is really cool, as it lets you isolate the biggest threat to your machine: surfing the web. Either manually or through defined policies, Microsoft Edge launches its session inside a protected virtual machine (a Hyper-V based container) that has no access to the host computer or operating system beyond what you explicitly allow (copy/paste, for example, is configurable). Any malware that gets downloaded during the browsing session lands inside the container rather than on the host, and the container is discarded as soon as Edge is closed.
Like Hyper-V itself, Windows Defender Application Guard is installed as a Windows Feature. We enable it by first going to appwiz.cpl and clicking Turn Windows features on or off on the left-hand side. In the Windows Features window, scroll all the way to the bottom and you will find Windows Defender Application Guard. If you don’t see it, your build or edition of Windows does not support it. As of Windows 10 1709, Enterprise edition is required to enable Windows Defender Application Guard, so if you don’t have that edition then it will be greyed out. From 1803, Microsoft allows you to implement Application Guard on Windows 10 Pro as well, having recognized the large benefit to consumer users.
If all is good, check the box to enable it and click OK. It will apply the changes and, sadly, prompt for a reboot.
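The same enablement can be scripted from an elevated PowerShell prompt, which is handier than the Windows Features dialog when you are doing it on more than one machine. The following is an added example, not code from the original post; the feature name Windows-Defender-ApplicationGuard and the build numbers for 1709 (16299) and 1803 (17134) are real, while the edition check against the OS caption string is a heuristic of my own, not a Microsoft-documented test.

```powershell
#Requires -RunAsAdministrator
# Added example: enable Windows Defender Application Guard from PowerShell.
# Assumes Windows 10 Enterprise 1709+ (or Pro 1803+, per the post) on hardware
# with virtualization enabled. The edition check below is a heuristic.

$os    = Get-CimInstance -ClassName Win32_OperatingSystem
$build = [int]$os.BuildNumber

# 1709 is build 16299; 1803 is build 17134.
if ($build -lt 16299) {
    throw "Application Guard needs Windows 10 1709 (build 16299) or later; this machine is build $build."
}

$isEnterprise = $os.Caption -match 'Enterprise'
$isPro        = $os.Caption -match '\bPro\b'
if (-not $isEnterprise -and -not ($isPro -and $build -ge 17134)) {
    throw "Edition '$($os.Caption)' on build $build cannot enable Application Guard; the feature will be greyed out."
}

# The container cannot start unless hardware virtualization is on. Note that this
# WMI property also reads False once a hypervisor already owns the CPU, so treat
# it as a warning rather than a hard failure.
$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
if (-not $cpu.VirtualizationFirmwareEnabled) {
    Write-Warning "VT-x/AMD-V is reported as disabled (or already claimed by a hypervisor); check firmware settings if enablement fails."
}

$featureName = 'Windows-Defender-ApplicationGuard'
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName

if ($feature.State -eq 'Enabled') {
    Write-Output "Application Guard is already enabled."
}
else {
    # -All pulls in any parent features the component depends on; -NoRestart lets
    # us control when the (unavoidable) reboot happens.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $featureName -All -NoRestart
    if ($result.RestartNeeded) {
        Write-Output "Feature enabled. Reboot before expecting 'New Application Guard Window' in Edge."
    }
    else {
        Write-Output "Feature enabled; no reboot was requested."
    }
}
```

Run it once, reboot, then re-run it: the second pass should report the feature as already enabled, which is a quick way to confirm the change stuck on a fleet of machines.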
Once we’ve rebooted, launch Microsoft Edge and click the ellipsis (…) button at the top right. Here you will see a New Application Guard Window option. Click this to start the initial build.
On first launch, this will take a few minutes to set up; subsequent windows open almost instantly. What’s more, there have been significant improvements to streaming performance within the AppGuard session, at least in the Insider release, so YouTube streams nicely.
If you only intend to use Application Guard on your own machine, you can stop here. However, if you’re looking at deploying it into your enterprise environment, there are additional considerations and scenarios we can configure to ensure AppGuard is appropriately used. Thankfully, there is a Group Policy template that contains all the relevant options, which we’ll look at in a separate post.
Play around with it, and make sure to provide feedback through the notification if/when it appears. People at Microsoft really do read the feedback!
As mentioned above, AppGuard runs inside a virtual machine. Your browser session is fully functional with its own underlying file system, so you can download files into the protected instance, edit them, and re-upload them again. Nothing in the session can touch your actual computer unless a policy explicitly allows it (the clipboard, for example), and downloaded files, as well as any malware, are purged when the browser session is closed.
Application Guard is relatively new in the development lifecycle, so it can only get better from here. I’d like to see better rendering and streaming performance, but as it stands it’s still an important consideration for your Windows 10 security strategy.
Hope this helps!