In this post we’ll configure Windows Defender Application Guard. Windows Defender Application Guard is a Windows 10 feature that protects the host: when an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated environment that is separate from the host OS. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected and the attacker can’t get to your enterprise data.

There are some prerequisites to enable Windows Defender Application Guard:

  • 64-Bit CPU
  • CPU virtualization extensions: Extended page tables, also called Second Level Address Translation (SLAT)
  • CPU virtualization extensions: VT-x (Intel) or AMD-V
  • 4 Core processor (minimum)
  • 8 GB Ram (minimum)
  • 5 GB Free Space, SSD is recommended
  • Input/Output Memory Management Unit (IOMMU) support (Not required, but strongly recommended)

As we are going to enable and test Windows Defender Application Guard in a Virtual Machine, we need to enable Nested Virtualization.

Existing setup done:

  1. Two Local users created
  2. Azure AD Connect configured
  3. Seamless Single Sign-On (IE) configured
  4. Seamless Single Sign-On (Firefox) configured
  5. Hybrid Azure AD Join configured
  6. Intune enrollment – Domain Joined Windows 10 devices
  7. Azure AD Join
  8. Office 365 Pro Plus Application
  9. Sample SharePoint Team Site
  10. OneDrive Known Folder Migration and SharePoint library sync
  11. Copy necessary files (Win32 App)
  12. Set Desktop Background, Lock Screen and Screensaver
  13. Adding applications to StartUp folder
  14. Adding some 3rd Party applications (Browsers)
  15. Microsoft Store for Business configuration and integration and Store Apps.

Existing setup:

  1. SkyDC: Machine with ADDS, DNS, DHCP role
  2. SkyCON: Machine where we will install Azure AD Connect
  3. SkyCM: Machine with Configuration Manager Current Branch
  4. SkyTEN1: Domain Joined Windows 10 machine
  5. SkyTEN2: Domain Joined Windows 10 machine
  6. SkyTEN3i: Domain Joined Windows 10 machine (Intune Managed)
  7. SkyTEN4i: Domain Joined Windows 10 machine (Intune Managed)
  8. SkyTEN5i: Azure AD Joined Windows 10 (Intune Managed)
  9. SkyTEN6i: Azure AD Joined Windows 10 (Intune Managed)
  10. SkyTEN7i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
  11. SkyTEN8i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)

Prepare Client hardware

Enable Nested virtualization

For this we’ll use one of the previously created VM SkyTEN4i.

Open PowerShell in Administrative context on the Hyper-V host and execute the below command (the VM must be turned off while its processor settings are changed):

Set-VMProcessor -VMName virtualmachinename -ExposeVirtualizationExtensions $true

Increase Memory and processor count:

Install Hyper-V in the VM:

Start the machine.

Open Control Panel and click on Programs and Features.

Click on Turn Windows features on or off.

Check the box against Hyper-V and click OK.

Click on Restart now. The VM will restart.
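The whole "Prepare Client hardware" procedure above, as an added PowerShell example (not the post's own script). Part 1 runs on the Hyper-V host, part 2 inside the guest; the VM name SkyTEN4i is taken from the post, and the 4-core / 8 GB / 5 GB thresholds are the post's minimums.

```powershell
# Added example, not from the original post. Part 1 runs on the Hyper-V HOST,
# part 2 inside the guest. VM name 'SkyTEN4i' is taken from the post; the
# 4-core / 8 GB / 5 GB figures are the post's minimum requirements.

# ---------- Part 1: Hyper-V host (elevated PowerShell) ----------
$VMName = 'SkyTEN4i'

# Processor and memory settings can only be changed while the VM is off.
Stop-VM -Name $VMName -Force

# Expose VT-x/AMD-V and SLAT to the guest (nested virtualization) and give
# it the minimum core count. Dynamic memory is turned off because nested
# virtualization requires a fixed memory allocation for the outer VM.
Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true -Count 4
Set-VMMemory    -VMName $VMName -DynamicMemoryEnabled $false -StartupBytes 8GB

# Nested VMs (such as the Application Guard container) need MAC address
# spoofing enabled on the outer VM's network adapter to reach the network.
Set-VMNetworkAdapter -VMName $VMName -MacAddressSpoofing On

Start-VM -Name $VMName

# ---------- Part 2: inside the guest SkyTEN4i (elevated PowerShell) ----------
# Report the prerequisites from the list above as the guest sees them.
$cpu    = Get-CimInstance Win32_Processor
$ramGB  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory / 1GB
$freeGB = (Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='C:'").FreeSpace / 1GB
$check = [pscustomobject]@{
    Cores  = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
    SLAT   = [bool]($cpu.SecondLevelAddressTranslationExtensions -contains $true)
    VTx    = [bool]($cpu.VirtualizationFirmwareEnabled -contains $true)
    RamGB  = [math]::Round($ramGB, 1)
    FreeGB = [math]::Round($freeGB, 1)
}
$check | Format-List
if ($check.Cores -lt 4 -or $check.RamGB -lt 8 -or $check.FreeGB -lt 5 -or
    -not $check.SLAT -or -not $check.VTx) {
    throw 'Guest does not meet the Application Guard minimums; fix the VM settings first.'
}

# Same as "Turn Windows features on or off" -> Hyper-V, followed by the reboot.
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All -NoRestart
Restart-Computer
```

If SLAT or VTx reports False inside the guest, the ExposeVirtualizationExtensions change on the host did not take effect and Application Guard will not be able to start its container.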

Create a Network Isolation Policy

This policy is to define the Trusted Network.

Login to Azure portal.

Navigate to Intune -> Device configuration -> Profiles. Click on +Create profile.

Enter appropriate Name and Description. I have entered:

Name: Win 10 Network Boundary Policy

Description: Windows 10 Network Boundary Policy

In Platform, select Windows 10 and later.

In Profile type, select Network boundary.

In Settings – Configure, under Network boundary, have the below:

Boundary type: Network domain

Value: your_domain

Click Add.

Have the below:

Boundary type: Cloud resources

Value: .sharepoint.com|.office.com|.office365.com|.lync.com|.microsoft.com|.powerbi.com|.windowsazure.com|.bing.com

Note: add other websites that you want as part of cloud resources.

Click Add.

Have the below:

Boundary type: Neutral resources

Value: login.microsoftonline.com,login.windows.net,account.activedirectory.windowsazure.com

Click Add.

Click OK.

Click Create.

Click Assignments and select group appropriately.

As I enabled nested virtualization on one of the machines, I need to select the group which has that machine as a member.

Once the group is selected, click Save.
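To see what the three boundary lists above actually decide, here is an added PowerShell example (not from the post) that classifies a destination URL the way the policy does conceptually: a host matched by the Network domain, Cloud resources or Neutral resources list opens in the host browser, anything else opens in the Application Guard container. It assumes a leading "." means "this domain and all its subdomains", and replaces your_domain with the constructed placeholder corp.example.

```powershell
# Added example, not from the original post. Models how the three boundary
# lists classify a destination. ASSUMPTIONS: a leading '.' means "this domain
# and all subdomains"; 'your_domain' is the constructed placeholder 'corp.example'.
$NetworkDomain    = 'corp.example'
$CloudResources   = '.sharepoint.com|.office.com|.office365.com|.lync.com|.microsoft.com|.powerbi.com|.windowsazure.com|.bing.com'
$NeutralResources = 'login.microsoftonline.com,login.windows.net,account.activedirectory.windowsazure.com'

# Turn each policy string into a list of entries: Intune separates cloud
# resources with '|' and neutral resources with ',' exactly as entered above.
$lists = [ordered]@{
    NetworkDomain = @($NetworkDomain)
    CloudResource = $CloudResources -split '\|'
    Neutral       = $NeutralResources -split ','
}

function Get-BoundaryZone([string]$Url) {
    # Note: $host is a reserved automatic variable in PowerShell, so use $hostName.
    $hostName = ([uri]$Url).Host.ToLowerInvariant()
    foreach ($zone in $lists.Keys) {
        foreach ($entry in $lists[$zone]) {
            $domain = $entry.Trim().TrimStart('.').ToLowerInvariant()
            # exact host or any host beneath the entry's domain
            if ($hostName -eq $domain -or $hostName.EndsWith(".$domain")) { return $zone }
        }
    }
    return 'Untrusted (opens in Application Guard)'
}

# Constructed sample destinations
'https://contoso.sharepoint.com/sites/team',
'https://login.microsoftonline.com/common/oauth2',
'https://intranet.corp.example/',
'https://www.example.com/' | ForEach-Object {
    [pscustomobject]@{ Url = $_; Zone = Get-BoundaryZone $_ }
} | Format-Table -AutoSize
```

The first three URLs land in CloudResource, Neutral and NetworkDomain respectively; only www.example.com falls outside the boundary and would be handed to the container.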

Create Application Guard Policy

Navigate to Intune -> Device configuration -> Profiles. Click on +Create profile.

Enter appropriate Name and Description. I have entered:

Name: Win 10 WDAG Policy

Description: Windows 10 : Windows Defender Application Guard Policy

In Platform, select Windows 10 and later.

In Profile type, select Endpoint protection.

Click on Microsoft Defender Application Guard.

In Application Guard, select Enabled for Edge.

In Clipboard behavior, select appropriate option.

In Clipboard content, select appropriate option.

In the rest of the settings, configure appropriately and click OK.

Click OK.

Click Create.

Click Assignments and select the group to which you deployed the Network Boundary policy.

Once the group is selected, click Save.

Testing in client machine

Log in to the machine.

Initiate the sync.

After some time, when the machine settles down, restart it.

After some time, you’ll see the policy status as Succeeded in the portal.

Again on the client machine:

Try to open any website that is not in the Network Boundary.

The Application Guard window comes up.

Test Clipboard behavior

In my policy, I have only enabled text to be copied from PC to browser.

So, I selected some text in the browser window and copied it.

Opened Notepad. Right-clicked and clicked on Paste.

Got a message that the content is not allowed to be pasted.

Done.
