In this post, we’ll extend Windows Defender Application Guard to Mozilla Firefox and Google Chrome. After the configuration, whenever anyone uses Chrome or Firefox to open a URL that is not in the Corporate Network Boundary, it will automatically open in a Windows Defender Application Guard window.
The steps are: install the Windows Defender Application Guard Companion app from the Microsoft Store, then install the Application Guard extension in each browser.
Prerequisites: complete the previous post first to enable Windows Defender Application Guard.
Existing setup done:
- Two Local users created
- Azure AD Connect configured
- Seamless Single Sign-On (IE) configured
- Seamless Single Sign-On (Firefox) configured
- Hybrid Azure AD Join configured
- Intune enrollment – Domain Joined Windows 10 devices
- Azure AD Join
- Office 365 Pro Plus Application
- Sample SharePoint Team Site
- OneDrive Known Folder Migration and SharePoint library sync
- Copy necessary files (Win32 App)
- Set Desktop Background, Lock Screen and Screensaver
- Adding applications to StartUp folder
- Adding some 3rd Party applications (Browsers)
- Microsoft Store for Business configuration and integration and Store Apps.
- Windows Defender Application Guard configuration
Existing setup:
- SkyDC: Machine with ADDS, DNS, DHCP role
- SkyCON: Machine where we will install Azure AD Connect
- SkyCM: Machine with Configuration Manager Current Branch
- SkyTEN1: Domain Joined Windows 10 machine
- SkyTEN2: Domain Joined Windows 10 machine
- SkyTEN3i: Domain Joined Windows 10 machine (Intune Managed)
- SkyTEN4i: Domain Joined Windows 10 machine (Intune Managed)
- SkyTEN5i: Azure AD Joined Windows 10 (Intune Managed)
- SkyTEN6i: Azure AD Joined Windows 10 (Intune Managed)
- SkyTEN7i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
- SkyTEN8i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
Add Windows Defender Companion app in Microsoft Store for Business
Navigate to https://businessstore.microsoft.com
Enter your Global Admin ID and click Next.
Enter password and click Sign in.
In the search box, search for Application Guard.
Click on Windows Defender Application Guard Companion app.
Check the System requirements.
Click on Get the app.
Click close.
Deploy Windows Defender Companion app using Intune
Login to Azure portal.
Navigate to Intune -> Client apps -> Apps.
There is no Windows Defender Companion app in the list, so we need to sync Microsoft Store for Business.
Click Microsoft Store for Business and click Sync.
After some time, we see that the Windows Defender Application Guard Companion (Online) app is listed in the Apps section. Click on it.
Navigate to Assignments and click Add group.
Follow the wizard and select the group where Windows Defender Application Guard policy is deployed.
Click Save.
In client machine
Initiate the Sync in client machine.
After some time we’ll see that the app appears in the Start Menu.
Deploy Application Guard extension for Firefox
Get the Application Guard extension’s URL and ID
Open Firefox Add-ons page in a Test machine.
Search “Application Guard” and click on Application Guard Extension.
Right click on + Add to Firefox and click Copy Link Location.
Open Notepad and paste it there.
The URL we are going to use is: https://addons.mozilla.org/firefox/downloads/file/3420915/application_guard_extension-2.0.1909.10001-fx.xpi
Click on + Add to Firefox to install the Add-On.
Click Add.
Choose the appropriate option and click Okay, Got it.
In the Address bar, enter about:memory and press Enter.
In the Show memory reports, click on Measure.
Scroll down to Other Measurements.
Find the extension by name and copy the text that follows baseURL=moz-extension://, without the trailing /. This is the extension’s ID.
Extension ID: b5a7cdc3-3cf5-4647-9748-a89c1cda4a2d
Create PowerShell script
Create a PowerShell script with the text below.
In the first part of the code, $value contains the extension’s URL.
In the second part of the code, $value contains the extension’s ID.
Note: I followed the method below to get the registry path and values:
I imported the Firefox ADMX files from GitHub, added them to the Central Store on a DC, configured Group Policy, then checked a client machine’s registry and got the registry path and values.
#Add Application Guard Extension to Firefox
# Part 1: Extensions\Install - Firefox installs every add-on URL listed under this key.
$registryPath = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Install"
$name = "1"
$value = "https://addons.mozilla.org/firefox/downloads/file/3420915/application_guard_extension-2.0.1909.10001-fx.xpi"
If (!(Test-Path $registryPath))
{
    New-Item -Path $registryPath -Force | Out-Null
}
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType ExpandString -Force | Out-Null

# Part 2: Extensions\Locked - the listed extension cannot be disabled or removed by the user.
$registryPath = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Locked"
$name = "1"
$value = "b5a7cdc3-3cf5-4647-9748-a89c1cda4a2d"
If (!(Test-Path $registryPath))
{
    New-Item -Path $registryPath -Force | Out-Null
}
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType String -Force | Out-Null
Deploy the PowerShell script using Intune to the Group where Application Guard is deployed.
Navigate to Intune -> Device configuration -> PowerShell scripts. Click on +Add.
Enter appropriate Name and Description and click Next.
Name: Firefox – Enable App Guard
Description: Enable Application Guard extension for Firefox
Click on Folder icon, select the PowerShell script created earlier and click Next.
Select Group where Windows Defender Application Guard and Firefox application is deployed.
Click Next.
Click Add.
In Client machine:
Sync the device
Restart the Intune Management Extension service
Start Firefox.
You can see that the extension is automatically installed.
Even the URL https://www.mozilla.org/en-US/privacy/firefox/ opened in Application Guard window automatically.
Add Google Chrome extension
Get Application Guard extension’s ID and update URL
Open Chrome in a Test machine. Open URL: https://chrome.google.com/webstore/category/extensions?h1=en
Search for Application Guard
Click on the Application Guard Extension.
The Extension ID is already in the URL, but we’ll also find it using another method.
Extension ID: mfjnknhkkiafjajicegabkbimfhplplj
Click on Add extension.
We can see the message.
Navigate to three Dots -> More tools and click on Extensions.
In the Application Guard Extension, click on Details.
Enable Developer mode.
We can see the ID. Select the ID, right click and Copy it.
Extension ID: mfjnknhkkiafjajicegabkbimfhplplj
Extensions are installed per user. Open the path below and locate the folder whose name is the Extension ID. Click on the folder.
C:\Users\User_Name\AppData\Local\Google\Chrome\User Data\Default\Extensions
There will be a version folder. Click on the folder. Open the manifest.json file.
Search for update_url and copy the text within double quotes.
Update URL: https://clients2.google.com/service/update2/crx
Create a string by combining the ID and the Update URL, with a semicolon in between.
Extension ID: mfjnknhkkiafjajicegabkbimfhplplj
Update URL: https://clients2.google.com/service/update2/crx
Combined string: mfjnknhkkiafjajicegabkbimfhplplj;https://clients2.google.com/service/update2/crx
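The manual steps above (find the extension folder, open the version folder, read update_url from manifest.json, join it to the ID with a semicolon) can be done in one function. This is an added example, not code from the original post or from Microsoft; the extension ID and the profile path are the ones the post uses, and the function name and its error handling are this example’s own.

```powershell
# Added example: build the "<id>;<update url>" string that ExtensionInstallForcelist expects
# by reading it from the installed extension's manifest.json. Not from the original post.
function Get-ChromeForcelistEntry {
    param(
        [Parameter(Mandatory)][string]$ExtensionId,
        # Default profile path from the post: C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default
        [string]$ProfileDir = (Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default')
    )
    # Chrome extension IDs are exactly 32 letters in the range a-p; fail early on anything else.
    if ($ExtensionId -notmatch '^[a-p]{32}$') {
        throw "Not a valid Chrome extension ID: $ExtensionId"
    }
    $extDir = Join-Path $ProfileDir "Extensions\$ExtensionId"
    if (-not (Test-Path $extDir)) {
        throw "Extension $ExtensionId is not installed under $ProfileDir"
    }
    # There is one subfolder per installed version; take the most recently written one.
    $versionDir = Get-ChildItem -Path $extDir -Directory |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    if (-not $versionDir) {
        throw "No version folder found for $ExtensionId"
    }
    $manifestPath = Join-Path $versionDir.FullName 'manifest.json'
    $manifest = Get-Content -Path $manifestPath -Raw | ConvertFrom-Json
    # Store-installed extensions carry update_url; an unpacked or sideloaded one does not.
    if (-not $manifest.update_url) {
        throw "manifest.json for $ExtensionId has no update_url"
    }
    return "$ExtensionId;$($manifest.update_url)"
}

# Usage with the Application Guard extension ID from the post:
Get-ChromeForcelistEntry -ExtensionId 'mfjnknhkkiafjajicegabkbimfhplplj'
```

Run it in the same user session where the extension was installed from the Web Store; the returned string is what goes into $value in the deployment script.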
Create a PowerShell script with the text below, which adds the above entry at the respective registry location.
In the code, $value contains the combined text of Extension ID and Update URL.
Note: I followed the method below to get the registry path and values:
I imported the Chrome ADMX files from the Chrome Enterprise Bundle, added them to the Central Store on a DC, configured Group Policy, then checked a client machine’s registry and got the registry path and values.
There is one more way to find the registry path: the Enterprise Bundle contains detailed information about the registry path, so we can also get it from there.
#Add Application Guard Extension to Google Chrome
# ExtensionInstallForcelist: each value is "<extension id>;<update url>". Chrome installs the
# listed extensions silently and the user cannot remove them.
$registryPath = "HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist"
$name = "1"
$value = "mfjnknhkkiafjajicegabkbimfhplplj;https://clients2.google.com/service/update2/crx"
If (!(Test-Path $registryPath))
{
    New-Item -Path $registryPath -Force | Out-Null
}
New-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType String -Force | Out-Null
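To confirm on a client that both the Firefox script and the Chrome script above landed where the browsers read policy, here is an added verification script; it is not part of the original post or of Microsoft’s tooling. The registry paths, extension IDs and URLs are the ones the post uses; the function names, the extension-ID format check and the use of HKCU for the Chrome key (matching the post’s script) are this example’s own. Run it on the client after the Intune sync.

```powershell
# Added example: read back the policy values written by the two deployment scripts and
# report whether each browser's Application Guard extension policy is present and well-formed.
$FirefoxInstallPath  = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Install'
$FirefoxLockedPath   = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Locked'
$ChromeForcelistPath = 'HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist'

# Expected values, taken from the post.
$ExpectedFirefoxUrl = 'https://addons.mozilla.org/firefox/downloads/file/3420915/application_guard_extension-2.0.1909.10001-fx.xpi'
$ExpectedFirefoxId  = 'b5a7cdc3-3cf5-4647-9748-a89c1cda4a2d'
$ExpectedChromeId   = 'mfjnknhkkiafjajicegabkbimfhplplj'
$ExpectedChromeUrl  = 'https://clients2.google.com/service/update2/crx'

# Return every value stored under a policy key as an array (empty if the key is missing).
function Get-PolicyValues {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-Item -Path $Path
    return @($key.GetValueNames() | ForEach-Object { $key.GetValue($_) })
}

function Test-FirefoxAppGuardPolicy {
    $install = Get-PolicyValues -Path $FirefoxInstallPath
    $locked  = Get-PolicyValues -Path $FirefoxLockedPath
    [pscustomobject]@{
        Browser      = 'Firefox'
        InstallFound = ($install -contains $ExpectedFirefoxUrl)   # Extensions\Install has the XPI URL
        LockedFound  = ($locked -contains $ExpectedFirefoxId)     # Extensions\Locked has the ID
    }
}

function Test-ChromeAppGuardPolicy {
    $entries = Get-PolicyValues -Path $ChromeForcelistPath
    $found = $false
    foreach ($entry in $entries) {
        # Each forcelist value is "<extension id>;<update url>". A Chrome extension ID is
        # 32 letters a-p; warn on anything else so a malformed entry is visible, not silent.
        $id, $url = $entry -split ';', 2
        if ($id -notmatch '^[a-p]{32}$') {
            Write-Warning "Malformed ExtensionInstallForcelist entry: $entry"
            continue
        }
        if ($id -eq $ExpectedChromeId -and $url -eq $ExpectedChromeUrl) { $found = $true }
    }
    [pscustomobject]@{
        Browser        = 'Chrome'
        ForcelistFound = $found
        EntryCount     = $entries.Count
    }
}

Test-FirefoxAppGuardPolicy
Test-ChromeAppGuardPolicy
```

Firefox’s about:policies page (Active tab) and Chrome’s chrome://policy page show which policies the browser actually parsed, which is the authoritative confirmation that the entries are honored and not only present in the registry. Chrome also reads ExtensionInstallForcelist from the same path under HKLM; a value there applies to every user of the device and cannot be edited by a standard user, whereas the HKCU value written by the post’s script is owned by the signed-in user.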
Deploy the script using Intune
Navigate to Intune -> Device configuration -> PowerShell scripts. Click on +Add.
Enter appropriate Name and Description and click Next.
Name: Chrome – Enable App Guard
Description: Enable Application Guard extension for Chrome
Click on Folder icon, select the PowerShell script created earlier.
In Run this script using the logged on credentials, select Yes and click Next.
Choose the group appropriately.
As I have the user already logged on to the particular device, I’ll choose the device group.
After selecting the group, click Next.
Click Add.
We can see that the script is added and assigned.
In Client machine:
Sync the device
Restart the Intune Management Extension service
Navigate to three Dots -> More tools and click on Extensions.
We can see that the Application Guard Extension is installed.
Open a URL that is not in the trusted network.
We can see a message in Chrome that the page will open in Application Guard for Microsoft Edge.
Windows Defender Application Guard is starting
The URL opened in Application Guard window.
Done