In this post, we’ll extend Windows Defender Application Guard to Mozilla Firefox and Google Chrome. After the configuration, whenever anyone uses Chrome or Firefox to open a URL that is not in the Corporate Network Boundary, it will automatically open in a Windows Defender Application Guard window.

The steps include installing the Windows Defender Application Guard Companion app from the Microsoft Store and then installing the Application Guard extension in the respective browsers.

Prerequisites: Kindly complete the previous post to enable Windows Defender Application Guard.

Existing setup done:

  1. Two Local users created
  2. Azure AD Connect configured
  3. Seamless Single Sign-On (IE) configured
  4. Seamless Single Sign-On (Firefox) configured
  5. Hybrid Azure AD Join configured
  6. Intune enrollment – Domain Joined Windows 10 devices
  7. Azure AD Join
  8. Office 365 Pro Plus Application
  9. Sample SharePoint Team Site
  10. OneDrive Known Folder Migration and SharePoint library sync
  11. Copy necessary files (Win32 App)
  12. Set Desktop Background, Lock Screen and Screensaver
  13. Adding applications to StartUp folder
  14. Adding some 3rd Party applications (Browsers)
  15. Microsoft Store for Business configuration and integration and Store Apps.
  16. Windows Defender Application Guard configuration

Existing setup:

  1. SkyDC: Machine with ADDS, DNS, DHCP role
  2. SkyCON: Machine where we will install Azure AD Connect
  3. SkyCM: Machine with Configuration Manager Current Branch
  4. SkyTEN1: Domain Joined Windows 10 machine
  5. SkyTEN2: Domain Joined Windows 10 machine
  6. SkyTEN3i: Domain Joined Windows 10 machine (Intune Managed)
  7. SkyTEN4i: Domain Joined Windows 10 machine (Intune Managed)
  8. SkyTEN5i: Azure AD Joined Windows 10 (Intune Managed)
  9. SkyTEN6i: Azure AD Joined Windows 10 (Intune Managed)
  10. SkyTEN7i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)
  11. SkyTEN8i: Azure AD Joined Windows 10 (Cloud User, Intune Managed)

Add Windows Defender Companion app in Microsoft Store for Business

Navigate to https://businessstore.microsoft.com

Enter your Global Admin ID and click Next.

Enter password and click Sign in.

In the Search window, search for Application Guard.

Click on Windows Defender Application Guard Companion app.

Check the System requirements.

Click on Get the app.

Click close.

Deploy Windows Defender Companion app using Intune

Login to Azure portal.

Navigate to Intune -> Client apps -> Apps.

There is no Windows Defender Companion app in the list, so we need to sync Microsoft Store for Business.

Click Microsoft Store for Business and click Sync.

After some time, we see that the Windows Defender Application Guard Companion (Online) app is listed in the Apps section. Click on it.

Navigate to Assignments and click Add group.

Follow the wizard and select the group where Windows Defender Application Guard policy is deployed.

Click Save.

In client machine

Initiate the Sync in client machine.

After some time we’ll see that the app has appeared in the Start Menu.

Deploy Application Guard extension for Firefox

Get the Application Guard extension’s URL and ID

Open Firefox Add-ons page in a Test machine.

https://addons.mozilla.org/

Search “Application Guard” and click on Application Guard Extension.

Right click on + Add to Firefox and click Copy Link Location.

Open Notepad and paste there.

The URL we are going to use is highlighted. https://addons.mozilla.org/firefox/downloads/file/3420915/application_guard_extension-2.0.1909.10001-fx.xpi

Click on + Add to Firefox to install the Add-On.

Click on Add.

Choose appropriate option and click Okay, Got it.

In the Address bar, enter about:memory and press Enter.

In the Show memory reports, click on Measure.

Scroll down to Other Measurements.

Find the extension by name and copy the text that follows baseURL=moz-extension://, without the trailing /. The selected text is the extension’s ID.

Extension ID: b5a7cdc3-3cf5-4647-9748-a89c1cda4a2d

Create PowerShell script

Create a PowerShell script with the text below.

In the first part of the code, $value contains the extension’s URL.

In the second part of the code, $value contains the extension’s ID.

Note: I followed the method below to get the registry path and values:

I imported the Firefox ADMX files from GitHub, added them to the Central Store on a DC, configured Group Policy, then checked a client machine’s registry and got the registry path and values.

#Add Application Guard Extension to Firefox

# First part: the numbered value under Extensions\Install holds the extension's download URL
$registryPath = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Install"
$Name = "1"
$value = "https://addons.mozilla.org/firefox/downloads/file/3420915/application_guard_extension-2.0.1909.10001-fx.xpi"

If (!(Test-Path $registryPath))
{
    New-Item -Path $registryPath -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $Name -Value $value -PropertyType ExpandString -Force | Out-Null
}
Else
{
    New-ItemProperty -Path $registryPath -Name $Name -Value $value -PropertyType ExpandString -Force | Out-Null
}

# Second part: the numbered value under Extensions\Locked holds the extension's ID
$registryPath = "HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Extensions\Locked"
$Name = "1"
$value = "b5a7cdc3-3cf5-4647-9748-a89c1cda4a2d"

If (!(Test-Path $registryPath))
{
    New-Item -Path $registryPath -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $Name -Value $value -PropertyType String -Force | Out-Null
}
Else
{
    New-ItemProperty -Path $registryPath -Name $Name -Value $value -PropertyType String -Force | Out-Null
}

Deploy the PowerShell script using Intune to the Group where Application Guard is deployed.

Navigate to Intune -> Device configuration -> PowerShell scripts. Click on +Add.

Enter appropriate Name and Description and click Next.

Name: Firefox – Enable App Guard

Description: Enable Application Guard extension for Firefox

Click on Folder icon, select the PowerShell script created earlier and click Next.

Select the group where Windows Defender Application Guard and the Firefox application are deployed.

Click Next.

Click Add.

In Client machine:

Sync the device

Restart the Intune Management Extension service

Start Firefox.

You can see that the extension is automatically installed.

The URL https://www.mozilla.org/en-US/privacy/firefox/ also opened in an Application Guard window automatically.

Add Google Chrome extension

Get the Application Guard extension’s ID and update URL

Open Chrome on a Test machine. Open URL: https://chrome.google.com/webstore/category/extensions?h1=en

Search for Application Guard

Click on the Application Guard Extension.

The extension ID is already in the URL, but we’ll also find it using another method.

Extension ID: mfjnknhkkiafjajicegabkbimfhplplj

Click on Add extension.

We can see the message.

Navigate to three Dots -> More tools and click on Extensions.

In the Application Guard Extension, click on Details.

Enable Developer mode.

We can see the ID. Select the ID, right click and Copy it.

Extension ID: mfjnknhkkiafjajicegabkbimfhplplj

The extensions are installed per user. Open the path below and locate the folder whose name is the extension ID. Click on the folder.

C:\Users\User_Name\AppData\Local\Google\Chrome\User Data\Default\Extensions

There will be a version folder. Click on the folder. Open the manifest.json file.

Search for update_url and copy the text within double quotes.

Update URL: https://clients2.google.com/service/update2/crx

Create a string by combining the ID and the update URL, with a semicolon in between.

Extension ID: mfjnknhkkiafjajicegabkbimfhplplj

Update URL: https://clients2.google.com/service/update2/crx

Combined string: mfjnknhkkiafjajicegabkbimfhplplj;https://clients2.google.com/service/update2/crx

Create a PowerShell script that will add the above entry at the respective location:

Create a PowerShell script with the text below.

In the code, $value contains the combined text of the extension ID and update URL.

Note: I followed the method below to get the registry path and values:

I imported the Chrome ADMX files from the Chrome Enterprise Bundle, added them to the Central Store on a DC, configured Group Policy, then checked a client machine’s registry and got the registry path and values.

There is one more way to find the registry path: the Enterprise Bundle contains detailed information about the registry path, so we can also get it from there.

#Add Application Guard Extension to Google Chrome

# The numbered value under ExtensionInstallForcelist holds "<extension ID>;<update URL>"
# This is a per-user (HKCU) policy, so the script must run in the logged-on user's context
$registryPath = "HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist"
$Name = "1"
$value = "mfjnknhkkiafjajicegabkbimfhplplj;https://clients2.google.com/service/update2/crx"

If (!(Test-Path $registryPath))
{
    New-Item -Path $registryPath -Force | Out-Null
    New-ItemProperty -Path $registryPath -Name $Name -Value $value -PropertyType String -Force | Out-Null
}
Else
{
    New-ItemProperty -Path $registryPath -Name $Name -Value $value -PropertyType String -Force | Out-Null
}
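Both scripts above always write value name "1" with -Force, which silently overwrites an entry that an earlier run or another policy already placed there. The helper below is an added example (not code from the original post) that makes the same three writes idempotent: it skips the write when the value is already listed and otherwise uses the next free index. The registry paths and values are the ones the post uses; the function name Set-PolicyListEntry is my own.

```powershell
# Added example: idempotent variant of the post's registry writes.
function Set-PolicyListEntry {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Value,
        [ValidateSet('String', 'ExpandString')] [string] $Type = 'String'
    )
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    $key = Get-Item -Path $Path
    # Only the numeric value names ("1", "2", ...) belong to the policy list.
    $names = @($key.GetValueNames() | Where-Object { $_ -match '^\d+$' })
    foreach ($n in $names) {
        if ($key.GetValue($n) -eq $Value) {
            return "already present as '$n' under $Path"
        }
    }
    # Next free index: one past the highest existing numeric name, or 1 if the list is empty.
    $next = 1
    if ($names.Count -gt 0) {
        $max = ($names | ForEach-Object { [int]$_ } | Measure-Object -Maximum).Maximum
        $next = [int]$max + 1
    }
    New-ItemProperty -Path $Path -Name "$next" -Value $Value -PropertyType $Type -Force | Out-Null
    return "added as '$next' under $Path"
}

# Firefox part: machine policy (HKLM), so this belongs in the script that runs as SYSTEM.
$ffBase = 'HKLM:\SOFTWARE\Policies\Mozilla\Firefox\Extensions'
Set-PolicyListEntry -Path "$ffBase\Install" -Type ExpandString `
    -Value 'https://addons.mozilla.org/firefox/downloads/file/3420915/application_guard_extension-2.0.1909.10001-fx.xpi'
Set-PolicyListEntry -Path "$ffBase\Locked" -Value 'b5a7cdc3-3cf5-4647-9748-a89c1cda4a2d'

# Chrome part: per-user policy (HKCU), so this belongs in the script that runs with the
# logged-on user's credentials, as the post configures it in Intune.
Set-PolicyListEntry -Path 'HKCU:\Software\Policies\Google\Chrome\ExtensionInstallForcelist' `
    -Value 'mfjnknhkkiafjajicegabkbimfhplplj;https://clients2.google.com/service/update2/crx'
```

Running the helper a second time returns "already present" for all three entries instead of rewriting them, and reading these same keys back on a device is also a quick way to audit which extensions are being force-installed there.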

Deploy the script using Intune

Navigate to Intune -> Device configuration -> PowerShell scripts. Click on +Add.

Enter appropriate Name and Description and click Next.

Name: Chrome – Enable App Guard

Description: Enable Application Guard extension for Chrome

Click on Folder icon, select the PowerShell script created earlier.

In Run this script using the logged on credentials, select Yes and click Next.

Choose the group appropriately.

As I have the user already logged on to the particular device, I’ll choose the device group.

After selecting the group, click Next.

Click Add.

We can see that the script is added and assigned.

In Client machine:

Sync the device

Restart the Intune Management Extension service

Navigate to three Dots -> More tools and click on Extensions.

We can see that the Application Guard Extension is installed.

Open a URL that is not in the Trusted Network.

We can see a message in Chrome that the page will open in Application Guard for Microsoft Edge.

Windows Defender Application Guard is starting

The URL opened in an Application Guard window.

Done
