by Martin Brinkmann on March 17, 2019 in Firefox, Google Chrome – 5 comments
Microsoft released the extension Windows Defender Application Guard for Google Chrome and Mozilla Firefox recently.
Windows Defender Application Guard is a security feature designed to load untrusted sites and services in a lightweight virtual machine. It requires Windows 10 Professional or Enterprise at the time of writing, and works in standalone and Enterprise-managed modes. It requires at least Windows 10 version 1803.
The new browser extension brings Application Guard functionality to the third-party browsers Google Chrome and Mozilla Firefox.
Windows Defender Application Guard extension
Installation is slightly more complicated than installing another browser extension. The main reason for that is that you need to make sure that Application Guard is turned on as a feature on the device, and that you have installed the Microsoft Store companion app as well.
In other words: you may need to install three different applications before you can make use of it.
The following steps are required:
- Enable Windows Defender Application Guard on the device if it is not turned on already. Make sure the system meets the hardware and software requirements.
- Install the Windows Defender Application Guard companion application from the Microsoft Store.
- Install the Google Chrome extension or the Mozilla Firefox add-on.
- Enterprise-only: Define network isolation settings to define a list of trusted sites that you may access using Chrome or Firefox.
- Restart the device.
Using the extension
The extension highlights if all requirements are met after installation. You should see three green lights indicating that the device is compatible, that the companion app is installed, and that Application Guard is turned on.
How the extension is used depends largely on the edition of Windows 10.
Note: You may want to turn off diagnostic data collecting that is enabled by default. Just click on the extension icon and toggle “Allow Microsoft to collect diagnostic data” to do so.
Standalone mode
Windows 10 Pro users and Enterprise users who choose standalone mode get very little out of the extension as it does not work automatically in that mode.
All you can do, really, is to click on the extension icon and there on the “New application guard window” button to start a new Application Guard instance of Microsoft Edge.
More comfortable than having to launch Application Guard instances from Microsoft Edge manually, but not by much and probably not worth the hassle of installing the extension and Microsoft Store application.
Enterprise-managed mode
Enterprise administrators have additional configuration options that automate the experience. All that is required for that is to set up network isolation settings; these define trusted sites, e.g. an IP address range, that users may access using the third-party browsers the extension is installed in.
Any site not on the trust list is automatically redirected to the Microsoft Edge Application Guard instance.
When users navigate to a site, the extension checks the URL against a list of trusted sites defined by enterprise administrators. If the site is determined to be untrusted, the user is redirected to an isolated Microsoft Edge session. In the isolated Microsoft Edge session, the user can freely navigate to any site that has not been explicitly defined as trusted by their organization without any risk to the rest of system.
Microsoft plans to extend the functionality by loading trusted sites opened in the Application Guard instance in the third-party browser.
With our upcoming dynamic switching capability, if the user tries to go to a trusted site while in an isolated Microsoft Edge session, the user is taken back to the default browser.
Closing Words
The Windows Defender Application Guard extension is a useful browser extension for Enterprise environments in which supported third-party browsers are permitted. It seems less likely that it will see a lot of traction on Pro devices though due to the limitations.
Now You: Do you use Application Guard or other browsing virtualization services?