Microsoft has released a browser extension called Application Guard that protect Chrome and Firefox enterprise users from untrusted sites by opening them in a sandboxed Edge environment that cannot interact with the rest of the computer.
Windows 10 includes an optional feature called Windows Defender Application Guard that uses Hyper-V to launch Edge in a sandboxed environment. When running Edge in a sandbox, Windows will be protected from web site exploits or malicious scripts as they will be unable to makes any changes outside of the sandbox.
The new Application Guard extension extends this protection to Windows 10 Enterprise users running Chrome and Firefox by automatically transferring a browsing session to a sandboxed Edge environment when visiting a site that is not considered trusted by Network Isolation policies. For non-Enterprise users, you gain no additional benefit from installing this extension.
Using the Application Guard extension
In order to use the Application Guard extension, you must not only have the Windows Defender Application Guard feature installed in Windows, but you also must meet the following requirements:
- Be running Windows 10 with Hyper-V support.
- Have configured Network Isolation policies.
- Have the Application Guard extension installed in Chrome or Firefox
- Have installed the Windows Defender Application Guard Companion app from the Microsoft Store.
The first step you should take is to install Windows Defender Application guard using these following steps:
- From the Windows 10 Start Menu search for features and when you see a search result titled Turn Windows features on or off, click on it.
- When the Turn Windows features on or off screen appears, scroll down until you see the Windows Defender Application Guard feature. Then put a checkmark in it and press OK to install the feature.
- When prompted, restart Windows 10.
Once Windows Defender Application Guard is installed, install either the Chrome extension or Firefox extension depending on what browser you are using. For the purposes of this article, we will use Chrome.
Once the Application Guard extension is installed, you will be shown instructions on various steps you need to complete before the extension will be activated. While these steps are being completed, you will not be able to browse the web. If you do not wish to proceed, you can remove the extension without finishing the required steps.
When you have installed all the required components, the screen will update to indicate that the extension is now properly installed and protecting your browser from untrusted websites.
Now, if you are a Windows 10 Enterprise user and have Network Isolation policies configured, when you visit an untrusted site it will automatically transfer the browsing session to Application Guard window in Edge. Application Guard can also be used in standalone mode, which means using it without Network isolation policies, to launch a sandboxed Edge environment.
To do that, click on the extension icon and select New Application Guard window as shown below.
When Edge is launched, you will be able to determine if it is an Application Guard session by the shield in the upper left hand corner of the window as indicated by the red arrow below.
While the Windows Defender Application Guard is a useful Windows 10 feature that can be used to visit untrusted sites, unless you are running Windows 10 Enterprise, the extension is not necessary and performs no extra benefit. This is because only Enterprise users can setup Network Isolation policies and benefit from the automatic transfer to sandboxed Windows.
For everyone else, you can always launch an Application Guard session directly within Edge.