FAQ: How Edge's Application Guard and isolated browsing work

Microsoft has added anti-malware, anti-exploit technology to Windows 10 Pro in a bid to make the Web safer for employees using the company's Edge browser.


Microsoft two weeks ago quietly added a security feature to Windows 10 Pro that initially was available only in the operating system's most expensive edition.

Dubbed Windows Defender Application Guard (WDAG) - and linked to Windows 10's default browser, Edge - the anti-malware, anti-exploit technology was designed to make the Web a safer place for employees, an important goal in times when ransomware runs rampant and hackers pinch customer or worker credentials, or personal information, with near impunity.

"Now, like Windows 10 Enterprise users, Windows 10 Pro users can navigate the Internet in Application Guard knowing their systems are safe from common web-based attacks," Jason Silves, a program manager at Microsoft, wrote in an online post when the feature began beta testing late last year.

Originally, WDAG was offered only to customers running Windows 10 Enterprise, starting with version 1709, the feature upgrade launched in October.


But Application Guard in Windows 10 Pro is not equal to Application Guard in Enterprise. Computerworld scoped out the deal for answers to the most pressing questions about WDAG.

What is Windows Defender Application Guard?

WDAG creates a disposable instance of both Windows and Edge - very condensed versions of the OS and the browser - in a virtualized environment using Windows' built-in Hyper-V hypervisor. Every opening between the container, the virtual machine and the real device is bricked up, barring almost all interaction between the web session and the physical machine.

WDAG lets customers browse in a more secure environment because it prevents malware from reaching the real operating system and real applications on the real device. Then when the user is finished, the virtualized Windows+Edge is discarded. Think of it as a quarantine, but a very brutal one that erases the patient if he or she gets sick.

Is WDAG like sandboxed tabs in other browsers?

Although some of the isolationist concepts are similar, WDAG is different from sandboxing. The latter typically quarantines the process, and the portion of memory allotted to that process, required to run a browser tab. WDAG, meanwhile, builds a virtualized "container" - a faux device, so to speak, created only in the physical device's memory - within which runs both Windows and Edge.

Who gets WDAG? Everyone running Edge?

Nope.

When WDAG debuted last year in Windows 10 1709, the October 2017 version also known as "Fall Creators Update," it was restricted to users running Windows Enterprise E3 or E5 subscription plans.

As of April 30, and Windows 10 1803 released that day, customers running Windows 10 Pro also have access to WDAG, albeit a subset of the features handed to Enterprise users.

What don't Windows 10 Pro users get out of WDAG?

Edge in Windows 10 Pro:

  • Can't download files when in WDAG
  • Can't be managed so that it automatically kicks in WDAG when the user enters a non-domain URL; this is called enterprise-managed mode and is the alternative to standalone mode, in which workers manually start Edge in Application Guard to browse untrusted websites.

Microsoft puts it this way: "Application Guard for Windows 10 Professional is only designed to be used in standalone mode. The ability to deploy enforcement of trusted vs. untrusted websites is only available in the Enterprise version."

Can I download documents or other files while using Edge in WDAG mode?

Maybe.

Users of Windows 10 Enterprise 1803, the newest feature upgrade, can download files from the contained Edge session to the host device, assuming that policy has been enabled by IT.

Windows 10 Enterprise 1709 (and earlier) and all versions of Windows 10 Pro, including the recent 1803, cannot. Instead, Microsoft recommended that users of those versions running WDAG choose Print as PDF or XPS Document Writer from Edge, then save the resulting document(s) to the host PC.

Files downloaded from a WDAG session appear in a folder tagged Untrusted Files within the standard Downloads folder.

Will I ever be able to download on Pro?

Probably. At one point during the Windows Insider preview process leading up to the April launch of Windows 10 1803, Windows 10 Pro was able to download files and documents from Edge+WDAG to the host PC. But by the time version 1803 went public, only the Enterprise SKU (stock-keeping unit) had the feature.

Of course, it's also possible that Microsoft will continue to limit the capability to Enterprise; that's a tactic it has often used to steer customers toward the more capable, but also costlier, edition.

How about copy/paste and printing?

Can I print while using Edge in WDAG mode? Can I copy something like a URL from the host PC's clipboard and paste it into Edge running under Application Guard? What about cookies, such as those used to allow auto log-in at websites - can those be saved for the next time I run Edge with WDAG?

Yes, to all.

Windows 10 Enterprise version 1709 and later, and Windows 10 Pro 1803, can be set to allow printing, copy-paste in both directions and what Microsoft dubbed "persistence."

Of the latter, Microsoft said: "If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard."

But by turning on data persistence, all that data is retained in the isolated container for the next WDAG session with Edge, even, said Microsoft, after a restart and "even through build-to-build upgrades of Windows 10." That data (cookies, for instance) is still not shared with the host system.

IT admins can set printing, copying and pasting, and persisting data using the policy interface available at the location Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard.

All of those functions are disabled by default in Application Guard.

What's needed to run Edge with WDAG?

According to Microsoft, the system requirements for Application Guard are:

  • A 64-bit, Hyper-V capable processor in the system, with a minimum of four (4) cores. Most sixth-, seventh- and eighth-generation Intel chips will support Hyper-V, as will a wide range of AMD processors. (To check whether a machine qualifies, head here if the PC has an Intel processor, or here for AMD).
  • 8GB of RAM

Does running WDAG slow down browsing?

Indeed, it does.

Initializing Application Guard for the first time may take a minute or more, according to PCWorld: That's the time necessary for the host PC to create the virtual machine in which Edge will run. Subsequent sessions with WDAG should start faster, however.

By default, Application Guard relies on software-based rendering powered by the CPU (central processing unit). Microsoft makes clear the security technology does not "load any third-party graphics drivers or interact with any connected graphics hardware." That eliminates any GPU-assisted (graphics processing unit) rendering by the browser, a feature most browsers now offer to speed up painting pages.

Why? "Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device," Microsoft answered.

But customers running Windows 10 Enterprise version 1803 can contact Microsoft for a special registry key that unlocks hardware-assisted rendering, which the company said is currently an "experimental feature."

Adding the Microsoft-provided registry key will improve browser performance under high graphics loads, such as during video playback, Microsoft asserted, as well as extend battery life on a laptop running Application Guard for long stretches.

Can a different browser, like Chrome, use Application Guard?

Easy answer: No.

That goes for Internet Explorer as well, by the way. Edge is the only browser that works with WDAG. And don't expect Microsoft to change that.

What about browser add-ons?

They won't work. "Currently, the Application Guard Edge session doesn't support Extensions," Microsoft said. It left the door ajar, though, adding that it is "closely monitoring" user feedback on the issue.

How do I get started with Application Guard and Edge?

To kick off standalone mode - remember, that's the only mode available to Windows 10 Pro users - open the Control Panel, click Programs, then click Turn Windows features on or off. Check the box labeled Windows Defender Application Guard, then click OK.

Finally, restart the PC, launch Edge and click New Application Guard window from the menu under the ellipsis on the far right of the browser window. The secure session at an untrusted URL will be visually identified by an orange informational box, as well as orange-tinted tabs.
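The prerequisite check from the system-requirements section and the standalone-mode setup steps above can be done from an elevated PowerShell prompt instead of the Control Panel. This is an added example, not Microsoft's or the article's own script; the core-count and RAM thresholds come from the article, and the optional-feature name Windows-Defender-ApplicationGuard is the feature's documented name.

```powershell
# Added example (not from the article): verify the Application Guard
# prerequisites the article lists, then enable the optional feature.
# Run from an elevated PowerShell prompt on Windows 10 1803 Pro or Enterprise.

$cpu = Get-CimInstance -ClassName Win32_Processor
$cs  = Get-CimInstance -ClassName Win32_ComputerSystem

$cores = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
# Round to the nearest GB: an "8GB" machine reports slightly under 8GB.
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB)

# Once a hypervisor is already running, the CPU no longer reports VT-x/SLAT
# as available to the OS, so treat HypervisorPresent as proof of capability.
$first = $cpu | Select-Object -First 1
$hyperVCapable = $cs.HypervisorPresent -or
    ($first.VirtualizationFirmwareEnabled -and
     $first.SecondLevelAddressTranslationExtensions)

$checks = [ordered]@{
    '64-bit OS'       = [Environment]::Is64BitOperatingSystem
    'Hyper-V capable' = [bool]$hyperVCapable
    '4+ cores'        = $cores -ge 4
    '8GB+ RAM'        = $ramGB -ge 8
}
$checks.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }

if ($checks.Values -contains $false) {
    Write-Warning 'This PC does not meet the Application Guard requirements.'
    return
}

# Equivalent of Control Panel > Programs > Turn Windows features on or off.
$feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
if ($feature.State -eq 'Enabled') {
    'Application Guard is already enabled.'
} else {
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    'Application Guard enabled; restart, then use "New Application Guard window" in Edge.'
}
```

If virtualization is disabled in firmware, the Hyper-V check fails even on a capable CPU; enable it in the UEFI/BIOS settings and rerun the check.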

For enterprise-managed mode - only Windows 10 Enterprise customers need apply - IT admins should follow this step-by-step guide published in this Application Guard support document.

Copyright © 2018 IDG Communications, Inc.
