Enable Windows Defender Application Guard on Windows 10 using PowerShell

A couple of days back I saw a tweet form Stefan Stranger (Consultant at Microsoft) which reminded me of a feature called Windows Defender Application Guard, which is included in Windows 10 Enterprise since the Fall Creators Update (1709). If you have never heard of Application Guard, you might want to check out this blog post: Introducing Windows Defender Application Guard for Microsoft Edge

Basically Windows Defender Application Guard starts Microsoft Edge in a Hyper-V Container and uses Hyper-V isolation. So if a user browses on a malicious site, the site is separate from the host operating system.

What is Windows Defender Application Guard and how does it work?
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.

If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can’t get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can’t get to your employee’s enterprise credentials.

Source: Windows Defender Application Guard overview

Usually Windows Defender Application Guard is configured using a Enterprise devices management tool like System Center Configuration Manager, Microsoft Intune or another third-party tool. But if you want to use this on your standalone Windows 10 PC you can also do this using PowerShell.

Want to browse more safely using #Edge on Windows 10 Enterprise Fall Creators Update? Enable Windows Defender Application Guard via #PowerShell. pic.twitter.com/Xo6OcuSVz2

— Stefan Stranger (@sstranger) January 5, 2018

The only thing you need to run this is:

• Windows 10 Enterprise 1709 (Fall Creators Update) or higher
• A computer which supports Hyper-V
  • A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS)
  • Extended page tables, also called Second Level Address Translation (SLAT)
  • One of the following virtualization extensions for VBS:
    • Intel VT-x
    • AMD-V
  • Microsoft recommends 8GB RAM for optimal performance
  • 5 GB free space, solid state disk (SSD) recommended
  • Input/Output Memory Management Unit (IOMMU) support is strongly recommended
•  Microsoft Edge and Internet Explorer

You can simply install Application Guard using the following command:

Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard

This will reboot your computer and after this you will be able to open a new Microsoft Edge windows in Application Guard.

This does added some extra security, however it does not really protect against like the Meltdown and Spectre attacks.

If you have a look at the processes running on your computer you can now see that there is a new Virtual Machine Worker Process which is used by the Application Guard.

This is a great example how the Hyper-V isolation can not only be used for Hyper-V Virtual Machines but also other features like Hyper-V Containers or for example on the Xbox One.