Revisiting Application Guard in the Windows 10 April 2018 Update
I first reviewed Windows Defender Application Guard (WDAG) on Petri last year. At that time, it was only available in the Enterprise SKU. But starting in the Windows 10 April 2018 Update, WDAG is also available to Windows 10 Pro users. In this Ask the Admin, I’ll look at new functionality and examine whether performance has improved.
Windows Defender Application Guard (WDAG) is a containerization solution for Microsoft Edge that uses Hyper-V to virtualize browser sessions. As with any container solution, WDAG protects the operating system and other running applications from security breaches that might occur inside the container. The biggest change to WDAG in the April 2018 Update is that it is now available to users of Windows 10 Pro. Previously, you needed to be running the Enterprise or Education SKU.
For more information on the technical requirements for WDAG, see Protect Users Against Malicious Websites Using Windows 10 Application Guard on Petri.
Starting WDAG for the first time took a little over a minute on my Intel Core i5-6200 2.4GHz Dell XPS notebook with 8GB RAM. That’s with nothing else running on the system. Subsequent launches in the same user session are instant. But after a reboot, WDAG still takes almost a minute to start up for the first time.
I haven’t run any scientific tests on page load times, but WDAG does seem to load pages a little slower. On sites like Petri, the difference was barely noticeable. But a lot will depend on the sites that users are visiting. The Azure management portal is one of the most resource-intensive sites that I use, and I was pleasantly surprised to see that it runs quite well in Application Guard. In my previous review, I noted that scrolling on graphic-intensive pages was a little laggy. In the April 2018 Update, I can report that scrolling is smoother on sites like ZDNet.
Something that I didn’t point out last time is that users’ Favorites and Reading List are not available in WDAG. That’s likely to be a serious issue for many. And now that we have Timeline in the April 2018 Update, it’s worth noting that pages visited in WDAG aren’t recorded in the Timeline.
In this version of Application Guard, Microsoft has added the ability for organizations to allow users to download files from a WDAG session to the host operating system. The new Group Policy setting to enable this feature can be found under Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard.
WDAG has two operational modes: standalone and enterprise-managed. In standalone mode, users can start Edge in WDAG and browse untrusted sites. Enterprise-managed mode forces Edge to run in Application Guard. But you can create a list of sites that are excluded and will always open in Edge without a WDAG container.
I’d previously had trouble getting the list of sites in the “Enterprise resource domains hosted in the cloud” setting under Administrative Templates > Network > Network Isolation to stick. After a bit more digging, I found out that sites must be listed with the full domain name, or with a leading period as a wildcard if you want to trust subdomains. For instance, you could create a list that looks like this:
Or like this:
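The matching rule just described, as an added example that is not code from the article or from Microsoft: it models how an exact entry and a leading-period wildcard entry decide which hosts open in the host browser and which stay in the WDAG container. It assumes the wildcard form also covers the apex domain and that entries are joined with `|` in the policy value; all domain names are constructed samples.

```python
"""Model of how entries in a WDAG trusted-site list match hostnames.

Added example, not code from the article or from Microsoft. It encodes
the rule the article describes: an entry written as a full domain name
("contoso.com") trusts exactly that host, and an entry with a leading
period (".fabrikam.com") acts as a wildcard for subdomains (assumed here
to cover the apex domain as well). Hosts matching no entry stay inside
the WDAG container. All domain names below are constructed samples.
"""
from typing import Iterable, List, Tuple


def normalize(name: str) -> str:
    # Hostnames are case-insensitive; drop a trailing dot from FQDNs.
    return name.strip().lower().rstrip(".")


def host_matches(host: str, entry: str) -> bool:
    """Does one trusted-site entry cover this host?"""
    host, entry = normalize(host), normalize(entry)
    if entry.startswith("."):
        # Wildcard form: apex or any label-aligned subdomain. Matching the
        # dotted suffix stops "notfabrikam.com" matching ".fabrikam.com".
        return host == entry[1:] or host.endswith(entry)
    return host == entry  # Exact form: no subdomains, no suffix tricks.


def is_trusted(host: str, entries: Iterable[str]) -> bool:
    return any(host_matches(host, e) for e in entries)


def partition_hosts(hosts: Iterable[str],
                    entries: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split hosts into (opens in host Edge, opens in WDAG container)."""
    entries = list(entries)
    trusted = [h for h in hosts if is_trusted(h, entries)]
    contained = [h for h in hosts if not is_trusted(h, entries)]
    return trusted, contained


def build_policy_value(entries: Iterable[str]) -> str:
    """Join entries with '|' (assumed separator for the policy string)."""
    return "|".join(normalize(e) for e in entries)


if __name__ == "__main__":
    entries = ["contoso.com", ".fabrikam.com"]
    hosts = ["contoso.com", "mail.contoso.com", "fabrikam.com",
             "intranet.fabrikam.com", "notfabrikam.com",
             "fabrikam.com.evil.example"]
    trusted, contained = partition_hosts(hosts, entries)
    print("Trusted (host Edge):", trusted)
    print("Untrusted (WDAG):   ", contained)
    print("Policy value:", build_policy_value(entries))
```

Note that with only the exact entry `contoso.com`, `mail.contoso.com` still opens in the container, which is the behaviour that made the list appear not to "stick".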
Another problem I had with WDAG in Windows 10 version 1709 was that it prevents connecting to public Wi-Fi hotspots, such as those in Starbucks, where you need to agree to the terms and conditions before you get access to the Internet. That problem persists in the April 2018 Update.
Should You Enable Application Guard?
You shouldn’t enable WDAG in enterprise-managed mode unless you can clearly determine which sites users need to access and, for sites that are not part of the organization’s own cloud or intranet, whether they should be trusted to run outside of WDAG. Enterprise-managed mode will be a non-starter for notebook users unless you provide them with Internet access through a cell operator.
Despite some functionality changes and performance improvements, WDAG is still a bit of a clunky and inconvenient experience, especially the lack of access to Favorites, which will be a deal-breaker for many users. Nonetheless, there will be organizations that need or want the extra security regardless of WDAG’s limitations.
Follow Russell on Twitter @smithrussell.