What is Windows Defender Application Guard?

The Windows Defender Application Guard (for Edge) is designed to protect your Windows OS from malware and zero-day attacks. When enabled, the feature works by creating a new instance of the Edge browser. The new instance is created on the hardware level using Hyper-V with its own kernel and all the required elements for the Edge browser to run normally.

According to Microsoft the new security protection mechanism helps against new Browser attacks and vulnerabilities. Picture Source: Microsoft Blog

Do I need it?

Simply put, when using Edge with Application Guard, you will be running a separate copy of Windows within Windows that has no access to the normal user operating environment.

Windows Application Guard Windows 1803
It’s by default disabled and you manually have to enable it.

Since the new instance of Edge is completely isolated on the hardware level, the attacker or the infected website or service cannot harm your system or data. You can find out more about how the Application Guard works from the Edge Dev Blog.

Overall spoken it’s a good idea to enable it IF you use MS Edge as Browser.

Why isn’t it enabled by default?

  • You need at least Windows Build 1803 (Spring Creators Update or April Update)
  • Your processor should support virtualization. Without hardware virtualization support, you cannot use Application Guard.
  • It costs performance CPU level to scale the visualization.
  • The Windows Defender Application Guard is only available for Windows 10 Pro users. If you are using the Home version, then the feature is not available to you and there is no way to integrate it.

After you enabled the Application Guard function you need to reboot your OS, same goes if you like to deactivate it. To use Edge with Windows Defender Application Guard, open the Settings menu (three horizontal dots) appearing on the top-right corner and select the option “New Application Guard window.”

Edge Application Guard
Yep, you see right uBlock is installed. It works well in Edge too. 

As soon as you click on the option, Windows 10 will launch another instance of Edge with Application Guard. The instance is clearly marked with the bright-red “Application Guard” button in the title bar.

Application Guard activated and running

Because of the restrictions placed by the Application Guard process in Edge browser, all the extensions will be disabled in the new instance. You will also lose access to features like page pinning, developer tools, casting, read aloud, etc. The normal Edge browser will not be affected, though. That being said, you can still perform basic actions like copy and paste, printing, etc. If you want to disable Edge Application Guard, open Windows Features just as in the first step, uncheck the checkbox next to “Windows Defender Application Guard” and save the changes.

Closing Words

Edge is becoming powerful and the new features are in terms of security good, forget the Internet Explorer times and say hello to a solid Browser. I really appreciate that MS is trying to modernize it’s integrated Browser but is this enough to compete against Firefox or Chrome?