Upravit

Sdílet prostřednictvím


Microsoft Defender Application Guard Extension

Note

Microsoft Defender Application Guard Extension is a web browser add-on available for Chrome and Firefox.

Microsoft Defender Application Guard provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.

Tip

Application Guard, by default, offers native support to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them.

Microsoft Defender Application Guard Extension defends devices in your organization from advanced attacks, by redirecting untrusted websites to an isolated version of Microsoft Edge. If an untrusted website turns out to be malicious, it remains within Application Guard's secure container, keeping the device protected.

Prerequisites

Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1809 or later:

  • Windows 10 Professional
  • Windows 10 Enterprise
  • Windows 10 Education
  • Windows 11

Application Guard itself is required for the extension to work. It has its own set of requirements. Check the Application Guard installation guide for further steps, if you don't have it installed already.

Installing the extension

Application Guard can be run under managed mode or standalone mode. The main difference between the two modes is whether policies have been set to define the organization's boundaries.

Enterprise administrators running Application Guard under managed mode should first define Application Guard's network isolation settings, so a set of enterprise sites is already in place.

From there, the steps for installing the extension are similar whether Application Guard is running in managed or standalone mode.

  1. On the local device, download and install the Application Guard extension for Google Chrome and/or Mozilla Firefox.
  2. Install the Microsoft Defender Application Guard companion app from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer.
  3. Restart the device.

Both Chrome and Firefox have their own browser-specific group policies. We recommend that admins use the following policy settings.

Chrome policies

These policies can be found along the filepath, Software\Policies\Google\Chrome\, with each policy name corresponding to the file name. For example, IncognitoModeAvailability is located at Software\Policies\Google\Chrome\IncognitoModeAvailability.

Policy name Values Recommended setting Reason
IncognitoModeAvailability 0 = Enabled
1 = Disabled
2 = Forces pages to only open in Incognito mode
Disabled This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default.
BrowserGuestModeEnabled false or 0 = Disabled
true, 1, or not configured = Enabled
Disabled This policy allows users to sign in as Guest, which opens a session in Incognito mode. In this mode, all extensions are turned off by default.
BackgroundModeEnabled false or 0 = Disabled
true or 1 = Enabled

Note: If this policy isn't set, the user can enable or disable background mode through local browser settings.
Enabled This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension.
ExtensionSettings This policy accepts a dictionary that configures multiple other management settings for Chrome. See the Google Cloud documentation for complete schema. Include an entry for force_installed This policy prevents users from manually removing the extension.

Firefox policies

These policies can be found along the filepath, Software\Policies\Mozilla\Firefox\, with each policy name corresponding to the file name. Foe example, DisableSafeMode is located at Software\Policies\Mozilla\Firefox\DisableSafeMode.

Policy name Values Recommended setting Reason
DisableSafeMode false or 0 = Safe mode is enabled
true or 1 = Safe mode is disabled
The policy is enabled and Safe mode isn't allowed to run. Safe mode can allow users to circumvent Application Guard
BlockAboutConfig false or 0 = User access to about:config is allowed
true or 1 = User access to about:config isn't allowed
The policy is enabled and access to about:config isn't allowed. About:config is a special page within Firefox that offers control over many settings that may compromise security
Extensions - Locked This setting accepts a list of UUIDs for extensions. You can find these extensions by searching extensions.webextensions.uuids within the about:config page) Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "ApplicationGuardRel@microsoft.com" This setting allows you to lock the extension, so the user can't disable or uninstall it.

Troubleshooting guide

Error message Cause Actions
Application Guard undetermined state The extension was unable to communicate with the companion app during the last information request. 1. Install the companion app and reboot
2. If the companion app is already installed, reboot and see if that resolves the error
3. If you still see the error after rebooting, uninstall and reinstall the companion app
4. Check for updates in both the Microsoft store and the respective web store for the affected browser
ExceptionThrown An unexpected exception was thrown. 1. File a bug
2. Retry the operation
Failed to determine if Application Guard is enabled The extension was able to communicate with the companion app, but the information request failed in the app. 1. Restart the browser
2. Check for updates in both the Microsoft store and the respective web store for the affected browser
Launch in WDAG failed with a companion communication error The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running. 1. Make sure the companion app is installed
2. If the companion app is installed, reboot and see if that resolves the error
3. If you still see the error after rebooting, uninstall and reinstall the companion app
4. Check for updates in both the Microsoft store and the respective web store for the affected browser
Main page navigation caught an unexpected error An unexpected exception was thrown during the main page navigation. 1. File a bug
2. Retry the operation
Process trust response failed with a companion communication error The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running. 1. Make sure the companion app is installed.
2. If the companion app is installed, reboot and see if that resolves the error
3. If you still see the error after rebooting, uninstall and reinstall the companion app
4. Check for updates in both the Microsoft store and the respective web store for the affected browser
Protocol out of sync The extension and native app can't communicate with each other. This error is likely caused by one being updated without supporting the protocol of the other. Check for updates in both the Microsoft store, and the web store for the affected browser
Security patch level doesn't match Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. Check for updates in both the Microsoft store, and the web store for the affected browser
Unexpected response while processing trusted state The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. 1. File a bug
2. Check if Microsoft Edge is working
3. Retry the operation