Microsoft Defender Application Guard Extension
Applies to:
- Windows 10
- Windows 11
Microsoft Defender Application Guard Extension is a web browser add-on available for Chrome and Firefox.
Microsoft Defender Application Guard provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.
Tip
Application Guard, by default, offers native support to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them.
Microsoft Defender Application Guard Extension defends devices in your organization from advanced attacks, by redirecting untrusted websites to an isolated version of Microsoft Edge. If an untrusted website turns out to be malicious, it remains within Application Guard's secure container, keeping the device protected.
Prerequisites
Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1803 or later:
- Windows 10 Professional
- Windows 10 Enterprise
- Windows 10 Education
- Windows 11
Application Guard itself is required for the extension to work. It has its own set of requirements. Check the Application Guard installation guide for further steps, if you don't have it installed already.
Installing the extension
Application Guard can be run under managed mode or standalone mode. The main difference between the two modes is whether policies have been set to define the organization's boundaries.
Enterprise administrators running Application Guard under managed mode should first define Application Guard's network isolation settings, so a set of enterprise sites is already in place.
From there, the steps for installing the extension are similar whether Application Guard is running in managed or standalone mode.
- On the local device, download and install the Application Guard extension for Google Chrome and/or Mozilla Firefox.
- Install the Microsoft Defender Application Guard companion app from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer.
- Restart the device.
Recommended browser group policies
Both Chrome and Firefox have their own browser-specific group policies. We recommend that admins use the following policy settings.
Chrome policies
These policies can be found along the filepath, Software\Policies\Google\Chrome\, with each policy name corresponding to the file name. For example, IncognitoModeAvailability is located at Software\Policies\Google\Chrome\IncognitoModeAvailability.
Policy name | Values | Recommended setting | Reason |
---|---|---|---|
IncognitoModeAvailability | 0 = Enabled; 1 = Disabled; 2 = Forces pages to only open in Incognito mode | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default. |
BrowserGuestModeEnabled | false or 0 = Disabled; true, 1, or not configured = Enabled | Disabled | This policy allows users to sign in as Guest, which opens a session in Incognito mode. In this mode, all extensions are turned off by default. |
BackgroundModeEnabled | false or 0 = Disabled; true or 1 = Enabled. Note: If this policy isn't set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension. |
ExtensionSettings | This policy accepts a dictionary that configures multiple other management settings for Chrome. See the Google Cloud documentation for complete schema. | Include an entry for force_installed | This policy prevents users from manually removing the extension. |
Firefox policies
These policies can be found along the filepath, Software\Policies\Mozilla\Firefox\, with each policy name corresponding to the file name. For example, DisableSafeMode is located at Software\Policies\Mozilla\Firefox\DisableSafeMode.
Policy name | Values | Recommended setting | Reason |
---|---|---|---|
DisableSafeMode | false or 0 = Safe mode is enabled; true or 1 = Safe mode is disabled | The policy is enabled and Safe mode isn't allowed to run. | Safe mode can allow users to circumvent Application Guard. |
BlockAboutConfig | false or 0 = User access to about:config is allowed; true or 1 = User access to about:config isn't allowed | The policy is enabled and access to about:config isn't allowed. | About:config is a special page within Firefox that offers control over many settings that may compromise security. |
Extensions - Locked | This setting accepts a list of UUIDs for extensions. You can find these extensions by searching extensions.webextensions.uuids within the about:config page. | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "ApplicationGuardRel@microsoft.com" | This setting allows you to lock the extension, so the user can't disable or uninstall it. |
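The following PowerShell audit is an added example, not part of the original article or any Microsoft tooling. It compares a device's registry against the recommended Chrome and Firefox values in the two tables above. It assumes the policies are deployed machine-wide under HKLM, and it does not check ExtensionSettings because the Chrome extension ID is not given on this page.

```powershell
# Added example: audit the recommended browser policies from the tables above.
# Assumption: policies are set machine-wide, so the paths are rooted at HKLM.
$chrome  = 'HKLM:\Software\Policies\Google\Chrome'
$firefox = 'HKLM:\Software\Policies\Mozilla\Firefox'
$agId    = 'ApplicationGuardRel@microsoft.com'   # Firefox extension ID from the table

$expected = @(
    @{ Path = $chrome;  Name = 'IncognitoModeAvailability'; Value = 1 }  # 1 = Disabled
    @{ Path = $chrome;  Name = 'BrowserGuestModeEnabled';   Value = 0 }  # 0 = Disabled
    @{ Path = $chrome;  Name = 'BackgroundModeEnabled';     Value = 1 }  # 1 = Enabled
    @{ Path = $firefox; Name = 'DisableSafeMode';           Value = 1 }  # Safe mode off
    @{ Path = $firefox; Name = 'BlockAboutConfig';          Value = 1 }  # about:config blocked
)

function Test-PolicyValue {
    param([string]$Path, [string]$Name, $Value)
    # A missing key or value yields $null, which is reported as non-compliant.
    $item   = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.$Name } else { $null }
    [pscustomobject]@{
        Policy    = "$Path\$Name"
        Expected  = $Value
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        Compliant = ($null -ne $actual) -and ($actual -eq $Value)
    }
}

$results = @(foreach ($e in $expected) { Test-PolicyValue @e })

# Extensions\Locked is a numbered list (1, 2, ...); the ID may sit in any slot.
$lockedKey = Join-Path $firefox 'Extensions\Locked'
$lockedIds = @()
if (Test-Path $lockedKey) {
    $key = Get-Item -Path $lockedKey
    # Trim so a value stored with stray whitespace is still matched.
    $lockedIds = @($key.GetValueNames() | ForEach-Object { "$($key.GetValue($_))".Trim() })
}
$results += [pscustomobject]@{
    Policy    = "$lockedKey\*"
    Expected  = $agId
    Actual    = if ($lockedIds.Count) { $lockedIds -join ', ' } else { '<not set>' }
    Compliant = $lockedIds -contains $agId
}

$results | Format-Table -AutoSize
```

Any row with Compliant = False marks a setting that leaves a path around the extension, such as Incognito, Guest, or Safe mode, or lets the user remove it.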
Troubleshooting guide
Error message | Cause | Actions |
---|---|---|
Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the companion app and reboot 2. If the companion app is already installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and reinstall the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser |
ExceptionThrown | An unexpected exception was thrown. | 1. File a bug 2. Retry the operation |
Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser 2. Check for updates in both the Microsoft store and the respective web store for the affected browser |
Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed 2. If the companion app is installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and reinstall the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser |
Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. File a bug 2. Retry the operation |
Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed. 2. If the companion app is installed, reboot and see if that resolves the error 3. If you still see the error after rebooting, uninstall and reinstall the companion app 4. Check for updates in both the Microsoft store and the respective web store for the affected browser |
Protocol out of sync | The extension and native app can't communicate with each other. This error is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser |
Security patch level doesn't match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser |
Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. File a bug 2. Check if Microsoft Edge is working 3. Retry the operation |