The idea is to limit access to the system by isolating the browsing session, so that an attacker who uses the browser as an entry point stays locked in.
This feature lets your Edge browser run in a VM for unknown websites. You will not notice a VM starting up; it just feels like a "different private mode" in your browser.
A good explanation of how it works behind the scenes can be found in this video:
You can manage it through GPOs that define which trusted websites (e.g. organizational websites) should open in the normal Edge, with the full set of Win32 APIs.
All other websites are opened in the sandboxed version of Edge. The sandboxing is realized with Hyper-V virtualization: the container runs a kernel with a limited set of Win32 APIs, which makes it even harder to break in. And even if an attacker does break in, they are locked inside the virtualization layer. When you close the browser the threat is gone too, because the environment is non-persistent.
Additionally, this is tied into Windows Defender Advanced Threat Protection, so you even get notified if someone tried to compromise your environment.
For more information on this, check out this site:
https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge
And to get the full current (1709) holistic view of Microsoft security, please check out this recent video, which covers more than just Application Guard; Application Guard is one brick in a bigger wall.
Enabling it is relatively simple (depending on the hardware requirements), but you need to fulfill the requirements:
Currently WDAG is a bit tricky with updates. It worked in 16299.19 on the English-US version of Windows. Update KB4043961 broke the feature, so you need to dismiss this update. Other languages may also not work right away, but from build 17035 onwards it starts working in German again.
- Windows 10 Enterprise SKU only
- The PC must support Hyper-V (some older PCs may not support Hyper-V or have the feature disabled in the BIOS)
- Windows Defender Application Guard is off by default; it must be enabled manually or by policy
- Hardware limits:
  - Min. 4 (!) logical processors (e.g. dual core + Hyperthreading)
  - Min. 8 GB RAM
  - Min. 5 GB HDD disk space
- When you stay within these limits and enable GuestVirtualization (nested virtualization) for the VM in Hyper-V (only possible via PowerShell), it also works inside a VM.
1. Enable Windows Defender Application Guard in "Windows Features".
2. Set up the policies for WDAG (very important!):
   - Network Isolation policies (defining what the enterprise network is): Computer Configuration\Administrative Templates\Network\Network Isolation
   - Application Guard policies (defining WDAG behaviour): Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard
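As an added example (not from the original post), the following PowerShell script checks the requirements listed above and then enables the WDAG optional feature; the VM name 'Win10-Test' in the commented nested-virtualization step is a placeholder, everything else uses documented Windows cmdlets and values. Run it in an elevated PowerShell 5.1 session on Windows 10 Enterprise.

```powershell
# Added example, not part of the original post: verify the WDAG prerequisites
# and enable the feature. 'Win10-Test' is a placeholder VM name.

function Test-WdagPrerequisites {
    $cs  = Get-CimInstance Win32_ComputerSystem
    $os  = Get-CimInstance Win32_OperatingSystem
    $cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
    $sys = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    # Virtualization is usable if a hypervisor is already running (Hyper-V on, or
    # nested virtualization exposed to this VM) or VT-x/AMD-V is enabled in firmware.
    $virt = $cs.HypervisorPresent -or $cpu.VirtualizationFirmwareEnabled

    $checks = [ordered]@{
        'Enterprise SKU'          = $os.Caption -like '*Enterprise*'
        'Hyper-V capable'         = [bool]$virt
        'Logical processors >= 4' = $cs.NumberOfLogicalProcessors -ge 4
        # TotalPhysicalMemory excludes firmware-reserved memory, so allow a small margin.
        'RAM >= 8 GB'             = $cs.TotalPhysicalMemory -ge 7.5GB
        'Free disk >= 5 GB'       = $sys.FreeSpace -ge 5GB
    }
    foreach ($c in $checks.GetEnumerator()) {
        '{0,-26} {1}' -f $c.Key, $(if ($c.Value) { 'OK' } else { 'MISSING' })
    }
    return -not ($checks.Values -contains $false)
}

function Enable-Wdag {
    # Same feature that the "Windows Features" dialog toggles.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    if ($feature.State -eq 'Enabled') { 'WDAG already enabled'; return }
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
    'WDAG enabled; reboot, then configure the Network Isolation and Application Guard policies.'
}

if (Test-WdagPrerequisites) { Enable-Wdag } else { 'Prerequisites not met; fix the MISSING items first.' }

# To test inside a Hyper-V VM, first expose the virtualization extensions to the
# (stopped) VM from the host, which is only possible via PowerShell:
#   Set-VMProcessor -VMName 'Win10-Test' -ExposeVirtualizationExtensions $true
```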
More about the policies can be found here: