Run Microsoft Edge in Sandbox with Windows Defender Application Guard

To test some online applications using the Microsoft Edge browser but in an isolated and protected Sandbox environment, we can take the support of Windows 10 office or Edge Defender Application Guard (WDAG). And here in this tutorial, we let you know how to do this…

The new Microsoft Edge based on Chromium offers a possibility to isolate the browser session from the rest of the system. Of course, this is not some feature that we want to use regularly that’s why it is disabled by default. To run Edge browser in a Sandbox environment, we need to first enable the “Microsoft Defender Application Guard” feature.

Well, one thing to be noted that, Defender Application Guard is not available in the home version of Windows 10, but only in the Professional, Enterprise, and Education editions running on Build 16188+. And for good performance, the system should have at least 8 GB of RAM and a CPU that supports Second Level Address Translation (SLAT) which are common nowadays in all modern system running Windows 10 operating systems.

 

What is Defender Application Guard (WDAG) and how does it work?

To execute Microsoft Edge browser and Office apps such as Word, PowerPoint, and Excel in a safe environment, so that they can’t harm the main system; Microsoft has implemented a feature on Windows 10 called Defender Application Guard.  It helps enterprises and other users to run Edge browser and office app in an isolated Hyper-V virtual machine/container to make them separate from the host operating system.

This feature helps developers, enterprises, and common users to visit websites that are not safe to visit in a standard environment. The container isolation means, if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can’t get credentials or other enterprise data saved on the browser & system.

Hardware isolation with Windows defender application Guard

Note: As this uses the native virtual machine, thus you would need to change the Paravirtualization interface to Hyper-V in VirtualBox to run its VMs. Still, there is no surety that your Vmware or VirtualBox will work properly after enabling this feature.

 

Enable Defender Application Guard

By default, Windows Defender Application Guard will not be activated, therefore to use this feature we need to manually activate it from the “Turn Windows features on or off” option.

  1. Go to the Windows 10 search box and type – Turn Windows features and when you see it, click on the Open link.
  2. Now, scroll and find to enable Microsoft Defender Application Guard.
    Microsoft Defender Guard
  3. Check the box given in front of it.
  4. Wait for few seconds, the system will install this feature.
  5. Now, restart your Windows 10 to let the changes take effect.
    Restart Windows to install feature update

 

Alternatively, we can enable it using the PowerShell command. Right-click on Windows 10 Start Menu and select Windows PowerShell (admin) and copy-paste the below command:

Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard

 

Run Microsoft Edge in Application Guard

Once you have restarted your system and activated Application Gaud, it’s time to run your Microsoft Edge browser in with.

  • Open Microsoft edge on your Windows 10 system
  • Click on the three dots given on the right top side to access settings.
  • Select “New Application Guard windows“.  Alternatively, you can use the keyboard shortcut “Ctrl+Shift+A“.Microsoft Edge in Defender Application Guard
  • This will start a New Edge browser session in a sandbox environment.  The process would take some time depending upon your system speed.

 

Check Edge Integration

Well, you hardly can make any difference, in the newly opened session because everything looks the same even all settings of the Edge browser are available in Defender mode. Of course, it will be because it is the same browser just running on a virtual machine.

However, if you want to aware that whether the Edge is running in Defender Application Guard or not; you can see an icon right to the URL bar. Click that and it will show “You are browsing in Application Guard for Microsoft Edge. This helps keep your computer safer by creating a separate browsing environment.”

Check Edge browser integration with application Guard

If you go to Settings, a message appears “Your browser is managed by your organization”. Well, you can access all settings of the browser as you do in a normal session including Extensions, Import of bookmarks, Save data to clipboard or paste from the clipboard, and more… But things like Sign in with a Microsoft or company account and Store files outside of the sandbox will not be available to use.

 

How to Enable Application Guard features for Edge browser

Well, few features will not be accessible while using Edge on Defender Application Guard unless you enable them manually from the setting such as Saving of Edge DataCopy-paste from the Application Guard for Microsoft Edge, Print filesCamera and microphone, and Advanced Graphics. Thus, to use them follow the below steps…

  • In the Windows 10 Search box type- Windows Security.
  • Select App & browser control.
  • Select the “Change Application Guard Settings” link from the right-side panel.
    Change Application Guard Settings for Microsoft Edge browser
  • Now, you will have all the settings related to Guard. Enable the one you want such as copy-paste.
    Application Guard Settings

 

Disable or Uninstall

Well, you can either go to the Turn windows feature on or off, from where you have enabled this Sandbox feature. And just uncheck it again to revert to old settings. Alternatively, click on the link given in Windows Security under Apps & Browser control to uninstall Application guard.

Disable or uninstall Application Guard min

Or Directly run the below command in PowerShell as Admin.

Disable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard

 

Closing thoughts

Thus, this was the way to use this Edge Sandbox feature while running the whole system in a normal regular environment. Whatever happens in the sandbox stays in the sandbox. So if you actually land on a malicious site, it cannot access the actual system. This means some possible threat, malicious file, script, code, or any other type of infected file will remain trapped in the sandbox and automatically disappear unless and until you enable copy-paste feature and deliberately copy some file from sandbox to your main system.

Thus, saying that the Application Guard is primarily intended for use in companies will not be wrong.  Also, remember one thing, after enabling this feature you perhaps face slow down or some issues with VirtualBox or Vmware Workstation player VMs.  Know about this Windows 10 feature from the official website.

 

 

 

 

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.