Microsoft Application Guard Extension for Chrome and Firefox
Microsoft Windows defender is a relatively new security application guard extension for Chrome and Firefox designed to help prevent old and newly emerging attacks to help keep employees productive. Using the Microsoft unique hardware isolation approach, the goal is to destroy the playbook that attackers use by making current attack methods obsolete. Presently, the application extensions only work for Chrome and Firefox running on current Windows Insider builds, but are expected to work with the upcoming Windows 10 stable release, 19H1, scheduled for release later.
The Windows defender application guard is designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.
Microsoft said the Windows defender will allow enterprise administrators set up a list of trusted websites and local resources that the user can access using Edge. If a user accesses an URL that is not on this list, Windows defender application guard comes into effect and starts a sandboxed session of Edge (an Hyper-V-enabled container) where the new website will be loaded in a safe environment isolated from the rest of the Edge browser and underlying operating system.
Microsoft Windows Defender Guard overview
Enterprise desktops: These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
Enterprise mobile laptops: These laptops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
Bring your own device (BYOD) mobile laptops: These personally-owned laptops are not
Threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
64-bit CPU: A 64-bit computer with a minimum of 4 cores (logical processors) is required for the hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see Hyper-V on Windows Server 2016 or Introduction to Hyper-V on Windows 10. For more info about hypervisor, see Hypervisor Specifications.
CPU virtualization extensions: Extended page tables, also called Second Level Address Translation (SLAT)
AND: One of the following virtualization extensions for VBS:
OR: – AMD-V
Hardware memory: Microsoft requires a minimum of 8GB RAM
Hard disk: 5 GB free space, solid state disk (SSD) recommended
Input/Output Memory Management Unit (IOMMU) support: Not required, but strongly recommended
Operating system: Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803
Browser: Microsoft Edge and Internet Explorer, Firefox, Chrome
Management system (only for managed devices): Microsoft Intune
OR: System Center Configuration Manager
OR: Group Policy
OR: Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.
Personal devices: These personally-owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.