Hands-on: Windows Defender Application Guard

More than a year ago Microsoft announced a new Windows 10 feature that lets Microsoft Edge open untrusted sites in a Hyper-V based container isolated from the host. The feature has to be configured before users can access it, which can be done through Group Policy. For more information: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-application-guard/configure-wd-app-guard

In the chart below you can see Microsoft’s comparison of Microsoft Edge and Edge with Windows Defender Application Guard:


I installed Windows 10 Enterprise Insider Preview Build 16278 on a computer, enabled Application Guard and started experimenting.

I started out by enabling some useful policy settings, found under “Administrative Templates -> Windows Components -> Windows Defender Application Guard”.

Allow data persistence for Windows Defender Application Guard: Saves user-downloaded files and other items (such as cookies, Favorites and so on) for use in future Application Guard sessions. I enabled this setting to give end users a smoother experience when using Application Guard. Expect some confusion about how to access files that were downloaded in an Application Guard session. A session can be reset with “Reset-ApplicationGuard”, but that command is not available in the build I’m running.

Configure Windows Defender Application Guard Clipboard Settings: Enabling this setting gives you several options. Allowing data to be copied from the host into the isolated session is not recommended, because a compromised Application Guard session would then get access to the host’s clipboard. I enabled “Enable clipboard operation from an isolated session to the host” and specified the value 1: Allows text copying (2 = Allows image copying, 3 = Allows both text and images).

Configure Windows Defender Application Guard Print settings:

By default you can’t print from an Application Guard session. In this policy you can choose from 15 different combinations to allow printing from the session to local, XPS, PDF and network printers. In this scenario I only chose to allow printing to PDF for now.

I also had to configure settings in “Administrative Templates -> Network -> Network Isolation” in order to fully configure Windows Defender Application Guard.

I specified “Enterprise resource domains hosted in the cloud”, which are sites I fully trust and allow to run in a normal browser session. For these testing purposes I specified 2 sites. Pay close attention to how the sites are separated: instead of a comma, the entries are separated by a pipe (|) character. Wildcards are supported by putting a dot before the domain name, so that the domain and everything below it counts as an enterprise resource.
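The same configuration applied directly with PowerShell, as an added example that is not code from the original post. It covers the persistence, clipboard, print and Network Isolation settings described above, and adds a small helper that validates the pipe-separated list and shows which browser a given host name would open in. The registry keys and value names are my assumptions about what the AppHVSI.admx and NetworkIsolation.admx templates write (verify them in the ADMX files before relying on them), the wildcard matching rule is my reading of the policy description, and the domain names are constructed sample data.

```powershell
# Added example, not code from the original post: apply the settings this post
# configures through GPO via the registry keys the ADMX templates write, plus a
# helper that validates the enterprise resource list and tells you whether a
# host would open in the normal browser or in the isolated session.
# Registry paths and value names are assumptions; verify them in the ADMX files.
$ErrorActionPreference = 'Stop'

function ConvertTo-EnterpriseResourceList {
    # Joins domains with '|' (the separator the policy expects) and rejects
    # entries containing commas or whitespace, the usual mistake.
    param([Parameter(Mandatory)][string[]]$Domains)
    foreach ($d in $Domains) {
        if ($d -match '[,\s]') { throw "Invalid entry '$d': separate domains with '|', no commas or spaces" }
    }
    return ($Domains -join '|')
}

function Test-EnterpriseResource {
    # $true when $HostName is an enterprise resource (opens in the normal browser),
    # $false when it would open in the isolated session.
    # Assumed matching rule: an entry starting with '.' covers the domain and all
    # its subdomains; any other entry must match the host name exactly.
    param([Parameter(Mandatory)][string]$HostName,
          [Parameter(Mandatory)][string]$ResourceList)
    $h = $HostName.Trim().ToLowerInvariant()
    foreach ($entry in $ResourceList.Split('|', [StringSplitOptions]::RemoveEmptyEntries)) {
        $e = $entry.Trim().ToLowerInvariant()
        if ($e.StartsWith('.')) {
            if ($h -eq $e.TrimStart('.') -or $h.EndsWith($e)) { return $true }
        }
        elseif ($h -eq $e) { return $true }
    }
    return $false
}

# Constructed sample: one wildcard entry and one exact entry.
$list = ConvertTo-EnterpriseResourceList @('.contoso.com', 'intranet.fabrikam.com')
foreach ($h in 'mail.contoso.com', 'contoso.com', 'intranet.fabrikam.com', 'www.fabrikam.com') {
    '{0,-25} enterprise={1}' -f $h, (Test-EnterpriseResource -HostName $h -ResourceList $list)
}

# --- Host configuration (elevated shell; reboot afterwards) ---
Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart | Out-Null

$hvsi = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'                   # assumed: Application Guard policy key
$ni   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'  # assumed: Network Isolation policy key
foreach ($k in $hvsi, $ni) { if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null } }

$settings = @(
    @{ Path = $hvsi; Name = 'AllowPersistence';         Type = 'DWord';  Value = 1 }     # keep downloads, cookies, Favorites between sessions
    @{ Path = $hvsi; Name = 'AppHVSIClipboardSettings'; Type = 'DWord';  Value = 1 }     # 1 = isolated session -> host only (2 = host -> session, 3 = both)
    @{ Path = $hvsi; Name = 'AppHVSIClipboardFileType'; Type = 'DWord';  Value = 1 }     # 1 = text (2 = images, 3 = both)
    @{ Path = $hvsi; Name = 'AppHVSIPrintingSettings';  Type = 'DWord';  Value = 2 }     # bit flags: 1 XPS, 2 PDF, 4 local, 8 network; 2 = PDF only
    @{ Path = $ni;   Name = 'EnterpriseCloudResources'; Type = 'String'; Value = $list } # pipe-separated trusted domains
)
foreach ($s in $settings) {
    New-ItemProperty -Path $s.Path -Name $s.Name -PropertyType $s.Type -Value $s.Value -Force | Out-Null
}
Get-ItemProperty -Path $hvsi, $ni | Format-List
```

With the sample list, the helper reports mail.contoso.com and contoso.com as enterprise resources (covered by the “.contoso.com” wildcard), intranet.fabrikam.com as an exact match, and www.fabrikam.com as not trusted, which is the host that would open in the isolated session. The clipboard value 1 deliberately allows only the isolated-session-to-host direction, matching the recommendation above.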


After a reboot I was ready to launch Microsoft Edge and give the feature a try. My first attempt to launch an Application Guard session (directly from Microsoft Edge, which was now an option):

It took 5 minutes for my first session to launch, patience is a virtue:

When the session launches, the first thing I notice is that my Favorites are missing, just as expected:

I started by browsing a site that’s on the list of Enterprise Resources, and it opened just as expected in a normal session, where I was able to interact with one of the sites I trust. Screenshot:


The second I access a site that’s not on the list of Enterprise Resources, it opens in a new, protected instance of Microsoft Edge with a different icon on the toolbar, as expected:

Trying to copy data from the host into the Application Guard session gives me a warning, also as expected:

Trying to paste data from the session to Notepad works just fine without any warning.

Overall, this feature gives strong isolation and provides a way for users to browse the internet without risking that the host will be compromised. Currently it’s not the most efficient way to browse, and Microsoft is looking into supporting extensions and letting Favorites work across the isolated and normal sessions.


Windows Defender Application Guard is set to release with the Windows 10 Fall Creators Update.

Securing Windows environments with baselines

I recently held a webcast in Norwegian about securing Windows with baselines and the changes to managing baselines after Microsoft announced the retirement of “Security Compliance Manager”. For more information: https://blogs.technet.microsoft.com/secguide/2017/06/15/security-compliance-manager-scm-retired-new-tools-and-procedures/

I promised to write a blog post containing the simple script I used to export the GPOs from my lab environment and import them into production.

Recording of the full presentation can be seen here (Norwegian only):

A quick summary of how I manage the baselines:

  1. A dummy server containing two copies of every Group Policy object: one unchanged from the baseline and one with my customizations configured. The reason for having two is that it makes it easy to compare my customizations against the defaults using Policy Analyzer.
  2. Export every baseline GPO whose name contains a specific string from the dummy server.
  3. Import the baselines into the production environment, removing the specific string (“Test” in my case) from the name. If a policy with that name already exists, the import overwrites its settings with the exported ones.

The “Security Compliance Toolkit” can be downloaded here: https://www.microsoft.com/en-us/download/details.aspx?id=55319

I also promised to do some generalizations in my script prior to publishing but it’s almost been two weeks since my webcast and I haven’t had the time yet. The script is only intended for demonstration purposes and should not be used in production environments without adjusting the code.
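As an added example that is not the author’s script, the three steps above can be done with the GroupPolicy module that ships with RSAT: filter the lab GPOs by the marker string, back them up, and import each backup into production under the name with the marker removed. The domain names and backup path are placeholders, and note that Import-GPO replaces the settings of an existing target GPO with those in the backup.

```powershell
# Added example, not the author's script: export GPOs whose name carries a marker
# string from the lab domain and import them into production without the marker.
# Requires the GroupPolicy module (RSAT) and rights in both domains.
# Domain names and the backup path are placeholders.
#Requires -Modules GroupPolicy
param(
    [string]$LabDomain  = 'lab.example.local',   # assumed
    [string]$ProdDomain = 'corp.example.local',  # assumed
    [string]$Marker     = 'Test',                # the string that flags lab copies
    [string]$BackupPath = 'C:\GPOBackups',
    [switch]$WhatIf
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

function Get-ProductionName {
    # 'MSFT Windows 10 - Computer Test' -> 'MSFT Windows 10 - Computer'
    param([Parameter(Mandatory)][string]$DisplayName, [Parameter(Mandatory)][string]$Marker)
    return (($DisplayName -replace [regex]::Escape($Marker), '') -replace '\s{2,}', ' ').Trim()
}

# 1. Export: only the GPOs whose display name contains the marker.
$labGpos = Get-GPO -All -Domain $LabDomain | Where-Object { $_.DisplayName -like "*$Marker*" }
if (-not $labGpos) { throw "No GPOs matching '*$Marker*' found in $LabDomain" }

$backups = foreach ($gpo in $labGpos) {
    # Backup-GPO returns a GpoBackup object; its Id is the backup id used below.
    Backup-GPO -Guid $gpo.Id -Domain $LabDomain -Path $BackupPath -Comment "Lab export $(Get-Date -Format s)"
}

# 2. Import: -CreateIfNeeded creates the target GPO when it does not exist;
#    when it does exist, its settings are replaced by the backup (not merged).
foreach ($b in $backups) {
    $target = Get-ProductionName -DisplayName $b.DisplayName -Marker $Marker
    if ($WhatIf) { "Would import '$($b.DisplayName)' as '$target' into $ProdDomain"; continue }
    Import-GPO -BackupId $b.Id -Path $BackupPath -Domain $ProdDomain -TargetName $target -CreateIfNeeded |
        Select-Object DisplayName, Id, ModificationTime
}
```

Run it with -WhatIf first to see the name mapping before anything is written to production. Links and security filtering are not part of a GPO backup, so the imported policies still have to be linked in the production domain, and a migration table (Import-GPO -MigrationTable) is needed if the lab GPOs reference lab-specific security principals or UNC paths.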

That’s it.

Work Folders – Extending Sync Shares beyond the limit (21)

The Work Folders feature was introduced in Windows Server 2012 R2 and lets clients synchronize files with a built-in agent (in Windows 8.1 and 10; there’s also a patch for Windows 7 Enterprise). Support for iOS and Android was added later. To read more about Work Folders: https://technet.microsoft.com/en-us/library/dn265974(v=ws.11).aspx

By default you can only create 21 Sync Shares in Work Folders, because of limitations in the ESE (Jet) database that Work Folders is built on. Usually a few Sync Shares are more than enough for a company of almost any size, and extending the limit beyond 21 will only be necessary on very rare occasions. Due to the unusual nature of my environment I needed up to several hundred Sync Shares and reached the limit quickly. When you reach the limit you are still able to create more Sync Shares, but users whose Sync Share is one of those created after number 21 will receive a “Parameter is incorrect” error in their Work Folders Control Panel.

To extend the Sync Share limit beyond 21: open Regedit on the Work Folders server, navigate to HKLM\SYSTEM\CurrentControlSet\Services\SyncShareSvc\Settings and create a new Multi-String value with the following data:

ValueName: EseParameterSettings




..and that’s it. Restart the Sync Share Service, and every Sync Share you create will work until you reach 1024 Sync Shares on the same server/cluster. If you run a cluster, make sure to configure every node identically.
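The same change scripted for every node of a cluster, as an added example that is not from the original post. The value data the post shows is not reproduced on this page, so the script takes the lines of the multi-string value as a parameter; the cmdlets used (New-ItemProperty, Restart-Service, Get-SyncShare) are standard, and the node names are placeholders.

```powershell
# Added example, not from the original post: create the REG_MULTI_SZ value that
# raises the Sync Share limit on every node, restart the service and read the
# value back. The value data is supplied by the caller; it is not on the page.
param(
    [Parameter(Mandatory)][string[]]$EseParameterSettings,   # one string per line of the multi-string value
    [string[]]$ComputerName = @($env:COMPUTERNAME)           # all cluster nodes, e.g. 'WF01','WF02' (placeholders)
)
$ErrorActionPreference = 'Stop'
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\SyncShareSvc\Settings'

foreach ($node in $ComputerName) {
    Invoke-Command -ComputerName $node -ArgumentList $regPath, $EseParameterSettings -ScriptBlock {
        param($Path, $Data)
        if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
        # -PropertyType MultiString writes REG_MULTI_SZ; a string array becomes one line per element.
        New-ItemProperty -Path $Path -Name 'EseParameterSettings' -PropertyType MultiString -Value $Data -Force | Out-Null
        Restart-Service -Name 'SyncShareSvc'
        [pscustomobject]@{
            Node     = $env:COMPUTERNAME
            Value    = (Get-ItemProperty -Path $Path -Name 'EseParameterSettings').EseParameterSettings -join ' ; '
            Service  = (Get-Service -Name 'SyncShareSvc').Status
        }
    }
}

# How many Sync Shares exist; the ones numbered 22 and above are those hit by the default limit.
(Get-SyncShare | Measure-Object).Count
```

Invoke-Command needs WinRM on the nodes; for a single stand-alone server the default $ComputerName value runs it locally. The read-back at the end is the quickest way to spot a node that was missed, since a cluster with one node still on the default limit will fail only for users whose sync share happens to be served by that node.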


Windows 10 Enterprise E3 on CSP

As Microsoft continues to move towards the “Windows as a Service” model, they recently released Windows 10 as part of the Cloud Service Provider program, which makes Windows 10 Enterprise available to organizations of any size as a monthly subscription. I also consider this another opportunity to increase the adoption of Windows 10, especially since Enterprise features such as Credential Guard and AppLocker are almost becoming mandatory for sufficient protection of Windows given the increased threat landscape.

The biggest disappointment with this license is that it requires an activated Windows 10 Professional license before it can be activated, which means it cannot be used as a cheaper upgrade path to Windows 10. It also doesn’t include Software Assurance, which I consider one of the bigger benefits of the Enterprise license. Technical documentation can be found here: https://technet.microsoft.com/en-us/itpro/windows/deploy/windows-10-enterprise-e3-overview

Microsoft will likely introduce a new license called “Windows 10 Enterprise E5” that includes Windows Defender ATP; whether Software Assurance will be part of this E5 license is currently unknown.

Considering that some Group Policies were deprecated in Windows 10 Professional prior to the launch of this license, it could seem like Microsoft is trying to push organizations towards the Enterprise license. Sources at Microsoft confirmed this is not the case and that Professional will still be usable for business in the future.


Customizing Bitlocker Unlock screen

With the Windows 10 ADMX templates finally released, I had a thorough look through every setting that was added and found one of them very useful. To see the full announcement from Microsoft: http://blogs.technet.com/b/askds/archive/2015/08/07/windows-10-group-policy-admx-templates-now-available-for-download.aspx

The specific setting I found very useful is found here: Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives\

“Configure pre-boot recovery message and URL”, which lets you configure the default message users see on the BitLocker recovery screen, i.e. when they are asked for the recovery key at boot, which sometimes also happens when they attach their PC to a docking station.

I tested it myself and it works just as described (I added an example text to show how useful it would be for enterprises to configure it):
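For a test VM or a machine outside a domain, the same policy can be applied by writing the registry values the BitLocker ADMX template maps it to. This is an added example, not from the original post: the key path, the value names and the PrebootRecoveryInfo codes are my assumptions from the FVE policy template and the BitLocker CSP documentation and should be verified there, and the message text and URL are constructed placeholders.

```powershell
# Added example, not from the original post: set the pre-boot recovery message
# and URL through the registry values behind the "Configure pre-boot recovery
# message and URL" policy. Key path, value names and the PrebootRecoveryInfo
# codes are assumptions; verify them against the FVE ADMX before use.
$ErrorActionPreference = 'Stop'
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'   # assumed: BitLocker policy key
if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }

# Constructed sample text; organisation name, phone number and URL are placeholders.
$message = 'This PC belongs to Contoso. Contact the service desk (+1 555 0100) with the Recovery Key ID shown above to obtain your recovery key.'
$url     = 'https://helpdesk.contoso.example/bitlocker'

# PrebootRecoveryInfo (assumed mapping): 0 = empty message and URL,
# 1 = default message and URL, 2 = custom message, 3 = custom URL.
$values = @(
    @{ Name = 'PrebootRecoveryInfo';    Type = 'DWord';  Value = 2 }
    @{ Name = 'PrebootRecoveryMessage'; Type = 'String'; Value = $message }
    @{ Name = 'PrebootRecoveryUrl';     Type = 'String'; Value = $url }
)
foreach ($v in $values) {
    New-ItemProperty -Path $fve -Name $v.Name -PropertyType $v.Type -Value $v.Value -Force | Out-Null
}

# Read back what was written; the message itself only appears the next time the
# recovery screen is triggered (for example after a boot configuration change).
Get-ItemProperty -Path $fve | Select-Object PrebootRecoveryInfo, PrebootRecoveryMessage, PrebootRecoveryUrl
```

Keep the message short and free of anything sensitive: it is displayed before authentication to whoever is holding the machine, so it should tell a legitimate user where to get help and nothing more.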