Once I had solved my recent Windows Defender Application Guard (WDAG) problems:
Resolving Windows Defender Application Guard Issues
I now wanted to get it working in a manner that suited me. That meant that I wanted Microsoft Edge to work normally for things like Microsoft 365, Azure and other Microsoft sites but to automatically open Edge with WDAG if I ventured outside that. I also wanted to retain the flexibility to have a third party browser (Brave) also working on my machines. In essence, I am trying to achieve the ability to automatically ‘sandbox’ general internet browsing from work in the Microsoft Cloud as way of protecting the workstation from malicious web sites.
I’m not going to cover off setting up WDAG on your machine or via Intune because there are plenty of articles out there that show you how to enable it. You can start here:
Windows Defender Application Guard Overview
In essence, WDAG opens a defined set of URLs in a sandboxed version of Edge automatically. This means you’ll need to do a little configuration and add some features to your local version of Windows prior to getting it working. You can read about that here:
Prepare to install Windows Defender Application Guard
My configuration will be in Enterprise-managed mode. This means that I can automatically ‘white-list’ domains that I don’t want WDAG to operate with via a policy pushed from the Internet. In my case, these will be Microsoft Cloud URLs like http://www.office.com, portal.office.com and so on. Everything, apart from what I ‘white list’ I want to open using WDAG for protection.
The first thing to note here is that if you want to use Enterprise-managed mode you will need to have Windows 10 Enterprise edition. Windows 10 Pro edition only supports stand alone mode. This means:
In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites.
To do this manually, you must edit the local computer policy using the local Group Policy editor or like as shown here:
Application Guard in stand alone mode
It is pretty easy to set up and get working but not really scalable. Scripting may help overcome that.
In Enterprise-mode my initial questions was ‘Where do I define my sites?’. As it turns out, this isn’t particularly obvious, so it took me a while to track down. The definitions for the sites you want to ‘white list’ for WDAG are actually in the Intune App Protection policy settings.
Turns out they are in the Advanced settings of your Intune App Protection policy, as shown above.
I had wrestled with these settings previously, which I detailed here:
Intune App Protection Policy blocking browser
What I didn’t appreciate initially was that sites you define here however ALSO APPLY to WDAG! Makes sense now that I look at it, but I certainly didn’t think it was the place I should be looking to ‘white list’ sites for WDAG. Now you too are the wiser.
Another subtle configuration option that took me a while to figure out was:
Initially, I had portal.office.com white listed from WDAG but in fact the navigation was going to http://www.office.com, which means WDAG would trigger and open http://www.office.com because it wasn’t ‘white listed’. Then I thought *.office.com would work, but no. Maybe office.com? Nope. Turns out what I needed was
..office.com
which:
Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include shop.contoso.com, us.shop.contoso.com, http://www.us.shop.contoso.com, but NOT contoso.com itself.
So be super careful with how you configure you network perimeter settings and domain wildcards as it can make things very confusing if you don’t have a good handle on it. My suggestion is to start with only one or two sites in your network perimeter and ensure that they work. Only then scale up once you have verified it is operating as expected.
Finally, with all that configured correctly, WDGA was working as expected. Yeah! This meant that when I went to a Microsoft Cloud URLs like http://www.office.com, portal.azure.com, etc. WDGA wasn’t activated, but if I went elsewhere, WDGA launched and navigated to that site in the WDAG container. In the end I also white listed sites like bing.com, docs.microsoft.com, etc as I go there many times a day.
If you browse to a non ‘white listed’ site (here www.ciaopsacademy.com), then a WDAG session is launched. You’ll see WDAG spin up, if it is the very first time it has been activated. You’ll then see the browser load the site in question and then you’ll notice a WDAG icon in the toolbar as shown above, which, when opened, will let you know that the current browser is using WDAG.
You configure WDAG settings via Intune Endpoint protection policies as shown above.
My suggestion would be to enable the option to Retain user generated browser data as shown above. This means things like extensions, session cookies and the like will be retained between sessions. However, if you want a totally clean experience each time, then disable that option.
By default, you’ll find that any file you download while WDAG is active, will be saved into an Untrusted files folder as shown above.
You can also get a WDAG companion app from the Windows store:
This allows you to manually launch a WDAG session, which is probably handy if you are not using Enterprise-managed mode. It will launch this is a container isolated from anything that automatically launches via your browsing, keeping that separate as well.
If you want non Microsoft browsers to also be protected with WDAG then you’ll find plugins available:
With these plug ins installed, those browsers will also only open non-whitelisted sites. Anything else will be opened in an Edge WDAG session for protection.
So now I have WDAG working the way I wanted. My main stumbling block was no appreciating that the WDAG ‘white list’ was the same as WIP and set via Intune App Protection policies. I now have a better appreciation for the breath of the settings in these policies.
I’m sure I’ll be tweaking WDAG along the way but I feel much more secure in the fact that I have it working and protecting my ‘random browsing’. Like most security configurations, WDAG takes a little bit of understanding and setup to get working but the end result is a much safer environment to work in and I’m all for that. Hopefully you are too!
CIAOPS 
Hi, now that the Intune admin portal has been removed, do you know where these settings have moved to? Specifically the whitelisting URLs…
LikeLike
EndPoint Manager will be the ultimate location
LikeLike
Hello mate,
You are a lifesaver! Thanks for finding this out as I too was struggling to set the sites for WDAG. I wonder why MS did not document this anywhere. 😦
LikeLike
Glad to hear I was able to help.
LikeLike
Hi mate, I am stuck.. for some sites like cloud resources and neutral resources MS Edge opens normally (cos I have defined them) but though I have defined sites in protected domains and network domains, they still open in application guard. It just doesn’t work for network domain sites. any idea how I can troubleshoot this?
LikeLike
If you are having issues, log a ticket with MS. They are free after all.
LikeLike
Hello, This post is really very helpful…Is it also possible to provide user the ability to report a url to allow for whitelisting ? thanks!
LikeLike
No. WDAC is all admin controlled.
LikeLike
is there any tool or any other method(O365) to configure this ?
LikeLike
Yeah, you use the standard Windows tools like PowerShell
LikeLike
Any references for this ?
LikeLike
https://blog.mindcore.dk/2019/02/windows-defender-application-guard_25.html show you via Group Policy
LikeLike
Hello, I was able to implement application guard but is there a way to know and check the url which has been whitelisted from Intune on the client machine ?
LikeLike
That is all determined by policy. There is no ‘what if’ capabilities when it comes to URLs they are all determined by your policies.
LikeLike