Enable Download to Host from Windows Defender Application Guard Microsoft Edge session in Windows 10


Microsoft Edge is a new web browser that is available across the Windows 10 device family. It is designed for Windows 10 to be faster, safer, and compatible with the modern Web.

Microsoft Edge running in Application Guard provides the maximum level of protection from malware and zero-day attacks against Windows. Windows Defender Application Guard for Microsoft Edge is a lightweight virtual machine that helps isolate potentially malicious website activity from reaching your operating system, apps, and data.

There is no persistence of any cookies or local storage when an Application Guard window is closed in Microsoft Edge.

Three core features of Windows Defender Application Guard:
  • Isolated Browsing - Windows Defender Application Guard uses the latest virtualization technology to help protect your operating system by creating an isolated environment for your Microsoft Edge session.
  • Help Safeguard your PC - Windows Defender Application Guard starts up every time you visit a non-work-related site to help keep potentially malicious attacks away from your PC.
  • Malware Removal - Any websites you visit, files you download, or settings you change while in this isolated environment are deleted when you sign out of Windows, wiping out any potential malware.

Starting with Windows 10 build 17120, the Windows Defender Application Guard (WDAG) Team has introduced new improvements for users to have a better experience. One of the items users voiced in the Feedback Hub was an inability to “download files from within WDAG” to the host. This created an inconsistent experience for Edge overall as downloaded files were stuck inside the container. In build 17120, users can now turn on a feature to download files from their WDAG Microsoft Edge browsing session onto the host file system.

After this policy (feature) is enabled, users can download files from their Windows Defender Application Guard Edge session to their Downloads folder and open all files on the host. The files from Application Guard will be saved in a folder called Untrusted Files nested inside the Downloads folder. This folder is created automatically when the user first downloads a file from Application Guard after enabling the policy.

Notes:
  • This feature is off by default.
  • Users will need to assess the files they downloaded and assume any risks of opening on the host.

Requirements:

This tutorial will show you how to enable or disable the ability to download files from within a Windows Defender Application Guard Microsoft Edge session to the host for all users in Windows 10 Pro and Windows 10 Enterprise.

You must be signed in as an administrator to enable or disable the ability to download files from within a Windows Defender Application Guard Microsoft Edge session to the host operating system.

Microsoft Defender Application Guard, including the Windows Isolated App Launcher APIs, is being deprecated for Microsoft Edge for Business and will no longer be updated. Please download the Microsoft Edge For Business Security Whitepaper to learn more about Edge for Business security capabilities.



 CONTENTS:

  • Option One: Enable or Disable Download to Host from WDAG Microsoft Edge session in Local Group Policy Editor
  • Option Two: Enable or Disable Download to Host from WDAG Microsoft Edge session using a REG file


EXAMPLE: Download to host from Windows Defender Application Guard Microsoft Edge session enabled and disabled
[Screenshots: Download to host enabled and disabled]






OPTION ONE

Enable or Disable Download to Host from WDAG Microsoft Edge session in Local Group Policy Editor


1. Open the Local Group Policy Editor.

2. Navigate to the location below in the left pane of the Local Group Policy Editor. (see screenshot below)

Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard

[Screenshot: Local Group Policy Editor]

3. In the right pane of Windows Defender Application Guard in Local Group Policy Editor, double click/tap on the Allow files to download and save to the host operating system from Windows Defender Application Guard policy to edit it. (see screenshot above)

4. Do step 5 (enable) or step 6 (disable) below for what you would like to do.


 5. To Enable Download to Host from WDAG Microsoft Edge session

A) Select (dot) Enabled, click/tap on OK, and go to step 7 below. (see screenshot below)


 6. To Disable Download to Host from WDAG Microsoft Edge session

A) Select (dot) Not Configured or Disabled, click/tap on OK, and go to step 7 below. (see screenshot below)

Not Configured is the default setting.

[Screenshot: Local Group Policy Editor]

7. Close the Local Group Policy Editor.

8. Restart the computer to apply.






OPTION TWO

Enable or Disable Download to Host from WDAG Microsoft Edge session using a REG file



The downloadable .reg files below will add and modify the DWORD value in the registry key below.

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI

SaveFilesToHost DWORD

(delete) = Disable
1 = Enable

1. Do step 2 (enable) or step 3 (disable) below for what you would like to do.


 2. To Enable Download to Host from WDAG Microsoft Edge session

A) Click/tap on the Download button below to download the file below, and go to step 4 below.

Enable_SaveFilesToHost_in_Windows_Defender_Application_Guard_Edge_session.reg

Download


 3. To Disable Download to Host from WDAG Microsoft Edge session

This is the default setting.

A) Click/tap on the Download button below to download the file below, and go to step 4 below.

Disable_SaveFilesToHost_in_Windows_Defender_Application_Guard_Edge_session.reg

Download

4. Save the .reg file to your desktop.

5. Double click/tap on the downloaded .reg file to merge it.

6. When prompted, click/tap on Run, Yes (UAC), Yes, and OK to approve the merge.

7. Restart the computer to apply.

8. If you like, you can now delete the downloaded .reg file.


That's it,
Shawn Brink
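
The registry change from Option Two, scripted in PowerShell as an added example (not part of the original tutorial and not the contents of its .reg files). The function names are hypothetical; the script assumes an elevated session, treats any data other than 1 as disabled, and assumes the Downloads folder is at its default location in the user profile.

```powershell
# Added example (not from the tutorial): audit and set the SaveFilesToHost policy value.
# Run from an elevated PowerShell session; restart afterwards, as the tutorial requires.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
$ValueName = 'SaveFilesToHost'

function Get-WdagSaveFilesToHost {
    # 'Enabled' only when the DWORD equals 1; a missing key or value is the default (disabled).
    # Assumption: any other data is reported as 'Disabled'.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item -and $item.$ValueName -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Set-WdagSaveFilesToHost {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Enable', 'Disable')]
        [string]$Action
    )
    if ($Action -eq 'Enable') {
        # The AppHVSI policy key may not exist yet on a machine with no WDAG policies set.
        if (-not (Test-Path -Path $PolicyKey)) {
            New-Item -Path $PolicyKey -Force | Out-Null
        }
        New-ItemProperty -Path $PolicyKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    }
    elseif (Test-Path -Path $PolicyKey) {
        # Disable = delete the value, matching "(delete) = Disable" above.
        Remove-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    }
    Get-WdagSaveFilesToHost
}

function Get-WdagUntrustedFile {
    # Lists files saved from Application Guard with SHA-256 hashes for review before opening.
    # Assumption: Downloads is at its default location under the current user's profile.
    $folder = Join-Path $env:USERPROFILE 'Downloads\Untrusted Files'
    if (-not (Test-Path -Path $folder)) { return @() }
    Get-ChildItem -Path $folder -File -Recurse |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash
}

# Report the current state without changing anything.
"SaveFilesToHost policy: $(Get-WdagSaveFilesToHost)"
Get-WdagUntrustedFile | Format-Table -AutoSize
```

Run as written, the script only reports; call `Set-WdagSaveFilesToHost -Action Enable` or `-Action Disable` to make the change.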