启用defender_如何为Microsoft Edge启用Windows Defender Application Guard

启用defender

Windows 10’s “Windows Defender Application Guard” feature runs the Microsoft Edge browser in an isolated, virtualized container. Even if a malicious website exploited a flaw in Edge, it couldn’t compromise your PC. Application Guard is disabled by default.

Windows 10的“ Windows Defender应用程序防护”功能在隔离的虚拟容器中运行Microsoft Edge浏览器。 即使恶意网站利用Edge中的漏洞，也不会损害您的PC。 默认情况下，Application Guard被禁用。

Starting with the April 2018 Update, anyone using Windows 10 Professional can now enable Application Guard. Previously, this feature was only available in Windows 10 Enterprise. If you have Windows 10 Home and want Application Guard, you’ll have to upgrade to Pro.

从2018年4月更新开始 ，使用Windows 10专业版的任何人现在都可以启用Application Guard。 以前，此功能仅在Windows 10 Enterprise中可用。 如果您拥有Windows 10 Home，并且需要Application Guard，则必须升级到Pro 。

系统要求 (System Requirements)

Windows Defender Application Guard, also known as Application Guard or WDAG, only works with the Microsoft Edge browser. When you enable this feature, Windows can run Edge in a protected, isolated container.

Windows Defender Application Guard，也称为Application Guard或WDAG，仅与Microsoft Edge浏览器一起使用。 启用此功能后，Windows可以在受保护的隔离容器中运行Edge。

Specifically, Windows is using Microsoft’s Hyper-V virtualization technology. That’s why Application Guard requires you have a PC with either Intel VT-X or AMD-V virtualization hardware. Microsoft also lists other system requirements, including a 64-bit CPU with at least 4 cores, 8 GB of RAM, and 5 GB of free space.

具体来说，Windows正在使用Microsoft的Hyper-V虚拟化技术 。 因此，Application Guard要求您有一台装有Intel VT-X或AMD-V虚拟化硬件的PC。 Microsoft还列出了其他系统要求 ，包括具有至少4个内核，8 GB RAM和5 GB可用空间的64位CPU。

如何启用Windows Defender应用程序防护 (How to Enable Windows Defender Application Guard)

To enable this feature, head to Control Panel > Programs > Turn Windows Features On or Off.

要启用此功能，请转到“控制面板”>“程序”>“打开或关闭Windows功能”。

Check the “Windows Defender Application Guard” option in the list here, and then click the “OK” button.

检查此处列表中的“ Windows Defender Application Guard”选项，然后单击“确定”按钮。

If you don’t see the option in this list, you’re either using a Home version of Windows 10 or you haven’t upgraded to the April 2018 Update yet.

如果在此列表中未看到该选项，则说明您使用的是Windows 10的家庭版，或者尚未升级到2018年4月更新。

If you see the option, but it’s grayed out, your PC doesn’t support this feature. You may not have a PC with Intel VT-x or AMD-V hardware, or you may need to enable Intel VT-X in your computer’s BIOS. The option will also be grayed out if you have less than 8 GB of RAM.

如果您看到该选项，但该选项显示为灰色，则表明您的PC不支持此功能。 您可能没有配备Intel VT-x或AMD-V硬件的PC，或者您可能需要在计算机的BIOS中启用Intel VT-X 。 如果您的RAM少于8 GB，该选项也会显示为灰色。

Windows will install the Windows Defender Application Guard feature. When it’s done, you’ll be prompted to restart your PC. You must restart your PC before you can use this feature.

Windows将安装Windows Defender Application Guard功能。 完成后，系统将提示您重新启动PC。 您必须先重新启动PC，然后才能使用此功能。

如何在Application Guard中启动Edge (How to Launch Edge in Application Guard)

Edge still runs in normal browsing mode by default, but you can now now open a secure browsing window protected with the Application Guard feature.

默认情况下，Edge仍默认在正常浏览模式下运行，但是现在您可以打开一个受Application Guard功能保护的安全浏览窗口。

To do so, first launch Microsoft Edge normally. In Edge, click Menu > New Application Guard Window.

为此，请首先正常启动Microsoft Edge。 在Edge中，单击菜单>新建Application Guard窗口。

A new, separate Microsoft Edge browser window opens. The orange “Application Guard” text at the top left corner of the window informs you that the browser window is secured with Application Guard.

将打开一个新的单独的Microsoft Edge浏览器窗口。 窗口左上角的橙色“ Application Guard”文本通知您浏览器窗口已由Application Guard保护。

You can open additional browser windows from here—even additional InPrivate windows for private browsing—and they’ll also have the orange “Application Guard” text.

您可以从此处打开其他浏览器窗口，甚至可以打开其他InPrivate窗口进行私人浏览，并且它们还带有橙色的“ Application Guard”文本。

The Application Guard window also has a separate taskbar icon from the normal Microsoft Edge browser icon. It features a blue Edge “e” logo with a gray shield icon over it.

Application Guard窗口还具有一个与常规Microsoft Edge浏览器图标分开的任务栏图标。 它具有蓝色的Edge“ e”徽标和其上方的灰色盾牌图标。

When you download and open some types of files, Edge may launch document viewers or other types of applications in Application Guard mode. If an application is running in Application Guard mode, you’ll see the same gray shield icon over its taskbar icon.

当您下载并打开某些类型的文件时，Edge可能会在Application Guard模式下启动文档查看器或其他类型的应用程序。 如果应用程序在“应用程序防护”模式下运行，则在其任务栏图标上将看到相同的灰色盾牌图标。

In Application Guard mode, you can’t use Edge’s Favorites or Reading list features. Any browser history you create will also be deleted when you sign out of your PC. All cookies from the current session will be cleared when you sing out of your PC, too. This means you’ll have to sign back into your websites every time you start using Application Guard mode.

在Application Guard模式下，您不能使用Edge的“收藏夹”或“阅读列表”功能。 当您退出PC时，您创建的所有浏览器历史记录也会被删除。 当您从计算机中唱歌时，也会清除当前会话中的所有cookie 。 这意味着您每次开始使用Application Guard模式时都必须重新登录网站。

Downloads are also limited. The isolated Edge browser can’t access your normal file system, so you can’t download files to your system or upload files from your normal folders to websites in Application Guard mode. You can’t download and open most types of files in Application Guard mode, including .exe files, although you can view PDFs and other types of documents. Files you download are stored in a special Application Guard file system, and are erased after you sign out of your PC.

下载也受到限制。 孤立的Edge浏览器无法访问您的常规文件系统，因此您无法在Application Guard模式下将文件下载到系统或将文件从常规文件夹上传到网站。 尽管可以查看PDF和其他类型的文档，但是您不能在Application Guard模式下下载和打开大多数类型的文件，包括.exe文件。 您下载的文件存储在特殊的Application Guard文件系统中，并且在退出PC后会被删除。

Other features, including copy and paste and printing, are also disabled for Application Guard windows.

Application Guard窗口也禁用了其他功能，包括复制，粘贴和打印。

Microsoft added some options to remove these limitations, if you like, but these are the default settings.

如果您愿意，Microsoft添加了一些选项来消除这些限制，但这是默认设置。

如何配置Windows Defender Application Guard (How to Configure Windows Defender Application Guard)

You can configure Windows Defender Application Guard and its limitations via Group Policy. If you’re using Application Guard on your own standalone Windows 10 Professional PC, you can launch the Local Group Policy Editor by pressing clicking Start, typing “gpedit.msc,” and then pressing Enter.

您可以通过组策略配置Windows Defender Application Guard及其限制。 如果您在自己的独立Windows 10 Professional PC上使用Application Guard，则可以通过以下方式启动本地组策略编辑器 ：单击“开始”，键入“ gpedit.msc”，然后按Enter。

(The Group Policy Editor isn’t available on Home editions of Windows 10, but neither is the Windows Defender Application Guard feature.)

(组策略编辑器在Windows 10的家庭版上不可用，但Windows Defender Application Guard功能也没有。)

Navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender Application Guard.

导航到“计算机配置”>“管理模板”>“ Windows组件”>“ Windows Defender Application Guard”。

To enable “data persistence” and let Application Guard save your favorites, browser history, and cookies, double-click the “Allow data persistence for Windows Defender Application Guard” setting here, select “Enabled,” and click “OK.” Application Guard won’t erase its data after you sign out of your PC.

要启用“数据持久性”并让Application Guard保存您的收藏夹，浏览器历史记录和cookie，请在此处双击“允许Windows Defender Application Guard的数据持久性”设置，选择“启用”，然后单击“确定”。 注销PC后，Application Guard不会删除其数据。

To let Edge download files to your normal system folders, double-click the “Allow files to download and save to the host operating system from Windows Defender Application Guard” setting, set it to “Enabled,” and click “OK.”

若要让Edge将文件下载到您的普通系统文件夹，请双击“允许文件从Windows Defender Application Guard下载并保存到主机操作系统”设置，将其设置为“ Enabled”，然后单击“ OK”。

Files you download in Application Guard mode will be saved to an “Untrusted Files” folder inside your Windows user account’s normal Downloads folder.

您在Application Guard模式下下载的文件将保存到Windows用户帐户的常规Downloads文件夹内的“ Untrusted Files”文件夹中。

To give Edge access to your normal system clipboard, double-click the “Configure Windows Defender Application Guard clipboard settings” option. Click “Enabled” and customize your clipboard settings using the instructions here. For example, you can enable clipboard operations from the Application Guard browser to the normal operating system, from the normal operating system to the Application Guard browser, or in both ways. You can also choose whether you want to allow text copying, image copying, or both. Click “OK” when you’re done.

要使Edge可以访问常规系统剪贴板，请双击“配置Windows Defender Application Guard剪贴板设置”选项。 单击“启用”，然后按照此处的说明自定义剪贴板设置。 例如，您可以启用从Application Guard浏览器到正常操作系统，从正常操作系统到Application Guard浏览器的剪贴板操作，或同时启用这两种方式。 您还可以选择是否要允许文本复制，图像复制或同时允许两者。 完成后，单击“确定”。

Microsoft recommends you don’t allow copying from your host operating system to the Application Guard session. If you do, a compromised Application Guard browser session could read data from your computer’s clipboard.

Microsoft建议您不允许从主机操作系统复制到Application Guard会话。 如果这样做，则受损的Application Guard浏览器会话可能会从计算机的剪贴板中读取数据。

To enable printing, double-click the “Configure Windows Defender Application Guard print settings” option. Click “Enabled” and customize your printer settings using the options here. For example, you could enter “4” to enable printing only to local printers, “2” to enable printing only to PDF files, or “6” to allow printing only to local printers and PDF files. Click “OK” when you’re done.

要启用打印，请双击“配置Windows Defender Application Guard打印设置”选项。 单击“启用”，然后使用此处的选项来自定义打印机设置。 例如，您可以输入“ 4”以仅允许在本地打印机上打印，输入“ 2”以仅允许在PDF文件上打印，或输入“ 6”仅允许向本地打印机和PDF文件打印。 完成后，单击“确定”。

If you enable printing to PDF or XPS files, Application Guard will allow you to save those files on the host operating system’s normal file system.

如果启用了打印到PDF或XPS文件的功能 ，Application Guard将允许您将那些文件保存在主机操作系统的普通文件系统上。

You must restart your PC after changing these settings. They won’t take effect until you do.

更改这些设置后，您必须重新启动PC。 直到您生效，它们才会生效。

Despite the Group Policy editor saying these settings require Windows 10 Enterprise, we found they worked perfectly fine on Windows 10 Professional with the April 2018 Update. Someone at Microsoft probably forgot to update the documentation.

尽管组策略编辑器说这些设置需要Windows 10企业版，但我们发现在2018年4月更新的Windows 10专业版上它们可以正常工作。 Microsoft的某人可能忘记了更新文档。

If you do need more information about what these group policy settings do, consult Microsoft’s Windows Defender Application Guard group policy documentation.

如果您确实需要更多有关这些组策略设置的信息，请查阅Microsoft的Windows Defender Application Guard组策略文档 。

And, if you’re interested in Windows 10 security features, be sure to take a look at Controlled Folder Access, which helps protect your files from ransomware. This feature is also disabled by default.

而且，如果您对Windows 10安全功能感兴趣，请务必查看受控文件夹访问 ，它有助于保护您的文件免遭勒索软件的侵害。 默认情况下也禁用此功能。

翻译自: https://www.howtogeek.com/357937/how-to-enable-windows-defender-application-guard-for-microsoft-edge/

启用defender