Starting with Windows 11, version 24H2, Microsoft Defender Application Guard, including the Windows Isolated App Launcher APIs, is no longer available.
Because Application Guard is deprecated, there will not be a migration to Edge Manifest V3. The corresponding browser extensions and the associated Microsoft Store app are no longer available. If you want to block unprotected browsers until you are ready to retire Application Guard (MDAG) usage in your enterprise, we recommend using AppLocker policies or the Microsoft Edge management service. For more information, see Microsoft Edge and Microsoft Defender Application Guard.
Microsoft Defender Application Guard is not supported on VMs or in VDI environments. For testing and automation on non-production machines, you can enable Application Guard inside a VM by enabling Hyper-V nested virtualization on the host.
Prepare for Microsoft Defender Application Guard
Before you can install and use Microsoft Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either Standalone or Enterprise-managed mode.
Standalone mode
Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the Application Guard in standalone mode testing scenario.
Standalone mode is applicable for:
Windows 10 Enterprise edition, version 1709 and later
Windows 10 Pro edition, version 1803 and later
Windows 10 Education edition, version 1809 and later
Windows 11 Enterprise, Education, or Pro editions
Enterprise-managed mode
You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser request for a non-enterprise domain into the isolated container.
Enterprise-managed mode is applicable for:
Windows 10 Enterprise edition, version 1709 and later
Windows 10 Education edition, version 1809 and later
Windows 11 Enterprise or Education editions
The following diagram shows the flow between the host PC and the isolated container.
Install Application Guard
Application Guard functionality is turned off by default. However, you can quickly install it on your employees' devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
Install from Control Panel
Open the Control Panel, select Programs, and then select Turn Windows features on or off.
Select the check box next to Microsoft Defender Application Guard and then select OK to install Application Guard and its underlying dependencies.
Install from PowerShell
Note
Ensure your devices meet all system requirements before this step. PowerShell installs the feature without checking system requirements; if a device does not meet them, Application Guard may not work. This method is recommended for enterprise-managed scenarios only.
Select the Search icon in the Windows taskbar and type PowerShell.
Right-click Windows PowerShell, and then select Run as administrator to open Windows PowerShell with administrator credentials.
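The following script is an added example and is not part of the original page. It performs the prerequisite checks that the note above warns PowerShell will not do for you, then enables the feature with Enable-WindowsOptionalFeature, the standard DISM cmdlet, using the optional-feature name Windows-Defender-ApplicationGuard. The 8 GB RAM and 5 GB free disk thresholds are Microsoft's published minimums for Application Guard; the build-number-to-version mapping, the function name Test-MdagPrerequisites and the variable names are this example's own assumptions. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original page): pre-flight checks before enabling
# Application Guard from PowerShell, because Enable-WindowsOptionalFeature does not
# validate hardware or edition requirements itself.
#Requires -RunAsAdministrator

$FeatureName = 'Windows-Defender-ApplicationGuard'   # optional-feature name used by DISM
$MinRamGB    = 8                                      # documented minimum RAM
$MinDiskGB   = 5                                      # documented minimum free disk

function Test-MdagPrerequisites {
    # Returns a list of human-readable problems; an empty list means the device qualifies.
    $problems = @()

    if (-not [Environment]::Is64BitOperatingSystem) {
        $problems += 'A 64-bit Windows installation is required.'
    }

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    # Edition/version gates from the page: Enterprise 1709+ (build 16299), Pro 1803+ (17134),
    # Education 1809+ (17763). Windows 11 builds (22000+) pass all three. Build mapping is
    # this example's assumption.
    switch -Wildcard ($os.Caption) {
        '*Enterprise*' { if ($build -lt 16299) { $problems += "Enterprise build $build is older than 1709." }; break }
        '*Education*'  { if ($build -lt 17763) { $problems += "Education build $build is older than 1809." }; break }
        '*Pro*'        { if ($build -lt 17134) { $problems += "Pro build $build is older than 1803." }; break }
        default        { $problems += "Edition '$($os.Caption)' is not supported by Application Guard." }
    }
    # Windows 11 24H2 (build 26100) and later no longer ship the feature at all.
    if ($build -ge 26100) { $problems += "Build $build is Windows 11 24H2 or later; Application Guard has been removed." }

    $ci = Get-ComputerInfo
    if ($ci.HyperVisorPresent) {
        # A hypervisor is already running (Hyper-V, VBS, or a nested-virtualization VM);
        # Windows does not report the HyperVRequirement* firmware properties in that case.
        Write-Verbose 'Hypervisor already present; skipping firmware virtualization checks.'
    } else {
        if (-not $ci.HyperVRequirementVirtualizationFirmwareEnabled)   { $problems += 'Virtualization (VT-x/AMD-V) is disabled in firmware.' }
        if (-not $ci.HyperVRequirementSecondLevelAddressTranslation)   { $problems += 'CPU lacks second-level address translation (SLAT).' }
        if (-not $ci.HyperVRequirementVMMonitorModeExtensions)         { $problems += 'CPU lacks VM monitor mode extensions.' }
        if (-not $ci.HyperVRequirementDataExecutionPreventionAvailable) { $problems += 'Hardware DEP is not available.' }
    }

    $ramGB = [math]::Round((Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory / 1GB, 1)
    if ($ramGB -lt $MinRamGB) { $problems += "Only $ramGB GB RAM installed; $MinRamGB GB required." }

    $sysDrive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')
    $freeGB   = [math]::Round($sysDrive.Free / 1GB, 1)
    if ($freeGB -lt $MinDiskGB) { $problems += "Only $freeGB GB free on $env:SystemDrive; $MinDiskGB GB required." }

    return $problems
}

$problems = Test-MdagPrerequisites
if ($problems.Count -gt 0) {
    Write-Warning 'Application Guard prerequisites are not met:'
    $problems | ForEach-Object { Write-Warning "  - $_" }
    exit 1
}

$state = (Get-WindowsOptionalFeature -Online -FeatureName $FeatureName).State
if ($state -eq 'Enabled') {
    Write-Host "$FeatureName is already enabled."
    exit 0
}

# Enable the feature and its dependencies (the same action as the Control Panel check box).
# -NoRestart defers the reboot; protection is not active until the device restarts.
$result = Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart
if ($result.RestartNeeded) {
    Write-Host "$FeatureName enabled; restart the device to activate the container."
} else {
    Write-Host "$FeatureName enabled."
}
```

The script refuses to enable the feature on a device that fails any check, which is the behaviour an enterprise rollout wants: a device that silently gets the feature without meeting the hardware requirements reports as "enabled" in inventory while the container never starts. The HyperVisorPresent branch matters for the nested-virtualization test setup mentioned above, where the firmware properties are not populated and would otherwise produce false failures.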
After an MDM policy that enables Application Guard is created and assigned, every device the policy applies to has Microsoft Defender Application Guard enabled. Users might have to restart their devices before protection is in place.