Microsoft Defender Application Guard overview
Article • 12/18/2023 • Applies to: ✅ Windows 11, ✅ Windows 10

Note

Microsoft Defender Application Guard, including the Windows Isolated App
Launcher APIs, will be deprecated for Microsoft Edge for Business and will no
longer be updated. Please download the Microsoft Edge For Business Security
Whitepaper to learn more about Edge for Business security capabilities.

Microsoft Defender Application Guard (MDAG) is designed to help prevent old and
newly emerging attacks to help keep employees productive. Using our unique hardware
isolation approach, our goal is to destroy the playbook that attackers use by making
current attack methods obsolete.

What is Application Guard and how does it work?
For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted
sites, protecting your company while your employees browse the Internet. As an
enterprise administrator, you define what is among trusted web sites, cloud resources,
and internal networks. Everything not on your list is considered untrusted. If an
employee goes to an untrusted site through either Microsoft Edge or Internet Explorer,
Microsoft Edge opens the site in an isolated Hyper-V-enabled container.

For Microsoft Office, Application Guard helps prevent untrusted Word, PowerPoint and
Excel files from accessing trusted resources. Application Guard opens untrusted files in
an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from
the host operating system. This container isolation means that if the untrusted site or
file turns out to be malicious, the host device is protected, and the attacker can't get to
your enterprise data. For example, this approach makes the isolated container
anonymous, so an attacker can't get to your employee's enterprise credentials.

What types of devices should use Application Guard?
Application Guard has been created to target several types of devices:

Enterprise desktops. These desktops are domain-joined and managed by your
organization. Configuration management is primarily done through Microsoft
Configuration Manager or Microsoft Intune. Employees typically have Standard
User privileges and use a high-bandwidth, wired, corporate network.

Enterprise mobile laptops. These laptops are domain-joined and managed by your
organization. Configuration management is primarily done through Microsoft
Configuration Manager or Microsoft Intune. Employees typically have Standard
User privileges and use a high-bandwidth, wireless, corporate network.

Bring your own device (BYOD) mobile laptops. These personally owned laptops
aren't domain-joined, but are managed by your organization through tools, such
as Microsoft Intune. The employee is typically an admin on the device and uses a
high-bandwidth wireless corporate network while at work and a comparable
personal network while at home.

Personal devices. These personally owned desktops or mobile laptops aren't
domain-joined or managed by an organization. The user is an admin on the device
and uses a high-bandwidth wireless personal network while at home or a
comparable public network while outside.

Windows edition and licensing requirements


The following table lists the Windows editions that support Microsoft Defender
Application Guard (MDAG) for Edge standalone mode:

Windows Pro: Yes
Windows Enterprise: Yes
Windows Pro Education/SE: Yes
Windows Education: Yes

Microsoft Defender Application Guard (MDAG) for Edge standalone mode license
entitlements are granted by the following licenses:

Windows Pro/Pro Education/SE: Yes
Windows Enterprise E3: Yes
Windows Enterprise E5: Yes
Windows Education A3: Yes
Windows Education A5: Yes

For more information about Windows licensing, see Windows licensing overview.

For more information about Microsoft Defender Application Guard (MDAG) for Edge
enterprise mode, see Configure Microsoft Defender Application Guard policy settings.

Related articles

System requirements for Microsoft Defender Application Guard
    Specifies the prerequisites necessary to install and use Application Guard.

Prepare and install Microsoft Defender Application Guard
    Provides instructions about determining which mode to use, either Standalone
    or Enterprise-managed, and how to install Application Guard in your
    organization.

Configure the Group Policy settings for Microsoft Defender Application Guard
    Provides info about the available Group Policy and MDM settings.

Testing scenarios using Microsoft Defender Application Guard in your business or organization
    Provides a list of suggested testing scenarios that you can use to test
    Application Guard in your organization.

Microsoft Defender Application Guard Extension for web browsers
    Describes the Application Guard extension for Chrome and Firefox, including
    known issues, and a troubleshooting guide.

Microsoft Defender Application Guard for Microsoft Office
    Describes Application Guard for Microsoft Office, including minimum hardware
    requirements, configuration, and a troubleshooting guide.

Frequently asked questions - Microsoft Defender Application Guard
    Provides answers to frequently asked questions about Application Guard
    features, integration with the Windows operating system, and general
    configuration.

Use a network boundary to add trusted sites on Windows devices in Microsoft Intune
    Network boundary, a feature that helps you protect your environment from
    sites that aren't trusted by your organization.

System requirements for Microsoft Defender Application Guard
Article • 12/18/2023 • Applies to: ✅ Windows 11, ✅ Windows 10

The threat landscape is continually evolving. While hackers are busy developing new
techniques to breach enterprise networks by compromising workstations, phishing
schemes remain one of the top ways to lure employees into social engineering attacks.
Microsoft Defender Application Guard is designed to help prevent old and newly
emerging attacks, to help keep employees productive.

Note

Given the technological complexity, the security promise of Microsoft Defender
Application Guard (MDAG) may not hold true on VMs and in VDI environments.
Hence, MDAG is currently not officially supported on VMs and in VDI environments.
However, for testing and automation purposes on non-production machines, you
may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host.

Hardware requirements
Your environment must have the following hardware to run Microsoft Defender
Application Guard.

Note

Application Guard currently isn't supported on Windows 11 ARM64 devices.


64-bit CPU
    A 64-bit computer with minimum four cores (logical processors) is
    required for hypervisor and virtualization-based security (VBS). For more
    info about Hyper-V, see Hyper-V on Windows Server 2016 or
    Introduction to Hyper-V on Windows 10. For more info about hypervisor,
    see Hypervisor Specifications.

CPU virtualization extensions
    Extended page tables, also called Second Level Address Translation (SLAT)
    AND
    One of the following virtualization extensions for VBS:
    VT-x (Intel)
    OR
    AMD-V

Hardware memory
    Microsoft requires a minimum of 8-GB RAM

Hard disk
    5-GB free space, solid state disk (SSD) recommended

Input/Output Memory Management Unit (IOMMU) support
    Not required, but recommended

Software requirements
Your environment must have the following software to run Microsoft Defender
Application Guard.


Operating system
    Windows 10 Enterprise or Education editions, version 1809 or later
    Windows 10 Professional edition, version 1809 or later (only standalone
    mode is supported)
    Windows 11 Education or Enterprise editions
    Windows 11 Professional edition (only Standalone mode is supported)

Browser
    Microsoft Edge

Management system (only for managed devices)
    Microsoft Intune
    OR
    Microsoft Configuration Manager
    OR
    Group Policy
    OR
    Your current, company-wide, non-Microsoft mobile device management
    (MDM) solution. For info about non-Microsoft MDM solutions, see the
    documentation that came with your product.

Prepare to install Microsoft Defender Application Guard
Article • 12/18/2023 • Applies to: ✅ Windows 11, ✅ Windows 10

Before you continue, see System requirements for Microsoft Defender Application
Guard for the hardware and software installation requirements for Microsoft
Defender Application Guard.

Note

Microsoft Defender Application Guard is not supported on VMs and in VDI
environments. For testing and automation on non-production machines, you may
enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.

Prepare for Microsoft Defender Application Guard
Before you can install and use Microsoft Defender Application Guard, you must
determine which way you intend to use it in your enterprise. You can use Application
Guard in either Standalone or Enterprise-managed mode.

Standalone mode
Employees can use hardware-isolated browsing sessions without any administrator or
management policy configuration. In this mode, you must install Application Guard and
then the employee must manually start Microsoft Edge in Application Guard while
browsing untrusted sites. For an example of how this works, see the Application Guard
in standalone mode testing scenario.

Standalone mode is applicable for:


Windows 10 Enterprise edition, version 1709 and later
Windows 10 Pro edition, version 1803 and later
Windows 10 Education edition, version 1809 and later
Windows 11 Enterprise, Education, or Pro editions

Enterprise-managed mode
You and your security department can define your corporate boundaries by explicitly
adding trusted domains and by customizing the Application Guard experience to meet
and enforce your needs on employee devices. Enterprise-managed mode also
automatically redirects any browser request for a non-enterprise domain into
the container.

Enterprise-managed mode is applicable for:

Windows 10 Enterprise edition, version 1709 and later


Windows 10 Education edition, version 1809 and later
Windows 11 Enterprise or Education editions

The following diagram shows the flow between the host PC and the isolated container.

Install Application Guard
Application Guard functionality is turned off by default. However, you can quickly install
it on your employee's devices through the Control Panel, PowerShell, or your mobile
device management (MDM) solution.

Install from Control Panel


1. Open the Control Panel, select Programs, and then select Turn Windows features
on or off.

2. Select the check box next to Microsoft Defender Application Guard and then
select OK to install Application Guard and its underlying dependencies.

Install from PowerShell

Note

Ensure your devices have met all system requirements prior to this step. PowerShell
will install the feature without checking system requirements. If your devices don't
meet the system requirements, Application Guard may not work. This step is
recommended for enterprise managed scenarios only.

1. Select the Search icon in the Windows taskbar and type PowerShell.

2. Right-click Windows PowerShell, and then select Run as administrator to open
Windows PowerShell with administrator credentials.

3. Type the following command:

PowerShell

Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard

4. Restart the device to install Application Guard and its underlying dependencies.
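
Because PowerShell installs the feature without checking system requirements, the following added example (not part of the original documentation) checks the documented minimums first and enables the feature only when none of them fails. The function names, the WMI properties used to detect virtualization support, and the use of build 17763 for Windows 10 version 1809 are choices made for this example.

```powershell
# Added example: check the documented minimums, then enable the feature.
# Run in an elevated Windows PowerShell session.

function New-MdagCheck {
    param([string]$Name, [string]$Status, [string]$Detail)
    [pscustomobject]@{ Check = $Name; Status = $Status; Detail = $Detail }
}

function Get-PassFail {
    param([bool]$Ok)
    if ($Ok) { 'Pass' } else { 'Fail' }
}

function Test-MdagPrerequisite {
    param(
        # Defaults come from the hardware and software requirements tables.
        [int]$MinLogicalProcessors = 4,      # four cores (logical processors)
        [int]$MinMemoryGB          = 8,      # 8-GB RAM
        [int]$MinFreeDiskGB        = 5,      # 5-GB free space
        [int]$MinBuild             = 17763   # Windows 10 version 1809
    )

    $cpus = @(Get-CimInstance -ClassName Win32_Processor)
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $ram  = Get-CimInstance -ClassName Win32_PhysicalMemory
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

    $logical = ($cpus | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
    # Installed RAM from the memory modules; usable RAM reads slightly lower.
    $memGB   = [math]::Round(($ram | Measure-Object -Property Capacity -Sum).Sum / 1GB, 1)
    $freeGB  = [math]::Round($disk.FreeSpace / 1GB, 1)
    $build   = [int]$os.BuildNumber

    # Win32_Processor.Architecture value 9 means x64; ARM64 is not supported.
    New-MdagCheck '64-bit x64 CPU' (Get-PassFail ($cpus[0].Architecture -eq 9)) `
        "Architecture code $($cpus[0].Architecture)"

    New-MdagCheck 'Logical processors' (Get-PassFail ($logical -ge $MinLogicalProcessors)) `
        "$logical found, $MinLogicalProcessors required"

    New-MdagCheck 'Installed memory' (Get-PassFail ($memGB -ge $MinMemoryGB)) `
        "$memGB GB found, $MinMemoryGB GB required"

    New-MdagCheck 'Free disk space' (Get-PassFail ($freeGB -ge $MinFreeDiskGB)) `
        "$freeGB GB free on $($env:SystemDrive), $MinFreeDiskGB GB required"

    New-MdagCheck 'Windows build' (Get-PassFail ($build -ge $MinBuild)) `
        "$($os.Caption), build $build"

    if ($cs.HypervisorPresent) {
        # Assumption of this example: once a hypervisor is running, the CPU
        # flags below are not reliable, and the device may itself be a VM,
        # which the documentation does not support. Leave it to the admin.
        New-MdagCheck 'SLAT and VT-x/AMD-V' 'Review' `
            'Hypervisor already present; confirm this is physical hardware'
    }
    else {
        $slat = $cpus[0].SecondLevelAddressTranslationExtensions
        $vmx  = $cpus[0].VMMonitorModeExtensions
        $fw   = $cpus[0].VirtualizationFirmwareEnabled
        New-MdagCheck 'SLAT and VT-x/AMD-V' (Get-PassFail ($slat -and $vmx)) `
            "SLAT=$slat, virtualization extensions=$vmx, enabled in firmware=$fw"
    }
}

$feature = 'Windows-Defender-ApplicationGuard'   # feature name from the step above
$checks  = @(Test-MdagPrerequisite)
$checks | Format-Table -AutoSize

if ($checks.Status -contains 'Fail') {
    Write-Warning 'Requirements not met; the feature was not enabled.'
}
elseif ($checks.Status -contains 'Review') {
    Write-Warning 'Resolve the Review items manually before enabling the feature.'
}
elseif ((Get-WindowsOptionalFeature -Online -FeatureName $feature).State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart
    Write-Host 'Feature enabled. Restart the device to finish the installation.'
}
else {
    Write-Host 'Application Guard is already enabled.'
}
```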

Install from Intune

Important

Make sure your organization's devices meet requirements and are enrolled in
Intune.

1. Sign in to the Microsoft Intune admin center.

2. Select Endpoint security > Attack surface reduction > Create Policy, and do the
following:

In the Platform list, select Windows 10 and later.


In the Profile type, select App and browser isolation.
Select Create.

3. In the Basics tab, specify the Name and Description for the policy. Select Next.

4. In the Configuration settings tab, configure the Application Guard settings, as
desired. Select Next.

5. In the Scope tags tab, if your organization is using scope tags, choose + Select
scope tags, and then select the tags you want to use. Select Next.
To learn more about scope tags, see Use role-based access control (RBAC) and
scope tags for distributed IT.

6. In the Assignments page, select the users or groups that will receive the policy.
Select Next.

To learn more about assigning policies, see Assign policies in Microsoft Intune.

7. Review your settings, and then select Create.

After the policy is created, any devices to which the policy should apply will have
Microsoft Defender Application Guard enabled. Users might have to restart their devices
in order for protection to be in place.

Configure Microsoft Defender Application Guard policy settings
Article • 12/12/2023 • Applies to: ✅ Windows 11, ✅ Windows 10

Microsoft Defender Application Guard (Application Guard) works with Group Policy to
help you manage your organization's computer settings. By using Group Policy, you can
configure a setting once, and then copy it onto many computers. For example, you can
set up multiple security settings in a Group Policy Object, which is linked to a domain,
and then apply all those settings to every endpoint in the domain.

Application Guard uses both network isolation and application-specific settings.

Windows edition and licensing requirements


The following table lists the Windows editions that support Microsoft Defender
Application Guard (MDAG) for Edge enterprise mode and enterprise management:

Windows Pro: No
Windows Enterprise: Yes
Windows Pro Education/SE: No
Windows Education: Yes

Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise
management license entitlements are granted by the following licenses:

Windows Pro/Pro Education/SE: No
Windows Enterprise E3: Yes
Windows Enterprise E5: Yes
Windows Education A3: Yes
Windows Education A5: Yes


For more information about Windows licensing, see Windows licensing overview.

For more information about Microsoft Defender Application Guard (MDAG) for Edge in
stand-alone mode, see Microsoft Defender Application Guard overview.

Network isolation settings


These settings, located at
Computer Configuration\Administrative Templates\Network\Network Isolation,
help you define and manage your organization's network boundaries. Application
Guard uses this information to automatically transfer any requests to access the
non-corporate resources into the Application Guard container.

Note

For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have
KB5014668 installed, you don't need to configure network isolation policy to
enable Application Guard for Microsoft Edge in managed mode.

Note

You must configure either the Enterprise resource domains hosted in the cloud or
Private network ranges for apps settings on your employee devices to successfully
turn on Application Guard using enterprise mode. Proxy servers must be a neutral
resource listed in the Domains categorized as both work and personal policy.


Private network ranges for apps
    Supported versions: At least Windows Server 2012, Windows 8, or Windows RT
    Description: A comma-separated list of IP address ranges that are in
    your corporate network. Included endpoints or endpoints that are included
    within a specified IP address range, are rendered using Microsoft Edge and
    won't be accessible from the Application Guard environment.

Enterprise resource domains hosted in the cloud
    Supported versions: At least Windows Server 2012, Windows 8, or Windows RT
    Description: A pipe-separated ( | ) list of your domain cloud
    resources. Included endpoints are rendered using Microsoft Edge and won't
    be accessible from the Application Guard environment.
    This list supports the wildcards detailed in the Network isolation
    settings wildcards table.

Domains categorized as both work and personal
    Supported versions: At least Windows Server 2012, Windows 8, or Windows RT
    Description: A comma-separated list of domain names used as both
    work or personal resources. Included endpoints are rendered using
    Microsoft Edge and will be accessible from the Application Guard and
    regular Edge environment.
    This list supports the wildcards detailed in the Network isolation
    settings wildcards table.

Network isolation settings wildcards


Value: contoso.com
    Number of dots to the left: 0
    Meaning: Trust only the literal value of contoso.com.

Value: www.contoso.com
    Number of dots to the left: 0
    Meaning: Trust only the literal value of www.contoso.com.

Value: .contoso.com
    Number of dots to the left: 1
    Meaning: Trust any domain that ends with the text contoso.com.
    Matching sites include spearphishingcontoso.com, contoso.com, and
    www.contoso.com.

Value: ..contoso.com
    Number of dots to the left: 2
    Meaning: Trust all levels of the domain hierarchy that are to the left of
    the dot. Matching sites include shop.contoso.com, us.shop.contoso.com,
    www.us.shop.contoso.com, but NOT contoso.com itself.
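
The following added example (not part of the original documentation) implements the three matching rules from the wildcard table and audits a policy value for entries that also match unrelated host names ending in the same text. The function names, the constructed probe host names, and the sample policy string are assumptions made for illustration; only the leading-dot forms listed in the table are covered.

```powershell
# Added example: evaluate Network Isolation wildcard entries as described in
# the wildcard table (0, 1 or 2 leading dots).

function Test-NetworkIsolationEntry {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$Entry
    )
    $ordinal = [System.StringComparison]::Ordinal
    $h = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    $e = $Entry.Trim().ToLowerInvariant()

    if ($e.StartsWith('..', $ordinal)) {
        # Two dots: every level to the left of the dot, not the domain itself.
        return $h.EndsWith('.' + $e.Substring(2), $ordinal)
    }
    if ($e.StartsWith('.', $ordinal)) {
        # One dot: any host name that ends with the text after the dot.
        return $h.EndsWith($e.Substring(1), $ordinal)
    }
    # No leading dot: literal match only.
    return [string]::Equals($h, $e, $ordinal)
}

function Get-NetworkIsolationEntryAudit {
    param(
        [Parameter(Mandatory)][string]$PolicyValue,
        # '|' for Enterprise resource domains hosted in the cloud,
        # ',' for Domains categorized as both work and personal.
        [string]$Separator = '|'
    )
    foreach ($raw in ($PolicyValue -split [regex]::Escape($Separator))) {
        $entry = $raw.Trim()
        if (-not $entry) { continue }

        $base = $entry.TrimStart('.')
        $dots = $entry.Length - $base.Length

        # Constructed probe host names derived from the entry itself.
        $subdomain = "sub.$base"
        $lookalike = "lookalike$base"   # unrelated registrable domain, same ending

        $matchesLookalike = Test-NetworkIsolationEntry -HostName $lookalike -Entry $entry
        [pscustomobject]@{
            Entry            = $entry
            LeadingDots      = $dots
            MatchesBase      = Test-NetworkIsolationEntry -HostName $base -Entry $entry
            MatchesSubdomain = Test-NetworkIsolationEntry -HostName $subdomain -Entry $entry
            MatchesLookalike = $matchesLookalike
            # Derived from the table: '..base' plus the literal 'base' covers the
            # domain and its subdomains without the suffix-only match.
            Suggestion       = if ($matchesLookalike) { "..$base$Separator$base" } else { '' }
        }
    }
}

# Constructed sample policy value built from the entries in the wildcard table.
$policy = 'contoso.com|www.contoso.com|.contoso.com|..contoso.com'
Get-NetworkIsolationEntryAudit -PolicyValue $policy | Format-Table -AutoSize

# Host names quoted in the table, checked against the one-dot and two-dot forms.
$tableHosts = 'contoso.com', 'www.contoso.com', 'spearphishingcontoso.com',
              'shop.contoso.com', 'us.shop.contoso.com', 'www.us.shop.contoso.com'
foreach ($name in $tableHosts) {
    [pscustomobject]@{
        HostName = $name
        OneDot   = Test-NetworkIsolationEntry -HostName $name -Entry '.contoso.com'
        TwoDots  = Test-NetworkIsolationEntry -HostName $name -Entry '..contoso.com'
    }
}
```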

Application-specific settings
These settings, located at
Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard,
can help you to manage your organization's implementation of Application Guard.


Configure Microsoft Defender Application Guard clipboard settings
    Supported versions:
        Windows 10 Enterprise, 1709 or higher
        Windows 10 Education, 1809 or higher
        Windows 11 Enterprise and Education
    Description: Determines whether Application Guard can use the clipboard
    functionality.
    Options:
        Enabled. This is effective only in managed mode. Turns on the clipboard
        functionality and lets you choose whether to additionally:
        - Disable the clipboard functionality completely when Virtualization
          Security is enabled.
        - Enable copying of certain content from Application Guard into
          Microsoft Edge.
        - Enable copying of certain content from Microsoft Edge into
          Application Guard.
          Important: Allowing copied content to go from Microsoft Edge into
          Application Guard can cause potential security risks and isn't
          recommended.

        Disabled or not configured. Completely turns off the clipboard
        functionality for Application Guard.

Configure Microsoft Defender Application Guard print settings
    Supported versions:
        Windows 10 Enterprise, 1709 or higher
        Windows 10 Education, 1809 or higher
        Windows 11 Enterprise and Education
    Description: Determines whether Application Guard can use the print
    functionality.
    Options:
        Enabled. This is effective only in managed mode. Turns on the print
        functionality and lets you choose whether to additionally:
        - Enable Application Guard to print into the XPS format.
        - Enable Application Guard to print into the PDF format.
        - Enable Application Guard to print to locally attached printers.
        - Enable Application Guard to print from previously connected network
          printers. Employees can't search for other printers.

        Disabled or not configured. Completely turns off the print
        functionality for Application Guard.

Allow Persistence
    Supported versions:
        Windows 10 Enterprise, 1709 or higher
        Windows 10 Education, 1809 or higher
        Windows 11 Enterprise and Education
    Description: Determines whether data persists across different sessions
    in Microsoft Defender Application Guard.
    Options:
        Enabled. This is effective only in managed mode. Application Guard
        saves user-downloaded files and other items (such as, cookies,
        Favorites, and so on) for use in future Application Guard sessions.

        Disabled or not configured. All user data within Application Guard is
        reset between sessions.

        NOTE: If you later decide to stop supporting data persistence for your
        employees, you can use our Windows-provided utility to reset the
        container and to discard any personal data.

        To reset the container:
        1. Open a command-line program and navigate to Windows/System32.
        2. Type wdagtool.exe cleanup. The container environment is reset,
           retaining only the employee-generated data.
        3. Type wdagtool.exe cleanup RESET_PERSISTENCE_LAYER. The container
           environment is reset, including discarding all employee-generated
           data.

Turn on Microsoft Defender Application Guard in Managed Mode
    Supported versions:
        Windows 10 Enterprise, 1709 or higher
        Windows 10 Education, 1809 or higher
        Windows 11 Enterprise and Education
    Description: Determines whether to turn on Application Guard for
    Microsoft Edge and Microsoft Office.
    Options:
        Enabled. Turns on Application Guard for Microsoft Edge and/or Microsoft
        Office, honoring the network isolation settings, rendering untrusted
        content in the Application Guard container. Application Guard won't
        actually be turned on unless the required prerequisites and network
        isolation settings are already set on the device.
        Available options:
        - Enable Microsoft Defender Application Guard only for Microsoft Edge
        - Enable Microsoft Defender Application Guard only for Microsoft Office
        - Enable Microsoft Defender Application Guard for both Microsoft Edge
          and Microsoft Office

        Disabled. Turns off Application Guard, allowing all apps to run in
        Microsoft Edge and Microsoft Office.

        Note: For Windows 10, if you have KB5014666 installed, and for
        Windows 11, if you have KB5014668 installed, you are no longer required
        to configure network isolation policy to enable Application Guard for
        Edge.

Allow files to download to host operating system
    Supported versions:
        Windows 10 Enterprise or Pro, 1803 or higher
        Windows 10 Education, 1809 or higher
        Windows 11 Enterprise or Pro or Education
    Description: Determines whether to save downloaded files to the host
    operating system from the Microsoft Defender Application Guard container.
    Options:
        Enabled. Allows users to save downloaded files from the Microsoft
        Defender Application Guard container to the host operating system.
        This action creates a share between the host and container that also
        allows for uploads from the host to the Application Guard container.

        Disabled or not configured. Users aren't able to save downloaded files
        from Application Guard to the host operating system.

Allow hardware-accelerated rendering for Microsoft Defender Application Guard
    Supported versions:
        Windows 10 Enterprise, 1709 or higher
        Windows 10 Education, 1809 or higher
        Windows 11 Enterprise and Education
    Description: Determines whether Microsoft Defender Application Guard
    renders graphics using hardware or software acceleration.
    Options:
        Enabled. This is effective only in managed mode. Microsoft Defender
        Application Guard uses Hyper-V to access supported, high-security
        rendering graphics hardware (GPUs). These GPUs improve rendering
        performance and battery life while using Microsoft Defender
        Application Guard, particularly for video playback and other
        graphics-intensive use cases. If this setting is enabled without
        connecting any high-security rendering graphics hardware, Microsoft
        Defender Application Guard will automatically revert to software-based
        (CPU) rendering.
        Important: Enabling this setting with potentially compromised graphics
        devices or drivers might pose a risk to the host device.

        Disabled or not configured. Microsoft Defender Application Guard uses
        software-based (CPU) rendering and won't load any third-party graphics
        drivers or interact with any connected graphics hardware.

Allow camera and microphone access in Microsoft Defender Application Guard
    Supported versions:
        Windows 10 Enterprise, 1709 or higher
        Windows 10 Education, 1809 or higher
        Windows 11 Enterprise and Education
    Description: Determines whether to allow camera and microphone access
    inside Microsoft Defender Application Guard.
    Options:
        Enabled. This is effective only in managed mode. Applications inside
        Microsoft Defender Application Guard are able to access the camera and
        microphone on the user's device.
        Important: Enabling this policy with a potentially compromised
        container could bypass camera and microphone permissions and access
        the camera and microphone without the user's knowledge.

        Disabled or not configured. Applications inside Microsoft Defender
        Application Guard are unable to access the camera and microphone on
        the user's device.

Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device
    Supported versions:
        Windows 10 Enterprise or Pro, 1809 or higher
        Windows 10 Education, 1809 or higher
        Windows 11 Enterprise or Pro
    Description: Determines whether Root Certificates are shared with
    Microsoft Defender Application Guard.
    Options:
        Enabled. Certificates matching the specified thumbprint are
        transferred into the container. Use a comma to separate multiple
        certificates.

        Disabled or not configured. Certificates aren't shared with Microsoft
        Defender Application Guard.

Allow auditing events in Microsoft Defender Application Guard
    Supported versions:
        Windows 10 Enterprise, 1709 or higher
        Windows 10 Education, 1809 or higher
        Windows 11 Enterprise and Education
    Description: This policy setting allows you to decide whether auditing
    events can be collected from Microsoft Defender Application Guard.
    Options:
        Enabled. This is effective only in managed mode. Application Guard
        inherits auditing policies from your device and logs system events
        from the Application Guard container to your host.

        Disabled or not configured. Event logs aren't collected from your
        Application Guard container.

Application Guard support dialog settings


These settings are located at
Administrative Templates\Windows Components\Windows Security\Enterprise Customization.
If an error is encountered, you're presented with a dialog box. By default, this
dialog box only contains the error information and a button for you to report it
to Microsoft via the feedback hub. However, it's possible to provide additional
information in the dialog box.

Use Group Policy to enable and customize contact information.

Application Guard testing scenarios
Article • 12/12/2023 • Applies to: ✅ Windows 11, ✅ Windows 10

We've come up with a list of scenarios that you can use to test hardware-based isolation
in your organization.

Application Guard in standalone mode


You can see how an employee would use standalone mode with Application Guard.

To test Application Guard in Standalone mode


1. Install Application Guard.

2. Restart the device, start Microsoft Edge, and then select New Application Guard
window from the menu.

3. Wait for Application Guard to set up the isolated environment.

Note

Starting Application Guard too quickly after restarting the device might cause
it to take a bit longer to load. However, subsequent starts should occur
without any perceivable delays.

4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the
new Microsoft Edge window, making sure you see the Application Guard visual
cues.

Application Guard in Enterprise-managed mode
How to install, set up, turn on, and configure Application Guard for Enterprise-managed
mode.

Install, set up, and turn on Application Guard


Before you can use Application Guard in managed mode, you must install Windows 10
Enterprise edition, version 1709, or Windows 11, which includes the functionality.
Then, you must use Group Policy to set up the required settings.

1. Install Application Guard.


2. Restart the device, and then start Microsoft Edge.

3. Set up the Network Isolation settings in Group Policy:

a. Select the Windows icon, type Group Policy, and then select Edit Group Policy.

b. Go to the Administrative Templates\Network\Network Isolation\Enterprise
resource domains hosted in the cloud setting.

c. For the purposes of this scenario, type .microsoft.com into the Enterprise cloud
resources box.

d. Go to the Administrative Templates\Network\Network Isolation\Domains
categorized as both work and personal setting.

e. For the purposes of this scenario, type bing.com into the Neutral resources box.

4. Go to the Computer Configuration\Administrative Templates\Windows
Components\Microsoft Defender Application Guard\Turn on Microsoft Defender
Application Guard in Managed Mode setting.

5. Select Enabled, choose Option 1, and select OK.


Note

Enabling this setting verifies that all the necessary settings are properly
configured on your employee devices, including the network isolation settings
set earlier in this scenario.

6. Start Microsoft Edge and type https://www.microsoft.com.

After you submit the URL, Application Guard determines the URL is trusted
because it uses the domain you've marked as trusted and shows the site directly
on the host PC instead of in Application Guard.

7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or
neutral site lists.

After you submit the URL, Application Guard determines the URL is untrusted and
redirects the request to the hardware-isolated environment.

Customize Application Guard


Application Guard lets you specify your configuration, allowing you to create the proper
balance between isolation-based security and productivity for your employees.

Application Guard provides the following default behavior for your employees:

No copying and pasting between the host PC and the isolated container.

No printing from the isolated container.

No data persistence from one isolated container to another isolated container.

You have the option to change each of these settings to work with your enterprise from
within Group Policy.

Applies to:

Windows 10 Enterprise or Pro editions, version 1803 or later


Windows 11 Enterprise or Pro editions

Copy and paste options


1. Go to the Computer Configuration\Administrative Templates\Windows
Components\Microsoft Defender Application Guard\Configure Microsoft
Defender Application Guard clipboard settings.

2. Select Enabled and select OK.


3. Choose how the clipboard works:

Copy and paste from the isolated session to the host PC

Copy and paste from the host PC to the isolated session

Copy and paste both directions

4. Choose what can be copied:

Only text can be copied between the host PC and the isolated container.

Only images can be copied between the host PC and the isolated container.

Both text and images can be copied between the host PC and the isolated
container.

5. Select OK.

Print options
1. Go to the Computer Configuration\Administrative Templates\Windows
Components\Microsoft Defender Application Guard\Configure Microsoft
Defender Application Guard print settings.

2. Select Enabled and select OK.

3. Based on the list provided in the setting, choose the number that best represents
what type of printing should be available to your employees. You can allow any
combination of local, network, PDF, and XPS printing.

4. Select OK.

Data persistence options

1. Go to the Computer Configuration\Administrative Templates\Windows
Components\Microsoft Defender Application Guard\Allow data persistence for
Microsoft Defender Application Guard setting.

2. Select Enabled and select OK.


3. Open Microsoft Edge and browse to an untrusted, but safe URL.

The website opens in the isolated session.

4. Add the site to your Favorites list and then close the isolated session.

5. Sign out and back in to your device, opening Microsoft Edge in Application Guard
again.

The previously added site should still appear in your Favorites list.

Note

Starting with Windows 11, version 22H2, data persistence is disabled by
default. If you don't allow or turn off data persistence, restarting a device or
signing in and out of the isolated container triggers a recycle event. This
action discards all generated data, such as session cookies and Favorites, and
removes the data from Application Guard. If you turn on data persistence, all
employee-generated artifacts are preserved across container recycle events.
However, these artifacts only exist in the isolated container and aren't shared
with the host PC. This data persists after restarts and even through build-to-
build upgrades of Windows 10 and Windows 11.

If you turn on data persistence, but later decide to stop supporting it for your
employees, you can use our Windows-provided utility to reset the container
and to discard any personal data.

To reset the container, follow these steps:


1. Open a command-line program and navigate to Windows/System32.
2. Type wdagtool.exe cleanup. The container environment is reset, retaining
only the employee-generated data.
3. Type wdagtool.exe cleanup RESET_PERSISTENCE_LAYER. The container
environment is reset, including discarding all employee-generated data.

Microsoft Edge version 90 or later no longer supports RESET_PERSISTENCE_LAYER.

Applies to:

Windows 10 Enterprise or Pro editions, version 1803


Windows 11 Enterprise or Pro editions, version 21H2. Data persistence is disabled
by default in Windows 11, version 22H2 and later.

Download options
1. Go to the Computer Configuration\Administrative Templates\Windows
Components\Microsoft Defender Application Guard\Allow files to download and
save to the host operating system from Microsoft Defender Application Guard
setting.

2. Select Enabled and select OK.


3. Sign out and back in to your device, opening Microsoft Edge in Application Guard
again.

4. Download a file from Microsoft Defender Application Guard.

5. Check to see the file has been downloaded into This PC > Downloads > Untrusted
files.

Hardware acceleration options

1. Go to the Computer Configuration\Administrative Templates\Windows
Components\Microsoft Defender Application Guard\Allow hardware-accelerated
rendering for Microsoft Defender Application Guard setting.

2. Select Enabled and select OK.


3. Once you have enabled this feature, open Microsoft Edge and browse to an
untrusted, but safe URL with video, 3D, or other graphics-intensive content. The
website opens in an isolated session.

4. Assess the visual experience and battery performance.

Camera and microphone options

1. Go to the Computer Configuration\Administrative Templates\Windows
Components\Microsoft Defender Application Guard\Allow camera and
microphone access in Microsoft Defender Application Guard setting.

2. Select Enabled and select OK.


3. Sign out and back in to your device, opening Microsoft Edge in Application Guard
again.

4. Open an application with video or audio capability in Edge.

5. Check that the camera and microphone work as expected.

Root certificate sharing options


1. Go to the Computer Configuration\Administrative Templates\Windows
Components\Microsoft Defender Application Guard\Allow Microsoft Defender
Application Guard to use Root Certificate Authorities from the user's device
setting.

2. Select Enabled, copy the thumbprint of each certificate to share, separated by a
comma, and select OK.

3. Sign out and back in to your device, opening Microsoft Edge in Application Guard
again.

Application Guard Extension for third-party web browsers
The Application Guard Extension available for Chrome and Firefox allows Application
Guard to protect users even when they are running a web browser other than Microsoft
Edge or Internet Explorer.

Once a user has the extension and its companion app installed on their enterprise
device, you can run through the following scenarios.

1. Open either Firefox or Chrome, whichever browser you have the extension installed
on.

2. Navigate to an organizational website. In other words, an internal website
maintained by your organization. You might see this evaluation page for an instant
before the site is fully loaded.

3. Navigate to a non-enterprise, external website, such as www.bing.com. The
site should be redirected to Microsoft Defender Application Guard Edge.

4. Open a new Application Guard window by selecting the Microsoft Defender
Application Guard icon, then New Application Guard Window.



Microsoft Defender Application Guard Extension
Article • 12/12/2023 • Applies to: ✅ Windows 11, ✅ Windows 10

Note

Microsoft Defender Application Guard, including the Windows Isolated App Launcher APIs, will be
deprecated for Microsoft Edge for Business and will no longer be updated. Please download the
Microsoft Edge For Business Security Whitepaper to learn more about Edge for Business security
capabilities.

Microsoft Defender Application Guard Extension is a web browser add-on available for Chrome and
Firefox.

Microsoft Defender Application Guard provides Hyper-V isolation on Windows 10 and Windows 11, to
protect users from potentially harmful content on the web. The extension helps Application Guard protect
users running other web browsers.

Tip

Application Guard, by default, offers native support to both Microsoft Edge and Internet Explorer.
These browsers do not need the extension described here for Application Guard to protect them.

Microsoft Defender Application Guard Extension defends devices in your organization from advanced
attacks, by redirecting untrusted websites to an isolated version of Microsoft Edge. If an untrusted
website turns out to be malicious, it remains within Application Guard's secure container, keeping the
device protected.

Prerequisites
Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version
1809 or later:

Windows 10 Professional
Windows 10 Enterprise
Windows 10 Education
Windows 11

Application Guard itself is required for the extension to work. It has its own set of requirements. Check the
Application Guard installation guide for further steps, if you don't have it installed already.

Installing the extension


Application Guard can be run under managed mode or standalone mode. The main difference between the
two modes is whether policies have been set to define the organization's boundaries.

Enterprise administrators running Application Guard under managed mode should first define Application
Guard's network isolation settings, so a set of enterprise sites is already in place.
From there, the steps for installing the extension are similar whether Application Guard is running in
managed or standalone mode.

1. On the local device, download and install the Application Guard extension for Google Chrome
and/or Mozilla Firefox.
2. Install the Microsoft Defender Application Guard companion app from the Microsoft Store. This
companion app enables Application Guard to work with web browsers other than Microsoft Edge or
Internet Explorer.
3. Restart the device.

Recommended browser group policies


Both Chrome and Firefox have their own browser-specific group policies. We recommend that admins use
the following policy settings.

Chrome policies
These policies can be found along the filepath Software\Policies\Google\Chrome\, with each policy name
corresponding to the file name. For example, IncognitoModeAvailability is located at
Software\Policies\Google\Chrome\IncognitoModeAvailability.


Policy name: IncognitoModeAvailability
Values: 0 = Enabled; 1 = Disabled; 2 = Forces pages to only open in Incognito mode
Recommended setting: Disabled
Reason: This policy allows users to start Chrome in Incognito mode. In this mode, all
extensions are turned off by default.

Policy name: BrowserGuestModeEnabled
Values: false or 0 = Disabled; true, 1, or not configured = Enabled
Recommended setting: Disabled
Reason: This policy allows users to sign in as Guest, which opens a session in Incognito
mode. In this mode, all extensions are turned off by default.

Policy name: BackgroundModeEnabled
Values: false or 0 = Disabled; true or 1 = Enabled. Note: If this policy isn't set, the user
can enable or disable background mode through local browser settings.
Recommended setting: Enabled
Reason: This policy keeps Chrome running in the background, ensuring that navigation is
always passed to the extension.

Policy name: ExtensionSettings
Values: This policy accepts a dictionary that configures multiple other management settings
for Chrome. See the Google Cloud documentation for complete schema.
Recommended setting: Include an entry for force_installed
Reason: This policy prevents users from manually removing the extension.

Firefox policies
These policies can be found along the filepath Software\Policies\Mozilla\Firefox\, with each policy name
corresponding to the file name. For example, DisableSafeMode is located at
Software\Policies\Mozilla\Firefox\DisableSafeMode.


Policy name: DisableSafeMode
Values: false or 0 = Safe mode is enabled; true or 1 = Safe mode is disabled
Recommended setting: The policy is enabled and Safe mode isn't allowed to run.
Reason: Safe mode can allow users to circumvent Application Guard

Policy name: BlockAboutConfig
Values: false or 0 = User access to about:config is allowed; true or 1 = User access to
about:config isn't allowed
Recommended setting: The policy is enabled and access to about:config isn't allowed.
Reason: About:config is a special page within Firefox that offers control over many settings
that may compromise security

Policy name: Extensions - Locked
Values: This setting accepts a list of UUIDs for extensions. (You can find these extensions by
searching extensions.webextensions.uuids within the about:config page)
Recommended setting: Software\Policies\Mozilla\Firefox\Extensions\Locked\1 =
"ApplicationGuardRel@microsoft.com"
Reason: This setting allows you to lock the extension, so the user can't disable or uninstall it.
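To check a device against the Chrome and Firefox recommendations above, the following PowerShell audit is an added example, not code from the original documentation. It assumes the policies are deployed machine-wide under HKLM (the page gives only the path below the hive), and it leaves out ExtensionSettings, whose dictionary value needs its own parsing; the function names are hypothetical.

```powershell
# Added example: report whether the recommended browser policies are in place.
# Assumption: policies live under HKLM; adjust the hive if you deploy per user.

$chromeKey  = 'HKLM:\Software\Policies\Google\Chrome'
$firefoxKey = 'HKLM:\Software\Policies\Mozilla\Firefox'

# Recommended values taken from the two policy tables on this page.
$checks = @(
    [pscustomobject]@{ Browser = 'Chrome';  Key = $chromeKey;  Name = 'IncognitoModeAvailability'; Want = 1 }  # 1 = Disabled
    [pscustomobject]@{ Browser = 'Chrome';  Key = $chromeKey;  Name = 'BrowserGuestModeEnabled';   Want = 0 }  # 0 = Disabled
    [pscustomobject]@{ Browser = 'Chrome';  Key = $chromeKey;  Name = 'BackgroundModeEnabled';     Want = 1 }  # 1 = Enabled
    [pscustomobject]@{ Browser = 'Firefox'; Key = $firefoxKey; Name = 'DisableSafeMode';           Want = 1 }  # Safe mode disabled
    [pscustomobject]@{ Browser = 'Firefox'; Key = $firefoxKey; Name = 'BlockAboutConfig';          Want = 1 }  # about:config blocked
)

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    # Returns $null when either the key or the value is missing.
    $regKey = Get-Item -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $regKey) { return $null }
    return $regKey.GetValue($Name)
}

function Test-FirefoxExtensionLocked {
    param([string]$ExtensionId)
    # The page shows the ID at index 1; this check accepts it at any index in the list.
    $regKey = Get-Item -Path "$firefoxKey\Extensions\Locked" -ErrorAction SilentlyContinue
    if ($null -eq $regKey) { return $false }
    $values = $regKey.GetValueNames() | ForEach-Object { $regKey.GetValue($_) }
    return $values -contains $ExtensionId
}

$report = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Key $c.Key -Name $c.Name
    [pscustomobject]@{
        Browser   = $c.Browser
        Policy    = $c.Name
        Expected  = $c.Want
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        # An unset policy counts as non-compliant: for BrowserGuestModeEnabled
        # "not configured" means Enabled, and an unset BackgroundModeEnabled
        # lets the user turn background mode off.
        Compliant = ($null -ne $actual) -and ($actual -eq $c.Want)
    }
}

$report += [pscustomobject]@{
    Browser   = 'Firefox'
    Policy    = 'Extensions - Locked'
    Expected  = 'ApplicationGuardRel@microsoft.com'
    Actual    = '<list>'
    Compliant = Test-FirefoxExtensionLocked -ExtensionId 'ApplicationGuardRel@microsoft.com'
}

$report | Format-Table -AutoSize
```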

Troubleshooting guide

Error message: Application Guard undetermined state
Cause: The extension was unable to communicate with the companion app during the last
information request.
Actions:
1. Install the companion app and reboot
2. If the companion app is already installed, reboot and see if that resolves the error
3. If you still see the error after rebooting, uninstall and reinstall the companion app
4. Check for updates in both the Microsoft store and the respective web store for the
affected browser

Error message: ExceptionThrown
Cause: An unexpected exception was thrown.
Actions:
1. File a bug
2. Retry the operation

Error message: Failed to determine if Application Guard is enabled
Cause: The extension was able to communicate with the companion app, but the information
request failed in the app.
Actions:
1. Restart the browser
2. Check for updates in both the Microsoft store and the respective web store for the
affected browser

Error message: Launch in WDAG failed with a companion communication error
Cause: The extension couldn't talk to the companion app, but was able to at the beginning of
the session. This error can be caused by the companion app being uninstalled while Chrome
was running.
Actions:
1. Make sure the companion app is installed
2. If the companion app is installed, reboot and see if that resolves the error
3. If you still see the error after rebooting, uninstall and reinstall the companion app
4. Check for updates in both the Microsoft store and the respective web store for the
affected browser

Error message: Main page navigation caught an unexpected error
Cause: An unexpected exception was thrown during the main page navigation.
Actions:
1. File a bug
2. Retry the operation

Error message: Process trust response failed with a companion communication error
Cause: The extension couldn't talk to the companion app, but was able to at the beginning of
the session. This error can be caused by the companion app being uninstalled while Chrome
was running.
Actions:
1. Make sure the companion app is installed.
2. If the companion app is installed, reboot and see if that resolves the error
3. If you still see the error after rebooting, uninstall and reinstall the companion app
4. Check for updates in both the Microsoft store and the respective web store for the
affected browser

Error message: Protocol out of sync
Cause: The extension and native app can't communicate with each other. This error is likely
caused by one being updated without supporting the protocol of the other.
Actions: Check for updates in both the Microsoft store, and the web store for the affected
browser

Error message: Security patch level doesn't match
Cause: Microsoft determined that there was a security issue with either the extension or the
companion app, and has issued a mandatory update.
Actions: Check for updates in both the Microsoft store, and the web store for the affected
browser

Error message: Unexpected response while processing trusted state
Cause: The extension was able to communicate with the companion app, but the API failed and
a failure response code was sent back to the extension.
Actions:
1. File a bug
2. Check if Microsoft Edge is working
3. Retry the operation

Related articles
Microsoft Defender Application Guard overview
Testing scenarios using Microsoft Defender Application Guard in your business or organization


Frequently asked questions - Microsoft Defender Application Guard
FAQ

Note

Microsoft Defender Application Guard, including the Windows Isolated App
Launcher APIs, will be deprecated for Microsoft Edge for Business and will no
longer be updated. Please download the Microsoft Edge For Business Security
Whitepaper to learn more about Edge for Business security capabilities.

This article lists frequently asked questions with answers for Microsoft Defender
Application Guard (Application Guard). Questions span features, integration with the
Windows operating system, and general configuration.

Frequently Asked Questions

Can I enable Application Guard on machines equipped with 4-GB RAM?
We recommend 8-GB RAM for optimal performance but you can use the following
registry DWORD values to enable Application Guard on machines that aren't meeting
the recommended hardware configuration.

HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount (Default is four cores.)

HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB (Default is 8 GB.)

HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB (Default is 5 GB.)

My network configuration uses a proxy and I’m running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that?
The manual or PAC server must be a hostname (not IP) that is neutral on the site-list.
Additionally, if the PAC script returns a proxy, it must meet those same requirements.

To ensure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy
servers the PAC file redirects to” are added as Neutral Resources in the Network
Isolation policies used by Application Guard, you can:

Verify this addition by going to edge://application-guard-internals/#utilities and
entering the FQDN for the pac/proxy in the “check url trust” field and verifying that
it says “Neutral.”

It must be an FQDN. A simple IP address won't work.

Optionally, if possible, the IP addresses associated with the server hosting the
above should be removed from the Enterprise IP Ranges in the Network Isolation
policies used by Application Guard.

How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
Application Guard requires proxies to have a symbolic name, not just an IP address. IP-
Literal proxy settings such as 192.168.1.4:81 can be annotated as itproxy:81 or using a
record such as P19216810010 for a proxy with an IP address of 192.168.100.10 . This
annotation applies to Windows 10 Enterprise edition, version 1709 or higher. These
annotations would be for the proxy policies under Network Isolation in Group Policy or
Intune.

Which Input Method Editors (IME) in 19H1 aren't supported?
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are
currently not supported in Microsoft Defender Application Guard:

Vietnam Telex keyboard
Vietnam number key-based keyboard
Hindi phonetic keyboard
Bangla phonetic keyboard
Marathi phonetic keyboard
Telugu phonetic keyboard
Tamil phonetic keyboard
Kannada phonetic keyboard
Malayalam phonetic keyboard
Gujarati phonetic keyboard
Odia phonetic keyboard
Punjabi phonetic keyboard

I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
This feature is currently experimental only and isn't functional without an extra registry
key provided by Microsoft. If you would like to evaluate this feature on a deployment of
Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to
enable the feature.

What is the WDAGUtilityAccount local account?
WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version
1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is
enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard
container as a standard user with a random password. It's NOT a malicious account. It
requires Logon as a service permissions to be able to function correctly. If this
permission is denied, you might see the following error:

Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error:
0x00000000 Location: 0x00000000

How do I trust a subdomain in my site list?
To trust a subdomain, you must precede your domain with two dots (..). For example:
..contoso.com ensures that mail.contoso.com or news.contoso.com are trusted. The first
dot represents the strings for the subdomain name (mail or news), and the second dot
recognizes the start of the domain name (contoso.com). These two dots prevent sites
such as fakesitecontoso.com from being trusted.
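The two-dot rule can be modelled as follows. This is an added example, not code from the original documentation and not the matcher Windows uses: Test-SiteListEntry and Test-NaiveSuffix are hypothetical helpers, the hosts are constructed samples, and the model covers only the subdomain case the answer describes (the page doesn't say whether the bare domain is covered, so it isn't matched here).

```powershell
# Added example: a simplified model of the "two dots" site-list rule,
# shown next to the plain suffix comparison that the two dots rule out.

function Test-SiteListEntry {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$Entry
    )
    $name = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    $rule = $Entry.Trim().ToLowerInvariant()

    if ($rule.StartsWith('..')) {
        # "..contoso.com": a subdomain name (first dot), then the dot that
        # starts the domain name (second dot), then the domain itself.
        $suffix = '.' + $rule.Substring(2)
        # There must be at least one character in front of the separating dot.
        return ($name.Length -gt $suffix.Length) -and $name.EndsWith($suffix)
    }

    # Entry without the two-dot prefix: exact host match only in this model.
    return $name -eq $rule
}

function Test-NaiveSuffix {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$Domain
    )
    # Plain string-suffix check with no label boundary.
    return $HostName.ToLowerInvariant().EndsWith($Domain.ToLowerInvariant())
}

# Constructed sample hosts.
$sampleHosts = @(
    'mail.contoso.com'
    'news.contoso.com'
    'fakesitecontoso.com'
    'contoso.com.example.net'
)

$sampleHosts | ForEach-Object {
    [pscustomobject]@{
        HostName    = $_
        TwoDotEntry = Test-SiteListEntry -HostName $_ -Entry '..contoso.com'
        NaiveSuffix = Test-NaiveSuffix -HostName $_ -Domain 'contoso.com'
    }
} | Format-Table -AutoSize
```

The row to look at is fakesitecontoso.com, where the two columns disagree: the suffix comparison accepts it and the two-dot entry does not.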

Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
When using Windows Pro or Windows Enterprise, you have access to using Application
Guard in Standalone Mode. However, when using Enterprise you have access to
Application Guard in Enterprise-Managed Mode. This mode has some extra features
that the Standalone Mode doesn't. For more information, see Prepare to install
Microsoft Defender Application Guard.

Is there a size limit to the domain lists that I need to configure?
Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains
that are categorized as both work and personal have a 16,383-byte limit.

Why does my encryption driver break Microsoft Defender Application Guard?
Microsoft Defender Application Guard accesses files from a VHD mounted on the host
that needs to be written during setup. If an encryption driver prevents a VHD from being
mounted or from being written to, Application Guard doesn't work and results in an
error message (0x80070013 ERROR_WRITE_PROTECT).

Why do the Network Isolation policies in Group Policy and CSP look different?
There's not a one-to-one mapping among all the Network Isolation policies between
CSP and GP. Mandatory network isolation policies to deploy Application Guard are
different between CSP and GP.

Mandatory network isolation GP policy to deploy Application Guard:
DomainSubnets or CloudResources

Mandatory network isolation CSP policy to deploy Application Guard:
EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)

For EnterpriseNetworkDomainNames, there's no mapped CSP policy.


Why did Application Guard stop working after I turned off hyperthreading?
If hyperthreading is disabled (because of an update applied through a KB article or
through BIOS settings), there's a possibility Application Guard no longer meets the
minimum requirements.

Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
Application Guard might not work correctly on NTFS compressed volumes. If this issue
persists, try uncompressing the volume.

Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
This issue is a known one. To mitigate this issue, you need to create two firewall rules.
For information about creating a firewall rule with Group Policy, see Configure Windows
Firewall rules with group policy.

First rule (DHCP Server)

Program path: %SystemRoot%\System32\svchost.exe

Local Service: Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177
(Internet Connection Service (SharedAccess))

Protocol UDP

Port 67

Second rule (DHCP Client)


This rule is the same as the first rule, but scoped to local port 68. In the Microsoft
Defender Firewall user interface go through the following steps:

1. Right-click on inbound rules, and then create a new rule.

2. Choose custom rule.

3. Specify the following program path: %SystemRoot%\System32\svchost.exe .

4. Specify the following settings:

Protocol Type: UDP


Specific ports: 67
Remote port: any

5. Specify any IP addresses.

6. Allow the connection.

7. Specify to use all profiles.

8. The new rule should show up in the user interface. Right click on the rule >
properties.

9. In the Programs and services tab, under the Services section, select settings.

10. Choose Apply to this Service and select Internet Connection Sharing (ICS) Shared
Access.
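The same two rules can be created from an elevated PowerShell session instead of the firewall user interface. This is an added example, not part of the original documentation; the rule display names are labels chosen here, and the ports, program path, and service come from the two rule descriptions above.

```powershell
# Added example: create the DHCP Server (UDP 67) and DHCP Client (UDP 68)
# inbound rules described above, scoped to svchost.exe and the ICS service.
# Run in an elevated session. Display names are labels chosen for this example.

# Settings shared by both rules, matching the steps in the firewall UI.
$common = @{
    Direction = 'Inbound'
    Action    = 'Allow'
    Profile   = 'Any'                                  # use all profiles
    Protocol  = 'UDP'
    Program   = '%SystemRoot%\System32\svchost.exe'
    Service   = 'SharedAccess'                         # Internet Connection Sharing (ICS)
}

$rules = @(
    @{ DisplayName = 'MDAG PAC fix - DHCP Server (UDP 67)'; LocalPort = 67 }
    @{ DisplayName = 'MDAG PAC fix - DHCP Client (UDP 68)'; LocalPort = 68 }
)

foreach ($rule in $rules) {
    # Skip creation when a rule with this name already exists, so the
    # script can be re-run without piling up duplicates.
    $existing = Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "Already present: $($rule.DisplayName)"
        continue
    }
    New-NetFirewallRule @common @rule | Out-Null
    Write-Host "Created: $($rule.DisplayName)"
}

# Read the rules back with their port, service, and program filters so the
# scoping can be confirmed rather than assumed.
Get-NetFirewallRule -DisplayName 'MDAG PAC fix*' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $svc  = $_ | Get-NetFirewallServiceFilter
    $app  = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Enabled   = $_.Enabled
        Protocol  = $port.Protocol
        LocalPort = $port.LocalPort
        Service   = $svc.Service
        Program   = $app.Program
    }
} | Format-Table -AutoSize
```

A rule that reads back with Service set to Any is broader than the one the steps describe and should be recreated with the service scope.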

How can I disable portions of Internet Connection Service (ICS) without breaking Application Guard?
ICS is enabled by default in Windows, and ICS must be enabled in order for Application
Guard to function correctly. We don't recommend disabling ICS; however, you can
disable ICS in part by using a Group Policy and editing registry keys.

1. In the Group Policy setting, Prohibit use of Internet Connection Sharing on your
DNS domain network, set it to Disabled.

2. Disable IpNat.sys from ICS load as follows:


System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1

3. Configure ICS (SharedAccess) to be enabled as follows:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3

4. (This step is optional) Disable IPNAT as follows:


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4

5. Reboot the device.

Why doesn't the container fully load when device control policies are enabled?
Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure
AppGuard works properly.

Policy: Allow installation of devices that match any of the following device IDs:

SCSI\DiskMsft____Virtual_Disk____

{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba
VMS_VSF

root\Vpcivsp

root\VMBus
vms_mp

VMS_VSP
ROOT\VKRNLINTVSP

ROOT\VID

root\storvsp
vms_vsmp
VMS_PP

Policy: Allow installation of devices using drivers that match these device setup classes

{71a27cdd-812a-11d0-bec7-08002be2092f}

I'm encountering TCP fragmentation issues, and can't enable my VPN connection. How do I fix this issue?
WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default
Switch or Docker NAT network. Support for this solution has been added in
KB4571744. To fix the issue, install the update and enable the fix by following these
steps:

1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting:
\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat.

2. Reboot the device.

What does the Allow users to trust files that open in Microsoft Defender Application Guard option in the Group policy do?
This policy was present in Windows 10 prior to version 2004. It was removed from later
versions of Windows as it doesn't enforce anything for either Edge or Office.

How do I open a support ticket for Microsoft Defender Application Guard?
Visit Create a new support request.
Under the Product Family, select Windows. Select the product and the product
version you need help with. For the category that best describes the issue, select
Windows Security Technologies. In the final option, select Windows Defender
Application Guard.
Is there a way to enable or disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site?
Yes. Use this Edge flag to enable or disable this behavior:
--disable-features="msWdagAutoCloseNavigatedTabs"

See also
Configure Microsoft Defender Application Guard policy settings
