Microsoft Defender Application Guard overview
Microsoft Defender Application Guard (MDAG) is designed to help prevent both long-established and newly emerging attacks while keeping employees productive. Its hardware isolation approach aims to make the attacker's current playbook obsolete rather than to detect each technique individually.

For Microsoft Office, Application Guard helps prevent untrusted Word, PowerPoint, and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container that is separate from the host operating system. If the untrusted site or file turns out to be malicious, the host device is protected and the attacker can't get to your enterprise data. For example, the isolated container is anonymous (it carries no enterprise identity), so an attacker can't get to your employee's enterprise credentials.
What types of devices should use Application Guard?
Application Guard has been created to target several types of devices:
Enterprise mobile laptops. These laptops are domain-joined and managed by your
organization. Configuration management is primarily done through Microsoft
Configuration Manager or Microsoft Intune. Employees typically have Standard
User privileges and use a high-bandwidth, wireless, corporate network.
Bring your own device (BYOD) mobile laptops. These personally owned laptops
aren't domain-joined, but are managed by your organization through tools, such
as Microsoft Intune. The employee is typically an admin on the device and uses a
high-bandwidth wireless corporate network while at work and a comparable
personal network while at home.
Personal devices. These personally owned desktops or mobile laptops aren't
domain-joined or managed by an organization. The user is an admin on the device
and uses a high-bandwidth wireless personal network while at home or a
comparable public network while outside.
Microsoft Defender Application Guard (MDAG) for Edge standalone mode license entitlements are granted by the following licenses:

For more information about Windows licensing, see Windows licensing overview.
For more information about Microsoft Defender Application Guard (MDAG) for Edge enterprise mode, see Configure Microsoft Defender Application Guard policy settings.
Related articles
- System requirements for Microsoft Defender Application Guard: specifies the prerequisites necessary to install and use Application Guard.
- Prepare and install Microsoft Defender Application Guard: provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.
- Configure the Group Policy settings for Microsoft Defender Application Guard: provides information about the available Group Policy and MDM settings.
- Testing scenarios using Microsoft Defender Application Guard in your business or organization: provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.
- Microsoft Defender Application Guard Extension for web browsers: describes the Application Guard extension for Chrome and Firefox, including known issues and a troubleshooting guide.
- Use a network boundary to add trusted sites on Windows devices in Microsoft Intune: describes network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.
System requirements for Microsoft Defender Application Guard
The threat landscape is continually evolving. While attackers keep developing new techniques to breach enterprise networks by compromising workstations, phishing remains one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent both long-established and newly emerging attacks while keeping employees productive.
Hardware requirements
Your environment must have the following hardware to run Microsoft Defender
Application Guard.
Hardware: Description
- 64-bit CPU: A 64-bit computer with a minimum of four cores (logical processors) is required for the hypervisor and virtualization-based security (VBS). For more information about Hyper-V, see Hyper-V on Windows Server 2016 or Introduction to Hyper-V on Windows 10. For more information about the hypervisor, see Hypervisor Specifications.
- CPU virtualization extensions: Extended page tables, also called Second Level Address Translation (SLAT), AND the hardware virtualization extensions that VBS requires, enabled in firmware.
- Hard disk: 5 GB of free space; a solid state disk (SSD) is recommended.
Software requirements
Your environment must have the following software to run Microsoft Defender
Application Guard.
Software: Description
- Management system (managed devices only): Group Policy, or another supported management solution.
Prepare and install Microsoft Defender Application Guard
Note: Before you continue, review System requirements for Microsoft Defender Application Guard for the hardware and software installation requirements.
Standalone mode
Employees can use hardware-isolated browsing sessions without any administrator or
management policy configuration. In this mode, you must install Application Guard and
then the employee must manually start Microsoft Edge in Application Guard while
browsing untrusted sites. For an example of how this works, see the Application Guard
in standalone mode testing scenario.
Enterprise-managed mode
You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser request for a domain that isn't an enterprise domain into the container.
The following diagram shows the flow between the host PC and the isolated container.
Install Application Guard
Application Guard functionality is turned off by default. However, you can quickly install it on your employees' devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.

To install by using the Control Panel
1. Open the Control Panel, select Programs, and then select Turn Windows features on or off.
2. Select the check box next to Microsoft Defender Application Guard and then select OK to install Application Guard and its underlying dependencies.

To install by using PowerShell
Note: Ensure your devices have met all system requirements prior to this step. PowerShell installs the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only.
1. Select the Search icon in the Windows taskbar and type PowerShell.
2. Right-click Windows PowerShell and select Run as administrator.
3. Enable the Windows-Defender-ApplicationGuard optional feature with Enable-WindowsOptionalFeature.
4. Restart the device to install Application Guard and its underlying dependencies.
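Because the PowerShell path installs the feature without checking prerequisites, a practitioner normally gates the install on the hardware requirements listed earlier (64-bit, four logical processors, SLAT and firmware virtualization, 5 GB free). The following script is an added example, not code from the article: it reads the Hyper-V requirement flags that Get-ComputerInfo reports, then enables the Windows-Defender-ApplicationGuard optional feature only if every check passes. The thresholds come from the article; the decision to skip the firmware checks when a hypervisor is already running is an assumption made here.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the article): verify the documented hardware
# prerequisites, then enable the Application Guard optional feature.

function Test-MdagPrerequisites {
    $problems = @()

    # 64-bit OS with at least four logical processors (article requirement)
    if (-not [Environment]::Is64BitOperatingSystem) { $problems += 'Operating system is not 64-bit' }
    $logical = (Get-CimInstance Win32_Processor |
                Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
    if ($logical -lt 4) { $problems += "Only $logical logical processors (need 4)" }

    # SLAT plus virtualization extensions enabled in firmware. Get-ComputerInfo reports
    # these flags only while no hypervisor is running; once Hyper-V/VBS is active the
    # hardware has already been validated, so we skip them (assumption made here).
    $ci = Get-ComputerInfo -Property HyperV*
    if (-not $ci.HyperVisorPresent) {
        if ($ci.HyperVRequirementSecondLevelAddressTranslation -ne $true) { $problems += 'SLAT not available' }
        if ($ci.HyperVRequirementVirtualizationFirmwareEnabled  -ne $true) { $problems += 'Virtualization extensions disabled in firmware' }
        if ($ci.HyperVRequirementVMMonitorModeExtensions        -ne $true) { $problems += 'VM monitor mode extensions missing' }
    }

    # 5 GB free on the system drive (article requirement)
    $sys = Get-PSDrive -Name ($env:SystemDrive.TrimEnd(':'))
    if ($sys.Free -lt 5GB) {
        $problems += ('Only {0:N1} GB free on {1}' -f ($sys.Free / 1GB), $env:SystemDrive)
    }
    return $problems
}

function Enable-Mdag {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    if ($feature.State -eq 'Enabled') {
        Write-Host 'Application Guard is already enabled'
        return $feature
    }
    # -NoRestart lets you batch the reboot across devices; the feature is not
    # functional until the device has restarted.
    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart
}

$issues = Test-MdagPrerequisites
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw 'Device does not meet the Application Guard requirements; not enabling the feature.'
}
Enable-Mdag
```

Run it elevated; if it returns without throwing, restart the device to finish the install, as step 4 says.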
To install by using Intune
Important: Make sure your organization's devices meet requirements and are enrolled in Intune.
1. Sign in to the Microsoft Intune admin center.
2. Select Endpoint security > Attack surface reduction > Create Policy, and do the following:
3. In the Basics tab, specify the Name and Description for the policy. Select Next.
5. In the Scope tags tab, if your organization is using scope tags, choose + Select scope tags, and then select the tags you want to use. Select Next.
   To learn more about scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT.
6. In the Assignments page, select the users or groups that will receive the policy. Select Next.
   To learn more about assigning policies, see Assign policies in Microsoft Intune.

After the policy is created, any device to which the policy applies will have Microsoft Defender Application Guard enabled. Users might have to restart their devices for protection to be in place.
Configure Microsoft Defender Application Guard policy settings
Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once and then apply it to many computers. For example, you can set up multiple security settings in a Group Policy Object that is linked to a domain, and then apply all those settings to every endpoint in the domain.
Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management license entitlements are granted by the following licenses:

For more information about Microsoft Defender Application Guard (MDAG) for Edge in standalone mode, see Microsoft Defender Application Guard overview.
Note: For Windows 10 with KB5014666 installed, and for Windows 11 with KB5014668 installed, you don't need to configure the network isolation policy to enable Application Guard for Microsoft Edge in managed mode.
Note: You must configure either the Enterprise resource domains hosted in the cloud setting or the Private network ranges for apps setting on your employee devices to successfully turn on Application Guard in enterprise mode. Proxy servers must be listed as a neutral resource in the Domains categorized as both work and personal policy; otherwise the container cannot reach the proxy.
Network isolation settings
- Private network ranges for apps (supported on at least Windows Server 2012, Windows 8, or Windows RT): A comma-separated list of IP address ranges that are in your corporate network. Included endpoints, or endpoints that fall within a specified IP address range, are rendered using Microsoft Edge on the host and won't be accessible from the Application Guard environment.
Domain entries in these lists support two wildcard forms:
- .contoso.com: Trust any domain that ends with the text contoso.com. Matching sites include spearphishingcontoso.com, contoso.com, and www.contoso.com.
- ..contoso.com: Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include shop.contoso.com, us.shop.contoso.com, and www.us.shop.contoso.com, but NOT contoso.com itself.

Because the single-dot form is a plain text suffix match with no label boundary, it also trusts look-alike registrations such as spearphishingcontoso.com. Prefer the double-dot form, and list the apex domain separately if it must be trusted too.
Application-specific settings
These settings, located at Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard, can help you to manage your organization's implementation of Application Guard.

- Allow auditing events in Microsoft Defender Application Guard (supported on Windows 10 Enterprise 1709 or higher, Windows 10 Education 1809 or higher, and Windows 11 Enterprise and Education): This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard. Options: Enabled. This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host. Disabled or not configured. Event logs aren't collected from your Application Guard container.
dialog box. By default, this dialog box only contains the error information and a button
for you to report it to Microsoft via the feedback hub. However, it's possible to provide
additional information in the dialog box.
Application Guard testing scenarios
Article • 12/12/2023 • Applies to: ✅ Windows 11, ✅ Windows 10
We've come up with a list of scenarios that you can use to test hardware-based isolation
in your organization.
Application Guard in standalone mode
2. Restart the device, start Microsoft Edge, and then select New Application Guard window from the menu.
   Note: Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays.
4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.
Application Guard in Enterprise-managed mode
3. Set up the network isolation settings in Group Policy:
   a. Select the Windows icon, type Group Policy, and then select Edit Group Policy.
   b. Open the Enterprise resource domains hosted in the cloud setting.
   c. For the purposes of this scenario, type .microsoft.com into the Enterprise cloud resources box.
   d. Open the Domains categorized as both work and personal setting.
   e. For the purposes of this scenario, type bing.com into the Neutral resources box.
4. Go to the Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode setting.
5. Select Enabled.
   Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.
6. Start Microsoft Edge and type a URL in the domain you marked as trusted.
   After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.
7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists.
   After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
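The Group Policy settings in this scenario are ordinary registry-backed policies, which makes the scenario scriptable for a lab or for drift checks. The following PowerShell is an added example, not code from the article: it applies the same values (.microsoft.com as an enterprise cloud resource, bing.com as a neutral resource), enforces the two rules stated in the policy notes (at least one of cloud resources or private ranges must be set; proxy and PAC-file hosts must be neutral), and then turns on managed mode. The registry paths and value names under NetworkIsolation and AppHVSI, the list separators, the provider-set numbering, and the proxy host name are assumptions; verify them against your own ADMX templates before deploying.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the article): apply the scenario's network
# isolation values and enable managed mode. Registry locations are the ones the
# ADMX templates are assumed to write to; confirm them against your templates.

$NetIso  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
$AppHvsi = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'

function Set-MdagNetworkIsolation {
    param(
        [string[]]$CloudResources   = @(),   # Enterprise cloud resources, e.g. '.microsoft.com'
        [string[]]$PrivateRanges    = @(),   # Private network ranges, e.g. '10.0.0.0-10.255.255.255'
        [string[]]$NeutralResources = @(),   # Domains categorized as both work and personal
        [string[]]$ProxyHosts       = @()    # proxy and PAC-file FQDNs that must be neutral
    )
    # Enterprise mode needs cloud resources OR private ranges (article note).
    if (-not $CloudResources -and -not $PrivateRanges) {
        throw 'Set Enterprise cloud resources or Private network ranges; managed mode needs at least one.'
    }
    # Proxy/PAC hosts must be neutral or the container cannot reach them (article note).
    $missing = $ProxyHosts | Where-Object { $NeutralResources -notcontains $_ }
    if ($missing) { throw "Proxy/PAC hosts missing from Neutral resources: $($missing -join ', ')" }

    New-Item -Path $NetIso -Force | Out-Null
    # Separators (pipe for cloud resources, comma for the others) are assumed.
    if ($CloudResources)   { Set-ItemProperty $NetIso EnterpriseCloudResources ($CloudResources   -join '|') }
    if ($PrivateRanges)    { Set-ItemProperty $NetIso EnterpriseIPRange        ($PrivateRanges    -join ',') }
    if ($NeutralResources) { Set-ItemProperty $NetIso NeutralResources         ($NeutralResources -join ',') }
}

function Enable-MdagManagedMode {
    # Assumed mapping for AllowAppHVSI_ProviderSet: 1 = Edge, 2 = Office, 3 = both
    param([ValidateSet(1, 2, 3)][int]$ProviderSet = 1)
    New-Item -Path $AppHvsi -Force | Out-Null
    Set-ItemProperty -Path $AppHvsi -Name AllowAppHVSI_ProviderSet -Value $ProviderSet -Type DWord
}

# Scenario values from the article; proxy.corp.example is a constructed placeholder.
Set-MdagNetworkIsolation -CloudResources '.microsoft.com' `
                         -NeutralResources 'bing.com', 'proxy.corp.example' `
                         -ProxyHosts 'proxy.corp.example'
Enable-MdagManagedMode -ProviderSet 1

# Show what was written so the result can be compared with the GPO editor view.
Get-ItemProperty -Path $NetIso | Select-Object EnterpriseCloudResources, EnterpriseIPRange, NeutralResources
Get-ItemProperty -Path $AppHvsi | Select-Object AllowAppHVSI_ProviderSet
```

Writing policy keys directly bypasses Group Policy's own refresh and reporting; use it for a test machine or a compliance check, and let the GPO or Intune policy remain the source of truth on managed devices.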
Application Guard provides the following default behavior for your employees:
No copying and pasting between the host PC and the isolated container.
You have the option to change each of these settings to work with your enterprise from
within Group Policy.
Clipboard options
The clipboard setting offers these options:
- Only text can be copied between the host PC and the isolated container.
- Only images can be copied between the host PC and the isolated container.
- Both text and images can be copied between the host PC and the isolated container.
5. Select OK.
Print options
1. Go to the Computer Configuration\Administrative Templates\Windows
Components\Microsoft Defender Application Guard\Configure Microsoft
Defender Application Guard print settings.
3. Based on the list provided in the setting, choose the number that best represents
what type of printing should be available to your employees. You can allow any
combination of local, network, PDF, and XPS printing.
4. Select OK.
Data persistence options
4. Add the site to your Favorites list and then close the isolated session.
5. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
   The previously added site should still appear in your Favorites list.
   Note: If you turn on data persistence but later decide to stop supporting it for your employees, you can use the Windows-provided utility to reset the container and discard any personal data.
Download options
1. Go to the Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow files to download and save to the host operating system from Microsoft Defender Application Guard setting.
5. Check that the file has been downloaded into This PC > Downloads > Untrusted files.
Application Guard Extension for web browsers
Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios.
1. Open either Firefox or Chrome, whichever browser you have the extension installed on.
Microsoft Defender Application Guard Extension
Note: Microsoft Defender Application Guard, including the Windows Isolated App Launcher APIs, will be deprecated for Microsoft Edge for Business and will no longer be updated. Download the Microsoft Edge for Business Security Whitepaper to learn more about Edge for Business security capabilities.

Microsoft Defender Application Guard Extension is a web browser add-on available for Chrome and Firefox.
Microsoft Defender Application Guard provides Hyper-V isolation on Windows 10 and Windows 11, to
protect users from potentially harmful content on the web. The extension helps Application Guard protect
users running other web browsers.
Tip
Application Guard, by default, offers native support to both Microsoft Edge and Internet Explorer.
These browsers do not need the extension described here for Application Guard to protect them.
Microsoft Defender Application Guard Extension defends devices in your organization from advanced
attacks, by redirecting untrusted websites to an isolated version of Microsoft Edge . If an untrusted
website turns out to be malicious, it remains within Application Guard's secure container, keeping the
device protected.
Prerequisites
Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version
1809 or later:
Windows 10 Professional
Windows 10 Enterprise
Windows 10 Education
Windows 11
Application Guard itself is required for the extension to work. It has its own set of requirements. Check the
Application Guard installation guide for further steps, if you don't have it installed already.
Enterprise administrators running Application Guard under managed mode should first define Application
Guard's network isolation settings, so a set of enterprise sites is already in place.
From there, the steps for installing the extension are similar whether Application Guard is running in
managed or standalone mode.
1. On the local device, download and install the Application Guard extension for Google Chrome
and/or Mozilla Firefox .
2. Install the Microsoft Defender Application Guard companion app from the Microsoft Store. This
companion app enables Application Guard to work with web browsers other than Microsoft Edge or
Internet Explorer.
3. Restart the device.
Chrome policies
These policies are located under the registry path Software\Policies\Google\Chrome\, with each policy name corresponding to the registry value name. For example, IncognitoModeAvailability is located at Software\Policies\Google\Chrome\IncognitoModeAvailability.

- ExtensionSettings. Values: this policy accepts a dictionary that configures multiple other management settings for Chrome; see the Google Cloud documentation for the complete schema. Recommended setting: include an entry for force_installed. Reason: this prevents users from manually removing the extension.
Firefox policies
These policies are located under the registry path Software\Policies\Mozilla\Firefox\, with each policy name corresponding to the registry value name. For example, DisableSafeMode is located at Software\Policies\Mozilla\Firefox\DisableSafeMode.

- DisableSafeMode. Values: false or 0 = Safe mode is enabled; true or 1 = Safe mode is disabled. Recommended setting: the policy is enabled and Safe mode isn't allowed to run. Reason: Safe mode starts Firefox with extensions disabled, so it can allow users to circumvent Application Guard.
- BlockAboutConfig. Values: false or 0 = User access to about:config is allowed; true or 1 = User access to about:config isn't allowed. Recommended setting: the policy is enabled and access to about:config isn't allowed. Reason: about:config is a special page within Firefox that offers control over many settings that may compromise security.
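The two policy tables above describe registry-backed browser policies, so an administrator can enforce and audit them from PowerShell. The following script is an added example, not code from the article: it writes the ExtensionSettings force-install entry for Chrome as the JSON string Chrome reads on Windows, sets DisableSafeMode and BlockAboutConfig for Firefox, and then reports whether each control is in place. The extension ID is a placeholder (use the ID from the Chrome Web Store listing), the IncognitoModeAvailability value is an assumption about the page's own recommendation, and the Chrome Web Store update URL is the standard one Chrome uses for store-hosted extensions.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the article): enforce and verify the Chrome and
# Firefox policies described in the tables, using the registry paths the
# article gives. The extension ID below is a placeholder.

$ChromePol       = 'HKLM:\Software\Policies\Google\Chrome'
$FirefoxPol      = 'HKLM:\Software\Policies\Mozilla\Firefox'
$MdagExtensionId = 'abcdefghijklmnopabcdefghijklmnop'   # PLACEHOLDER: real Chrome Web Store ID

function Set-ChromeMdagPolicy {
    New-Item -Path $ChromePol -Force | Out-Null
    # ExtensionSettings is a dictionary keyed by extension ID; on Windows Chrome reads
    # it from a REG_SZ that holds the JSON. force_installed installs the extension and
    # removes the user's ability to disable or uninstall it.
    $settings = @{}
    $settings[$MdagExtensionId] = @{
        installation_mode = 'force_installed'
        update_url        = 'https://clients2.google.com/service/update2/crx'
    }
    $json = $settings | ConvertTo-Json -Compress -Depth 3
    Set-ItemProperty -Path $ChromePol -Name ExtensionSettings -Value $json -Type String
    # 1 = Incognito disabled (assumed recommended value; incognito windows bypass extension
    # redirection unless the extension is allowed in incognito).
    Set-ItemProperty -Path $ChromePol -Name IncognitoModeAvailability -Value 1 -Type DWord
    return $json
}

function Set-FirefoxMdagPolicy {
    New-Item -Path $FirefoxPol -Force | Out-Null
    Set-ItemProperty -Path $FirefoxPol -Name DisableSafeMode  -Value 1 -Type DWord  # Safe mode disables extensions
    Set-ItemProperty -Path $FirefoxPol -Name BlockAboutConfig -Value 1 -Type DWord  # about:config could undo the policy
}

function Test-BrowserMdagPolicy {
    $chrome  = Get-ItemProperty -Path $ChromePol  -ErrorAction SilentlyContinue
    $firefox = Get-ItemProperty -Path $FirefoxPol -ErrorAction SilentlyContinue
    $ext = if ($chrome.ExtensionSettings) { $chrome.ExtensionSettings | ConvertFrom-Json } else { $null }
    [pscustomobject]@{
        ChromeExtensionForced = ($ext.$MdagExtensionId.installation_mode -eq 'force_installed')
        ChromeIncognitoOff    = ($chrome.IncognitoModeAvailability -eq 1)
        FirefoxSafeModeOff    = ($firefox.DisableSafeMode -eq 1)
        FirefoxAboutConfigOff = ($firefox.BlockAboutConfig -eq 1)
    }
}

Set-ChromeMdagPolicy | Out-Null
Set-FirefoxMdagPolicy
Test-BrowserMdagPolicy
```

Test-BrowserMdagPolicy is the part worth keeping in a compliance job: any property that reports False means the user can remove the extension or reach a browser mode that the extension does not cover.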
Troubleshooting guide

Error message: Application Guard undetermined state
Cause: The extension was unable to communicate with the companion app during the last information request.
Actions: 1. Install the companion app and reboot. 2. If the companion app is already installed, reboot and see if that resolves the error. 3. If you still see the error after rebooting, uninstall and reinstall the companion app. 4. Check for updates in both the Microsoft Store and the respective web store for the affected browser.

Error message: Failed to determine if Application Guard is enabled
Cause: The extension was able to communicate with the companion app, but the information request failed in the app.
Actions: 1. Restart the browser. 2. Check for updates in both the Microsoft Store and the respective web store for the affected browser.

Error message: Launch in WDAG failed with a companion communication error
Cause: The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running.
Actions: 1. Make sure the companion app is installed. 2. If the companion app is installed, reboot and see if that resolves the error. 3. If you still see the error after rebooting, uninstall and reinstall the companion app. 4. Check for updates in both the Microsoft Store and the respective web store for the affected browser.

Error message: Main page navigation caught an unexpected error
Cause: An unexpected exception was thrown during the main page navigation.
Actions: 1. File a bug. 2. Retry the operation.

Error message: Process trust response failed with a companion communication error
Cause: The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running.
Actions: 1. Make sure the companion app is installed. 2. If the companion app is installed, reboot and see if that resolves the error. 3. If you still see the error after rebooting, uninstall and reinstall the companion app. 4. Check for updates in both the Microsoft Store and the respective web store for the affected browser.

Error message: Protocol out of sync
Cause: The extension and native app can't communicate with each other. This error is likely caused by one being updated without supporting the protocol of the other.
Actions: Check for updates in both the Microsoft Store and the web store for the affected browser.

Error message: Security patch level doesn't match
Cause: Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update.
Actions: Check for updates in both the Microsoft Store and the web store for the affected browser.

Error message: Unexpected response while processing trusted state
Cause: The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension.
Actions: 1. File a bug. 2. Check whether Microsoft Edge is working. 3. Retry the operation.
Related articles
Microsoft Defender Application Guard overview
Testing scenarios using Microsoft Defender Application Guard in your business or organization
Frequently asked questions
This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
To ensure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy
servers the PAC file redirects to” are added as Neutral Resources in the Network
Isolation policies used by Application Guard, you can:
Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error:
0x00000000 Location: 0x00000000
In an entry such as ..contoso.com, the first dot stands for the subdomain labels (mail or news), and the second dot marks the start of the domain name (contoso.com). These two dots prevent sites such as fakesitecontoso.com from being trusted.
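The difference between the single-dot and double-dot forms, described in the network isolation policy table earlier on this page and in this answer, is easy to get wrong when reviewing a long trusted-domain list. The following PowerShell is an added example, not code from the article: it implements the documented matching rules for both forms, runs them over a constructed set of host names that includes the look-alikes the page warns about, and flags single-dot entries in a list as overbroad. The matching logic is written from the documented examples; that the policy engine compares host names case-insensitively is an assumption.

```powershell
# Added example (not part of the article): evaluate the two wildcard forms used
# in the network isolation domain lists and audit a list for overbroad entries.

function Test-MdagDomainMatch {
    param(
        [Parameter(Mandatory)][string]$Pattern,    # '.contoso.com', '..contoso.com' or 'contoso.com'
        [Parameter(Mandatory)][string]$HostName
    )
    $h = $HostName.ToLowerInvariant().TrimEnd('.')   # case-insensitive compare is an assumption
    $p = $Pattern.ToLowerInvariant()
    if ($p.StartsWith('..')) {
        # Double dot: any host below the domain, but never the apex itself
        $apex = $p.Substring(2)
        return ($h -ne $apex) -and $h.EndsWith('.' + $apex)
    }
    if ($p.StartsWith('.')) {
        # Single dot: plain text suffix match with no label boundary, so
        # spearphishingcontoso.com ends with "contoso.com" and is trusted
        return $h.EndsWith($p.Substring(1))
    }
    return $h -eq $p    # no leading dot: exact host name only
}

function Find-OverbroadTrustEntries {
    # Single-dot entries also trust look-alike registrations; suggest the
    # double-dot form plus an explicit apex entry where the apex is needed.
    param([string[]]$Entries)
    $Entries | Where-Object { $_ -match '^\.[^.]' } | ForEach-Object {
        [pscustomobject]@{
            Entry      = $_
            AlsoTrusts = 'any host ending in the text "' + $_.Substring(1) + '"'
            Suggest    = ('.' + $_) + ' plus ' + $_.Substring(1) + ' if the apex must be trusted'
        }
    }
}

# Constructed sample host names: the documented examples plus two look-alikes
$hosts = 'contoso.com', 'www.contoso.com', 'us.shop.contoso.com',
         'spearphishingcontoso.com', 'fakesitecontoso.com', 'contoso.com.attacker.example'

foreach ($pattern in '.contoso.com', '..contoso.com') {
    foreach ($name in $hosts) {
        [pscustomobject]@{
            Pattern  = $pattern
            HostName = $name
            Trusted  = Test-MdagDomainMatch -Pattern $pattern -HostName $name
        }
    }
}

# Audit a constructed policy list
Find-OverbroadTrustEntries -Entries '.contoso.com', '..contoso.com', 'contoso.sharepoint.com'
```

With the single-dot pattern every sample host except contoso.com.attacker.example is trusted, including both look-alikes; with the double-dot pattern only www.contoso.com and us.shop.contoso.com are trusted, and contoso.com itself is not, which is the behaviour the table describes.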
Application Guard accesses files from a VHD mounted on the host that needs to be
written during setup. If an encryption driver prevents a VHD from being mounted or
from being written to, Application Guard doesn't work and results in an error message
(0x80070013 ERROR_WRITE_PROTECT).
Protocol: UDP
Port: 67
8. The new rule should show up in the user interface. Right-click the rule and select Properties.
9. In the Programs and Services tab, under the Services section, select Settings.
10. Choose Apply to this service and select Internet Connection Sharing (ICS) Shared Access.

1. In the Group Policy setting Prohibit use of Internet Connection Sharing on your DNS domain network, set it to Disabled.
Policy: Allow installation of devices that match any of the following device IDs:
- SCSI\DiskMsft____Virtual_Disk____
- {8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba
- VMS_VSF
- root\Vpcivsp
- root\VMBus
- vms_mp
- VMS_VSP
- ROOT\VKRNLINTVSP
- ROOT\VID
- root\storvsp
- vms_vsmp
- VMS_PP

Policy: Allow installation of devices using drivers that match these device setup classes:
- {71a27cdd-812a-11d0-bec7-08002be2092f}
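When a device installation restriction is already in force, adding the IDs above by hand through the policy editor is error-prone, and a list that silently misses one ID leaves the container unable to start. The following PowerShell is an added example, not code from the article: it appends the listed device IDs and the setup class to the allow lists, skipping entries that are already present, and enables each list. The registry layout under DeviceInstall\Restrictions (a DWORD enabling the list, plus a subkey of numbered string values) is the layout the device installation ADMX is assumed to write to; check it against your template before relying on it.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the article): add the Hyper-V/VHD device IDs and
# the setup class from the FAQ to the device installation allow lists.
# Registry layout is assumed to match the DeviceInstall ADMX; verify it.

$Restrictions = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

$MdagDeviceIds = @(
    'SCSI\DiskMsft____Virtual_Disk____',
    '{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba',
    'VMS_VSF', 'root\Vpcivsp', 'root\VMBus', 'vms_mp', 'VMS_VSP',
    'ROOT\VKRNLINTVSP', 'ROOT\VID', 'root\storvsp', 'vms_vsmp', 'VMS_PP'
)
$MdagSetupClasses = @('{71a27cdd-812a-11d0-bec7-08002be2092f}')

function Add-DeviceInstallAllowEntries {
    param(
        [ValidateSet('AllowDeviceIDs', 'AllowDeviceClasses')][string]$ListName,
        [string[]]$Entries
    )
    $key = Join-Path $Restrictions $ListName
    New-Item -Path $key -Force | Out-Null

    # The list is a set of string values named 1, 2, 3, ...; read what is there so we
    # neither duplicate an entry nor overwrite an existing slot.
    $names    = @((Get-Item -Path $key).Property)
    $existing = foreach ($n in $names) { (Get-ItemProperty -Path $key -Name $n).$n }
    $next     = 1 + (($names | ForEach-Object { [int]$_ } | Measure-Object -Maximum).Maximum)

    $added = @()
    foreach ($entry in $Entries) {
        if ($existing -contains $entry) { continue }    # case-insensitive by default
        Set-ItemProperty -Path $key -Name $next -Value $entry -Type String
        $added += $entry
        $next++
    }
    # The DWORD of the same name turns the list on.
    Set-ItemProperty -Path $Restrictions -Name $ListName -Value 1 -Type DWord
    return $added
}

$addedIds     = Add-DeviceInstallAllowEntries -ListName AllowDeviceIDs     -Entries $MdagDeviceIds
$addedClasses = Add-DeviceInstallAllowEntries -ListName AllowDeviceClasses -Entries $MdagSetupClasses
"Added $($addedIds.Count) device IDs and $($addedClasses.Count) setup classes"
```

These allow lists only matter when a deny rule is in effect, typically Prevent installation of devices not described by other policy settings; if that policy is not enabled, the IDs are not needed, and if it is, every ID above must be present for the container's virtual devices to install.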
See also
Configure Microsoft Defender Application Guard policy settings