Configuring Microsoft Application Guard Policy Settings

This course explores Microsoft Defender Application Guard. You'll get a fundamental understanding of the service and learn how to configure and manage it. You'll also follow along with a practical demonstration to learn how to create a policy that can be used to automate the installation of Application Guard using Intune.

Learning Objectives

  • Obtain a foundational understanding of Microsoft Defender Application Guard, including what it is, what it does, and which endpoints and apps can be targeted with the service
  • Understand the requirements for installing Application Guard
  • Learn about Application Guard policies and how to create them

Intended Audience

This quick course is intended for anyone who wishes to learn about Microsoft Defender Application Guard.


To get the most out of this course, you should already have some knowledge of Microsoft Defender.



Welcome back. Once you have Application Guard installed, it works with Group Policy to help manage computer settings within the organization. As you would expect, leveraging Group Policy allows you to configure a setting one time, and then have that setting go out to all machines it applies to.

Application Guard uses two types of settings. It uses network isolation settings, and application-specific settings.

Network isolation settings are used to define and manage network boundaries. These settings are located in Computer Configuration\Administrative Templates\Network\Network Isolation, and they are used by Application Guard to transfer requests for non-corporate resources into the Application Guard container.

I should mention that you have to configure either the "Enterprise resource domains hosted in the cloud" setting or the "Private network ranges for apps" setting on the users’ devices before you can turn on Application Guard in enterprise mode. Any necessary proxy servers have to be defined as neutral resources in the "Domains categorized as both work and personal" policy.

The table on your screen highlights the network isolation settings that need to be configured.

Application-specific settings also need to be configured. These settings, which you can see on your screen, are located in Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard. These are used to manage the implementation of Application Guard.


Join me in the next lesson, where I’ll walk you through the process of creating a profile in Intune that installs Defender Application Guard on user machines.

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.