Installing Microsoft Defender Application Guard with Intune - Demo
Start course

This course explores Microsoft Defender Application Guard. You'll get a fundamental understanding of the service and learn how to configure and manage the service. You also follow along with a practical demonstration to learn how to create a policy that can be used to automate the installation of Application Guard, using InTune.

Learning Objectives

  • Obtain a foundation understanding of Microsoft Defender Application Guard including what it is, what it does, and which endpoints and apps that can targeted with the service
  • Understanding the requirements for installing Application Guard
  • Learn about Application Guard policies and how to create them

Intended Audience

This quick course is intended for anyone who wishes to learn about Microsoft Defender Application Guard.


To get the most out of this course, you should already have some knowledge of Microsoft Defender.



Hello, and welcome back. What we're going to do here in this quick demonstration is walk through the process of installing Application Guard on devices through Intune or Microsoft Endpoint Manager. Essentially, what we're gonna do here is create a profile that pushes this out to our devices. Now, on the screen here, I'm logged into my Microsoft Endpoint Manager admin center, and that's located at 

I'm logged in as my global admin. And to make this happen, what I'm going to do is browse over to Devices in the left pane here, in the navigation pane, and then from the Devices Overview page here, we're gonna go down into Configuration profiles because that's what we're doing here. We're essentially creating a configuration profile.

So we'll go ahead and select Configuration profiles. And from here, we can see all of the existing configuration profiles that exist. What we're gonna do here is create a new one. And this is going to be for Windows 10, so we'll go down into Windows 10 and later, and then for Profile type here, we can select either of the Settings catalog, which is in preview, or choose a Template. What we'll do here is choose a Template. And the template we're gonna use is Endpoint protection, so we'll go ahead and select that and create it. And then we have to complete some basic information.

We need to set our configuration settings, do any kind of scope tagging, which we're probably not gonna do here. We can assign it. And then we can specify any specific applicability rules, which we're not gonna do here. We'll review, and then create the policy, or profile, I should say. So what we're gonna do here for this Endpoint protection configuration profile here, we're just gonna call it Application Guard. And since description here is not required, we'll leave it alone for now. We'll go ahead and Next it. And then in Configuration settings, we see all the different options we have here.

Since we do want to deploy Defender Application Guard, we'll select the Application Guard dropdown. And when we do that, we have some pieces of information here that we can configure. Not everything is mandatory, but what is mandatory is the Application Guard option, since this is what we're going to deploy. So we'll select the dropdown here, and we'll enable it for Edge. And once we do that, all of these other features light up, so to speak, and allow us to configure them. What we'll do here for this demonstration is just configure the Clipboard behavior.

Now, once we select this dropdown, we have a couple of different options. We can allow copy and paste from PC to browser only, copy and paste from browser to PC only, and then allow copy and paste between PC and browser, and copy and paste between PC, or block copy and paste between PC and browser. What we'll do here is we'll just select the first option here to allow copy and paste from PC to browser only. And when we do that, we do have a piece of information we do have to configure here.

If we select the dropdown for Clipboard content, we have to specify what Clipboard content we're gonna allow. And for this demonstration here, we'll allow text and images, and we'll leave the rest of our options at their defaults here. And then what we'll do is we'll Next it. We'll leave the default Scope tag in place. We'll Next it again. And then what we'll do here for Assignments is we'll just assign this to all users. We'll Next through. And now what we can do here with Applicability Rules is use these to specify how the profile gets assigned within a group.

So we're assigning this profile to all users. What we could do with the Applicability Rules is specify rules that would kind of allow us to filter it down or further branch out who should get these. We're gonna leave this alone. We'll go ahead and Next it. We can review our settings, and then go ahead and create our Application Guard device configuration profile. Now, this is telling me to assign the profile to at least one group. We've already done that by going to All Users. And there you have it. That's how you create a device configuration profile in Microsoft Endpoint Manager admin center that can go out and install Application Guard.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.