Welcome back. In this brief lesson here, we are going to look at some of the system requirements for Application Guard and at the different modes it can be installed in.

As far as hardware requirements go, to run Microsoft Defender Application Guard, your machine must be a 64-bit computer with a minimum four cores for the hypervisor and virtualization-based security, AND it must support extended page tables, or Second Level Address Translation. It must also support the VT-x or AMD-V virtualization extensions for virtualization-based security.

A minimum of 8GB RAM and 5GB of free space is also necessary. SSD storage is recommended.

As far as software requirements go, you need to be running Windows 10, version 1809 or higher. This includes Windows 10 Enterprise edition, Professional edition, Windows 10 Professional for Workstations edition, Professional Education edition, and Windows 10 Education edition.

I should point out, though, that the Professional editions are only supported for non-managed devices. I should also mention that neither Intune, nor other 3rd-party mobile device management solutions, are supported with Application Guard for the Windows 10 Professional editions.

Microsoft Edge is the supported browser and as far as management systems go, provided the device is managed, InTune is supported, Microsoft Endpoint Configuration Manager is supported, Group Policy is supported, as are existing 3rd party mobile device management solutions. 

Now, before you install Microsoft Defender Application Guard, you need to decide how you’ll use it. It can be used in Standalone mode, or in Enterprise-managed mode.

Standalone mode can be used with version 1709 and higher of Windows 10 Enterprise edition, or with Windows 10 Pro edition, version 1803.

When installed in Standalone mode, users can use hardware-isolated browsing sessions without any administrator or management policy configuration. To run Application Guard in standalone mode, users have to manually start Microsoft Edge in Application Guard while browsing untrusted sites. 

Enterprise-managed mode requires Windows 10 Enterprise edition, version 1709 or higher.

To run in enterprise-managed mode, you explicitly add trusted domains and you customize the Application Guard experience to enforce your organizational requirements on employee devices. 

I should point out that when run in Enterprise-managed mode, Application Guard will also automatically redirect browser requests to add non-enterprise domain in the container.

The image on your screen shows how Microsoft Edge and Application Guard work together.

Notice here, how, when the user launches Edge and opens a URL, if the URL is in the allowed list, it’s opened on the host device. If the URL is NOT in the allowed list, Edge renders the URL in the Windows Defender Application Guard container, rather than on the host machine. 

This is how Application Guard protects devices. If something goes bad when the URL is launched in the container, its access is limited to that container, which is essentially anonymous – so the enterprise is protected.

Application Guard can be installed manually, via the Control Panel.

via PowerShell, using the command you see on your screen or via InTune.

 

In the next lesson, we’ll look at some important info to know about configuring Application Guard policy settings.