Installing Microsoft Defender Application Guard
Start course

This course explores Microsoft Defender Application Guard. You'll get a fundamental understanding of the service and learn how to configure and manage the service. You also follow along with a practical demonstration to learn how to create a policy that can be used to automate the installation of Application Guard, using InTune.

Learning Objectives

  • Obtain a foundation understanding of Microsoft Defender Application Guard including what it is, what it does, and which endpoints and apps that can targeted with the service
  • Understanding the requirements for installing Application Guard
  • Learn about Application Guard policies and how to create them

Intended Audience

This quick course is intended for anyone who wishes to learn about Microsoft Defender Application Guard.


To get the most out of this course, you should already have some knowledge of Microsoft Defender.



Welcome back. In this brief lesson here, we are going to look at some of the system requirements for Application Guard and at the different modes it can be installed in.

As far as hardware requirements go, to run Microsoft Defender Application Guard, your machine must be a 64-bit computer with a minimum four cores for the hypervisor and virtualization-based security, AND it must support extended page tables, or Second Level Address Translation. It must also support the VT-x or AMD-V virtualization extensions for virtualization-based security.

A minimum of 8GB RAM and 5GB of free space is also necessary. SSD storage is recommended.

As far as software requirements go, you need to be running Windows 10, version 1809 or higher. This includes Windows 10 Enterprise edition, Professional edition, Windows 10 Professional for Workstations edition, Professional Education edition, and Windows 10 Education edition.

I should point out, though, that the Professional editions are only supported for non-managed devices. I should also mention that neither Intune, nor other 3rd-party mobile device management solutions, are supported with Application Guard for the Windows 10 Professional editions.

Microsoft Edge is the supported browser and as far as management systems go, provided the device is managed, InTune is supported, Microsoft Endpoint Configuration Manager is supported, Group Policy is supported, as are existing 3rd party mobile device management solutions. 

Now, before you install Microsoft Defender Application Guard, you need to decide how you’ll use it. It can be used in Standalone mode, or in Enterprise-managed mode.

Standalone mode can be used with version 1709 and higher of Windows 10 Enterprise edition, or with Windows 10 Pro edition, version 1803.

When installed in Standalone mode, users can use hardware-isolated browsing sessions without any administrator or management policy configuration. To run Application Guard in standalone mode, users have to manually start Microsoft Edge in Application Guard while browsing untrusted sites. 

Enterprise-managed mode requires Windows 10 Enterprise edition, version 1709 or higher.

To run in enterprise-managed mode, you explicitly add trusted domains and you customize the Application Guard experience to enforce your organizational requirements on employee devices. 

I should point out that when run in Enterprise-managed mode, Application Guard will also automatically redirect browser requests to add non-enterprise domain in the container.

The image on your screen shows how Microsoft Edge and Application Guard work together.

Notice here, how, when the user launches Edge and opens a URL, if the URL is in the allowed list, it’s opened on the host device. If the URL is NOT in the allowed list, Edge renders the URL in the Windows Defender Application Guard container, rather than on the host machine. 

This is how Application Guard protects devices. If something goes bad when the URL is launched in the container, its access is limited to that container, which is essentially anonymous – so the enterprise is protected.

Application Guard can be installed manually, via the Control Panel.

via PowerShell, using the command you see on your screen or via InTune.


In the next lesson, we’ll look at some important info to know about configuring Application Guard policy settings.

About the Author
Learning Paths

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long an interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.