Hello and welcome to Microsoft Defender Application Guard.  In this lesson, we’ll take a look at what Application Guard is, and at what role it plays.

Application Guard is a Defender offering that can be used to prevent existing AND emerging attacks on Windows 10 endpoints. It takes a hardware isolation approach to security that makes current attack methods obsolete.

Application Guard protects users as they browse the internet, by isolating enterprise-defined untrusted sites in Microsoft Edge. Administrators can define the trusted websites, cloud resources, and internal networks that users should be able to use. Anything not included in the list is then considered untrusted. So, what happens is, when a user browses to an untrusted site or resource via Microsoft Edge or Internet Explorer, the site or resource opens the site in an isolated Hyper-V-enabled container.

There is also a Defender Application Guard Extension that’s available for Chrome and Firefox. It redirects untrusted websites to an isolated version of Microsoft Edge, and, in turn, if that untrusted website turns out to be a malicious site, it’s kept within Application Guard's secure container, keeping the host device protected.

To use the Microsoft Defender Application Guard Extension, you need to be running version 1803 or later of either Windows 10 Professional, Windows 10 Enterprise, or Windows 10 Education. Of course, it also requires Application Guard itself to be installed to work.

Now, for Microsoft Office, what Application Guard does, is prevent untrusted Word, PowerPoint, and Excel files from accessing trusted resources. In other words, Application Guard will open untrusted files in an isolated Hyper-V-enabled container, in much the same way it causes Edge to open untrusted sites. 

Now, I should clarify that this isolated Hyper-V container is completely separate from the host operating system. So, what this means is, is that if an untrusted site or file is malicious, the host device itself is protected. This prevents the attacker from accessing enterprise data.

Application Guard can target enterprise desktops, enterprise mobile laptops, BYOD mobile laptops, and personal laptops and desktops.

Enterprise desktops are desktops that are domain-joined and managed by your organization. Configuration management for these is typically handled with Microsoft Endpoint Manager or Microsoft Intune. Users of these devices will usually have Standard User privileges and use a high-bandwidth, wired, corporate network.

Enterprise mobile laptops are domain-joined, and they are managed by your organization. Like enterprise desktops, configuration management  for enterprise mobile laptops is usually handled by Microsoft Endpoint Manager or Microsoft Intune. Users of these devices will usually have Standard User privileges and use a high-bandwidth, wired, corporate network.

BYOD mobile laptops are personally-owned laptops that are NOT domain-joined. However, they ARE managed by your organization, using tools like Intune. The user of a BYOD laptop is usually an admin on the device itself and typically uses a high-bandwidth wireless corporate network while at work, and a high-bandwidth WiFi network while at home.

Personal devices are personally-owned desktops or mobile laptops. They are not domain-joined, nor are the managed by the organization. The user of this type of device is almost always an admin on the device and uses high-bandwidth wireless personal networks at home and similar high-bandwidth public networks while outside the home.

You aren’t likely to encounter much on the exam when it comes to hardware and software requirements for Application Guard, BUT, just in case, be sure to visit the URL that you see on your screen:

 

https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard