Intro to Microsoft Defender Application Guard

This course explores Microsoft Defender Application Guard. You'll get a fundamental understanding of the service and learn how to configure and manage it. You'll also follow along with a practical demonstration to learn how to create a policy that can be used to automate the installation of Application Guard, using Intune.

Learning Objectives

  • Obtain a foundational understanding of Microsoft Defender Application Guard, including what it is, what it does, and which endpoints and apps can be targeted with the service
  • Understand the requirements for installing Application Guard
  • Learn about Application Guard policies and how to create them

Intended Audience

This quick course is intended for anyone who wishes to learn about Microsoft Defender Application Guard.


To get the most out of this course, you should already have some knowledge of Microsoft Defender.



Hello and welcome to Microsoft Defender Application Guard.  In this lesson, we’ll take a look at what Application Guard is, and at what role it plays.

Application Guard is a Defender offering that can be used to prevent existing AND emerging attacks on Windows 10 endpoints. It takes a hardware isolation approach to security that makes current attack methods obsolete.

Application Guard protects users as they browse the internet, by isolating enterprise-defined untrusted sites in Microsoft Edge. Administrators can define the trusted websites, cloud resources, and internal networks that users should be able to use. Anything not included in the list is then considered untrusted. So, what happens is, when a user browses to an untrusted site or resource via Microsoft Edge or Internet Explorer, the site or resource opens in an isolated Hyper-V-enabled container.

There is also a Defender Application Guard Extension that’s available for Chrome and Firefox. It redirects untrusted websites to an isolated version of Microsoft Edge, and, in turn, if that untrusted website turns out to be a malicious site, it’s kept within Application Guard's secure container, keeping the host device protected.

To use the Microsoft Defender Application Guard Extension, you need to be running version 1803 or later of either Windows 10 Professional, Windows 10 Enterprise, or Windows 10 Education. Of course, it also requires Application Guard itself to be installed to work.
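The requirements above can be checked on a device before the extension is rolled out. The following is an added example, not part of the original lesson: the function name `Test-AppGuardExtensionPrereq` is hypothetical, and it assumes an elevated PowerShell session and that the three editions named above appear as `Professional`, `Enterprise` and `Education` in the `EditionID` registry value.

```powershell
# Added example: checks the prerequisites named in the lesson on the local device.
# Run from an elevated prompt (Get-WindowsOptionalFeature -Online needs admin rights).

function Test-AppGuardExtensionPrereq {
    [CmdletBinding()]
    param(
        # Editions the lesson lists, as stored in EditionID (assumption: variant
        # SKUs such as workstation or LTSC editions are not matched here).
        [string[]]$AllowedEditions = @('Professional', 'Enterprise', 'Education'),

        # Windows 10 version 1803 corresponds to OS build 17134.
        [int]$MinimumBuild = 17134
    )

    $cv      = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [int]$cv.CurrentBuildNumber
    $edition = $cv.EditionID

    # Application Guard is delivered as a Windows optional feature.
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Windows-Defender-ApplicationGuard' `
        -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Edition           = $edition
        EditionOk         = $AllowedEditions -contains $edition
        Build             = $build
        BuildOk           = $build -ge $MinimumBuild
        AppGuardState     = if ($feature) { [string]$feature.State } else { 'NotPresent' }
        AppGuardInstalled = [bool]($feature -and $feature.State -eq 'Enabled')
    }
}

$result = Test-AppGuardExtensionPrereq
$result | Format-List

# Flag the device if any of the three requirements from the lesson is not met.
if (-not ($result.EditionOk -and $result.BuildOk -and $result.AppGuardInstalled)) {
    Write-Warning 'Device does not meet the extension prerequisites listed in the lesson.'
}
```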

Now, for Microsoft Office, what Application Guard does is prevent untrusted Word, PowerPoint, and Excel files from accessing trusted resources. In other words, Application Guard will open untrusted files in an isolated Hyper-V-enabled container, in much the same way it causes Edge to open untrusted sites.

Now, I should clarify that this isolated Hyper-V container is completely separate from the host operating system. So, what this means is that if an untrusted site or file is malicious, the host device itself is protected. This prevents the attacker from accessing enterprise data.

Application Guard can target enterprise desktops, enterprise mobile laptops, BYOD mobile laptops, and personal laptops and desktops.

Enterprise desktops are desktops that are domain-joined and managed by your organization. Configuration management for these is typically handled with Microsoft Endpoint Manager or Microsoft Intune. Users of these devices will usually have Standard User privileges and use a high-bandwidth, wired, corporate network.

Enterprise mobile laptops are domain-joined, and they are managed by your organization. Like enterprise desktops, configuration management for enterprise mobile laptops is usually handled by Microsoft Endpoint Manager or Microsoft Intune. Users of these devices will usually have Standard User privileges and use a high-bandwidth, wired, corporate network.

BYOD mobile laptops are personally-owned laptops that are NOT domain-joined. However, they ARE managed by your organization, using tools like Intune. The user of a BYOD laptop is usually an admin on the device itself and typically uses a high-bandwidth wireless corporate network while at work, and a high-bandwidth WiFi network while at home.

Personal devices are personally-owned desktops or mobile laptops. They are not domain-joined, nor are they managed by the organization. The user of this type of device is almost always an admin on the device and uses high-bandwidth wireless personal networks at home and similar high-bandwidth public networks while outside the home.

You aren’t likely to encounter much on the exam when it comes to hardware and software requirements for Application Guard, BUT, just in case, be sure to visit the URL that you see on your screen:

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.