Windows 10 1709 adds many new security features to the Windows Defender stack; one of them is Windows Defender Application Guard. Managing Windows Defender Application Guard requires Microsoft Configuration Manager 1710 or Microsoft Intune.

What is Windows Defender Application Guard:

While using Microsoft Edge, Windows Defender Application Guard protects your environment from sites that haven’t been defined as trusted by your organization. When users visit sites that aren’t listed in your isolated network boundary, the sites will be opened in a virtual browsing session in Hyper-V. Trusted sites are defined by a network boundary, which can be configured in Device Configuration.

Note this feature is only available for Windows 10 (64-bit) devices.


How to deploy Windows Defender Application Guard

Go to the Intune blade of https://portal.azure.com

Click Device configuration – Profiles – Create profile

  1. Name : Windows 10 – Endpoint Protection WDAG
  2. Select Windows 10 and later
  3. Select Endpoint protection
  4. Select Configure
  5. Select Windows Defender Application Guard
  6. Select Enable
  7. Select Clipboard behavior – “Allow copy and paste from PC to browser only”
  8. Select Clipboard content – “Text and images”
  9. Select External content on enterprise sites – “Block”
  10. Select Print from virtual browser – “Allow”
  11. Select * Printing type(s) – “PDF”
  12. Select Collect logs – “Allow”
  13. Select Retain user-generated browser data – “Allow”

You need to match the profile settings to your company's security policies.

After the profile has been deployed to devices and the devices have synced with Intune, they need to be restarted. After the restart, the Windows Defender Application Guard feature is enabled on the devices.
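To confirm on a device that the feature is really enabled, or is still waiting for the restart, the following check can be run in an elevated PowerShell session. It is an added example, not part of the original post; the function name `Test-WdagReadiness` is hypothetical, and it assumes build 16299 (Windows 10 1709) as the minimum and `Windows-Defender-ApplicationGuard` as the optional feature name.

```powershell
# Added example: post-deployment check for Windows Defender Application Guard.
# Run elevated; Get-WindowsOptionalFeature -Online requires administrator rights.
function Test-WdagReadiness {
    [CmdletBinding()]
    param(
        # Assumption: 16299 is the build number of Windows 10 1709.
        [int]$MinimumBuild = 16299
    )

    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber

    # Query the optional feature; treat a lookup failure as "feature not present".
    try {
        $feature = Get-WindowsOptionalFeature -Online `
            -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction Stop
        $state = [string]$feature.State
    }
    catch {
        $state = 'NotPresent'
    }

    $is64Bit = [Environment]::Is64BitOperatingSystem
    $buildOk = $build -ge $MinimumBuild

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Is64Bit        = $is64Bit
        Build          = $build
        BuildOk        = $buildOk
        FeatureState   = $state
        # EnablePending means the profile was applied but the device has not restarted yet.
        RestartPending = ($state -eq 'EnablePending')
        Ready          = ($is64Bit -and $buildOk -and $state -eq 'Enabled')
    }
}

$result = Test-WdagReadiness
$result | Format-List

if ($result.RestartPending) {
    Write-Warning 'Application Guard is enabled but inactive until the device is restarted.'
}
elseif (-not $result.Ready) {
    Write-Warning 'Application Guard is not active on this device; check the values above.'
}
```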


How is the user experience of Windows Defender Application Guard

When users are in the Microsoft Edge browser, they can open Windows Defender Application Guard by selecting “New Application Guard window”.

The first time Windows Defender Application Guard starts, it takes some time to prepare.

Then the user is ready to browse the internet in the most secure way ever.


More info on Windows Defender Application Guard

Windows Defender Application Guard overview

System requirements for Windows Defender Application Guard