What Is Microsoft Defender Application Guard And How To Enable It

If you are a Windows user, then it is likely that you are familiar with Windows Security, formerly known as “Microsoft Defender.” Windows Security is a Windows-native application that protects your PC from malware and attacks – a replacement for third-party antivirus software.

An integral part of Windows Security is Microsoft Defender Application Guard. This is a component of Windows Security that keeps you protected from online threats while browsing in Microsoft Edge, or from opening malicious files in Microsoft office.

That said, this feature needs to be installed and enabled manually on your computer. Only then will it add its extra layer of security to your computer and to the time you spend online.

Moreover, Microsoft Defender Application Guard can be used in enterprise environments so that the network is not compromised through an employee’s negligence while surfing the web.

In this article, you will find all there is to know about the Microsoft Defender Application Guard, how to enable it, how it works, and how to manage it.

What is Microsoft Defender Application Guard

Microsoft Defender Application Guard is a security feature in Windows 11 and Windows 10 that helps prevent old and new cyberattacks. This utility works with Microsoft Office, Internet Explorer (deprecated), and Microsoft Edge.

In the case of Microsoft Edge, Application Guard isolates every website that is not on the whitelist created by the IT administrator by running it in a virtualized bubble, a Hyper-V container.

In other words, any URL not on the whitelist automatically runs in an isolated environment. This way, if an attacker compromises your browsing session and then tries to reach your computer or network, they cannot, because the online session runs in a standalone container.

Similarly, in the case of Microsoft Office, if an employee opens a malicious file in Word or Excel (or any other Office application), it would be isolated from the rest of the network, hence securing it from threats.

Microsoft Defender Application Guard can be installed on your Windows 10/11 PC to be used in Edge or Office, or you can install its extension for Chrome and Firefox (links shared below). But before we show you how to install and configure it, the question you should be asking is do you really need it?

Which Devices should Run Microsoft Defender Application Guard

Although the Application Guard can be installed on any supported device, you should know whether you need it or not.

Of course, no amount of digital security is ever quite enough these days, but that does not mean every security control should be running at the same time.

Here is a list of the supported devices that can run Application Guard:

  • Standalone devices:

    • Windows 10 Enterprise edition, version 1709 or higher
    • Windows 10 Pro edition, version 1803 or higher
    • Windows 11
  • Domain-controlled devices:

    • Windows 10 Enterprise edition, version 1709 or higher
    • Windows 11
  • System requirements:

    • 64-Bit CPU architecture
    • Supports virtualization
    • Minimum 8 GB of RAM
    • Minimum 5 GB of free storage space

We believe that all enterprise devices, be they desktops, laptops, mobile devices, or tablets, should be running Application Guard.

Since these devices are usually joined to a domain, they are at greater risk: a compromised domain-joined device can lead an attacker to more enterprise secrets and data sources. Therefore, all necessary security features ought to be enabled on enterprise devices.

If an enterprise allows you to connect your own device to its network, Application Guard should be enabled beforehand. The reason is obvious: a device connected to an enterprise network has access to any other non-isolated devices on it.

If you have a personal device, like a private laptop, then the decision comes down to the individual user. If they store sensitive information on their computer, such as financial passwords or client information, then enabling Microsoft Defender Application Guard is recommended.

However, if they only use it for casual work, then the Application Guard might be overkill.

Now that you know what Microsoft Defender Application Guard is and where it can be used, let us discuss how it works.

How Microsoft Defender Application Guard Works

How Application Guard works with Microsoft Edge. Source: Microsoft

Considering Microsoft Edge as an example, the process starts when a user clicks on a link or enters a URL. If the URL is found within the whitelist created by the sysadmin, then it runs in a regular Edge instance without isolating it.

However, if the URL is not in the whitelist, then Microsoft Edge automatically opens it inside a Hyper-V container, and it stays there for as long as the URL is open.

This is a simple mechanism that Microsoft Defender Application Guard uses to protect your devices and networks.
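To make the decision flow above concrete, here is a small PowerShell model of it, written for this article rather than taken from Microsoft or the original post. It does not call the real Application Guard engine; the allowlist format (one host per entry, with a leading "." meaning "this domain and all of its subdomains") and the sample allowlist and URLs are constructed assumptions for illustration. The point worth noticing is that only the host part of the URL is compared, and that a suffix check has to be anchored on the dot so that a lookalike domain such as contoso.com.somethingelse does not get treated as trusted.

```powershell
# Added example (not from the article or from Microsoft): a model of the
# allowlist decision Application Guard makes for each URL in Edge.
# Allowlist format is an assumption: exact host, or ".domain" for domain + subdomains.
function Test-TrustedHost {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$AllowList
    )
    $h = $HostName.ToLowerInvariant()
    foreach ($entry in $AllowList) {
        $e = $entry.ToLowerInvariant()
        if ($e.StartsWith('.')) {
            # ".contoso.com" trusts contoso.com itself and every subdomain of it.
            # EndsWith on the dotted form keeps "contoso.com.other.example" untrusted.
            $bare = $e.TrimStart('.')
            if ($h -eq $bare -or $h.EndsWith($e)) { return $true }
        } elseif ($h -eq $e) {
            return $true
        }
    }
    return $false
}

function Get-ApplicationGuardDecision {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string[]]$AllowList
    )
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref]$uri)) {
        return 'Invalid'
    }
    # Only the host is compared; path, query string and port never make a site trusted.
    if (Test-TrustedHost -HostName $uri.Host -AllowList $AllowList) {
        return 'Host'        # would open in the regular Edge instance
    }
    return 'Container'       # would open inside the Hyper-V container
}

# Constructed sample allowlist and URLs (not real enterprise data)
$allow = @('.contoso.com', 'intranet.example.local')
$samples = @(
    'https://portal.contoso.com/reports',        # subdomain of a trusted domain -> Host
    'https://contoso.com.other.example/login',   # lookalike, must stay in the Container
    'http://intranet.example.local:8080/',       # exact host match, port ignored -> Host
    'https://news.example.net/'                  # not listed -> Container
)
foreach ($u in $samples) {
    '{0,-45} -> {1}' -f $u, (Get-ApplicationGuardDecision -Url $u -AllowList $allow)
}
```

Run it as-is on any PowerShell 5.1 or 7 host; nothing in it touches Application Guard or the policy store, so it is safe to experiment with different allowlist entries and see which URLs would end up in the container.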

How to Enable/Install Microsoft Defender Application Guard

As we mentioned earlier, Microsoft Defender Application Guard needs to be installed manually. Once it is installed, you can configure it to allow or restrict further functionality.

You can enable Application Guard using the Optional Features applet, or from Windows PowerShell.

From Optional Features

Here are the steps to enable the feature using the Optional Features applet:

  1. Open the Optional Features window by typing in “optionalfeatures” in the Run Command box.

    optionalfeatures
  2. Select “Microsoft Defender Application Guard” and click Ok.


    The feature will now install on your PC.

  3. Click “Restart now” to finalize the installation.


Using PowerShell

Perform these steps to install Microsoft Defender Application Guard using PowerShell:

  1. Launch an elevated PowerShell instance.

  2. Now run the following cmdlet:

    Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard

    When asked to restart the computer, enter “Y” for Yes.
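The following script, added here as an example and not part of the article, ties the system requirements listed earlier to the cmdlet from step 2: it checks the 64-bit CPU, virtualization, 8 GB RAM and 5 GB free space requirements, and only then enables the Windows-Defender-ApplicationGuard feature. It uses the standard Get-CimInstance classes and the DISM cmdlets; -NoRestart defers the reboot so that you can restart when convenient. Run it from an elevated PowerShell session. The helper function names are this example's own.

```powershell
# Added example (not from the article): verify prerequisites, then enable
# Microsoft Defender Application Guard with the same cmdlet the article uses.
# Run from an elevated PowerShell session; thresholds follow the article's list.
function Test-ApplicationGuardPrerequisites {
    $cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
    $cs   = Get-CimInstance Win32_ComputerSystem
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    # Once a hypervisor is already running, Win32_Processor can report
    # VirtualizationFirmwareEnabled as False, so accept HypervisorPresent as well.
    $virt = [bool]$cpu.VirtualizationFirmwareEnabled -or [bool]$cs.HypervisorPresent

    $checks = [ordered]@{
        '64-bit CPU'             = ($cpu.AddressWidth -eq 64)
        'Virtualization enabled' = $virt
        'At least 8 GB RAM'      = ([math]::Round($cs.TotalPhysicalMemory / 1GB) -ge 8)
        'At least 5 GB free'     = (($disk.FreeSpace / 1GB) -ge 5)
    }
    foreach ($name in $checks.Keys) {
        # Write-Host keeps the report off the pipeline so the boolean below is the only output
        Write-Host ('{0,-24} {1}' -f $name, $(if ($checks[$name]) { 'OK' } else { 'FAIL' }))
    }
    return -not (@($checks.Values) -contains $false)
}

function Enable-ApplicationGuard {
    $feature = 'Windows-Defender-ApplicationGuard'
    $state = (Get-WindowsOptionalFeature -Online -FeatureName $feature).State
    if ($state -eq 'Enabled') { return "$feature is already enabled" }

    if (-not (Test-ApplicationGuardPrerequisites)) {
        throw 'Prerequisites not met; Application Guard was not enabled'
    }

    # -NoRestart defers the reboot the article describes; restart afterwards to finish.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $feature -NoRestart
    $state  = (Get-WindowsOptionalFeature -Online -FeatureName $feature).State
    return "$feature state: $state (restart needed: $($result.RestartNeeded))"
}

Enable-ApplicationGuard
```

After the restart, Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard should report State as Enabled; if it still reads EnablePending, the reboot has not yet completed the installation.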

When the computer reboots, Microsoft Defender Application Guard will be enabled. By default, it runs in its most restrictive mode, which means that you will not be able to copy and paste data, save data, print files, or access the camera or microphone while running the Edge browser inside Application Guard.

However, these features can be enabled on demand.

Allow Copy, Paste, Saving, Printing, Camera, Mic Access in Application Guard

Once Microsoft Defender Application Guard is enabled, it is quite restrictive about resource access. It blocks all URLs inside the protective bubble from accessing your storage, RAM, connected peripherals, network, etc. However, you can allow certain types of access. Here is how:

  1. Navigate to:

    Settings app >> Privacy & security >> Windows Security >> App & browser control
  2. Click “Change Application Guard settings” under the Isolated browsing section.

  3. Here, toggle the slider into the On position under the setting that you want to allow.

  4. When done, restart the computer for the changes to take effect.

Alternatively, you can also manage Microsoft Defender Application Guard from Group Policy settings. These settings can be found at the following path within the Group Policy editor:

Local Computer Policy >> Computer Configuration >> Administrative Templates >> Windows Components >> Microsoft Defender Application Guard

Open Application Guard in Microsoft Edge

Although Edge automatically isolates the tabs/windows for the URLs that are not found inside the whitelist, you can also optionally open a new, isolated Edge window manually.

Inside Edge, click on the 3 dots in the top-right corner of the browser, then click “New Application Guard window.”


Alternatively, you can also use the CTRL + Shift + Q shortcut keys to open a new Application Guard window in Edge.

Inside the new window, you can browse any website, as it will now be isolated from the rest of your environment.

Additionally, if you use Google Chrome or Mozilla Firefox, then you may use the Application Guard browser extension to keep your systems safe:

Download Microsoft Defender Application Guard extension for Chrome

Download Microsoft Defender Application Guard extension for Firefox

Final Thoughts

Microsoft Defender Application Guard uses Hyper-V virtualization technology to isolate web URLs in Edge from the rest of your environment, keeping it safe in case of an attack.

This functionality can be useful for enterprise users as well as individuals. Additionally, you can also get Application Guard on your mobile devices, which we recommend you use.

After closing an Application Guard instance, all data is deleted and removed from your PC, with zero chance of infiltration.

Subhan Zafar is an established IT professional with interests in Windows and Server infrastructure testing and research, and is currently working with Itechtics as a research consultant. He has studied Electrical Engineering and is also certified by Huawei (HCNA & HCNP Routing and Switching).
