How to manage Windows Defender Application Guard

Ensure your system meets the requirements: Windows 10/11 Enterprise or Education (64-bit), 6th-gen Intel Core or equivalent AMD with virtualization enabled, at least 8 GB RAM, Hyper-V available and enabled. 2. Enable WDAG via Group Policy (navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Application Guard and set to Enabled), PowerShell (run Enable-WindowsOptionalFeature with HypervisorPlatform and Windows-Defender-ApplicationGuard features), or Windows Features GUI (enable Windows Defender Application Guard and Virtual Machine Platform, then restart). 3. Configure WDAG for Microsoft Edge and Office apps using Group Policy to define trusted and untrusted sites and files, ensuring untrusted content opens in isolated containers while trusted content opens normally. 4. Monitor WDAG through Event Viewer under Microsoft > Windows > AppLocker and Hypervisor-Debug logs or via Microsoft Defender for Endpoint, and troubleshoot issues like "Application Guard not available" by verifying virtualization settings and Windows edition, address performance issues by ensuring sufficient RAM and excluding trusted sites, resolve Office file issues by checking file properties and policies, and manage Hyper-V conflicts by adjusting third-party virtualization software usage. 5. Follow best practices: integrate with Microsoft Defender for Endpoint, define clear trust policies, educate users about isolated windows, test deployment in a pilot group, and keep systems updated. Managing WDAG effectively enhances protection against web and document-based threats by isolating untrusted content in a lightweight virtual machine, provided prerequisites are met and configurations are correctly applied.

Windows Defender Application Guard (WDAG) is a security feature in Windows 10 and Windows 11 Enterprise and Education editions that helps protect your system by isolating untrusted websites and documents in a lightweight virtual machine. This prevents potentially malicious content from reaching your host operating system. Managing WDAG effectively involves enabling, configuring, monitoring, and troubleshooting it appropriately.

Here’s how to manage Windows Defender Application Guard:

1. Check System and Edition Requirements

Before managing WDAG, ensure your system meets the requirements:

• Supported editions: Windows 10/11 Enterprise or Education (64-bit)
• Processor: 6th generation Intel Core or later (or equivalent AMD with virtualization support)
• Virtualization-based security (VBS): Must be supported and enabled in BIOS/UEFI
• RAM: At least 8 GB recommended
• Hyper-V: Must be available and enabled

? You can check your Windows edition by going to Settings > System > About.

2. Enable or Disable Application Guard

Option A: Using Group Policy (Recommended for Organizations)

1. Open the Group Policy Management Console (GPMC) or Local Group Policy Editor (gpedit.msc).

   

2. Navigate to:
   Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Application Guard

3. Configure one or more of the following:

   • Turn on Microsoft Defender Application Guard: Set to Enabled
   • Allow WDAG on computers with unsupported processors: Only enable if necessary (not recommended)
   • Configure Windows Defender Application Guard for Office applications: Enable isolation for untrusted documents

4. Apply and run gpupdate /force in Command Prompt to refresh policies.

Option B: Using PowerShell (For IT Admins)

To enable WDAG:

Enable-WindowsOptionalFeature -Online -FeatureName "HypervisorPlatform", "Windows-Defender-ApplicationGuard"

To disable:

Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard"

⚠️ You’ll need to restart the computer after enabling or disabling.

Option C: Using Windows Features (GUI)

1. Open Control Panel > Programs > Turn Windows features on or off
2. Check:
   • Windows Defender Application Guard
   • Virtual Machine Platform (and possibly Windows Hypervisor Platform)
3. Click OK and restart.

3. Configure Application Guard for Browsers and Office

Once enabled, WDAG works primarily with:

• Microsoft Edge (Chromium-based): Automatically uses Application Guard for untrusted sites if configured.
• Microsoft Office apps (Word, Excel, PowerPoint): Can open untrusted documents in isolated containers.

Configure Edge Integration

1. Use Group Policy:

   • Go to:
     Computer Configuration > Administrative Templates > Microsoft Edge > Application Guard
   • Set Enable Application Guard in Microsoft Edge to Enabled
   • Define Allow sites to load in the container or Block sites from loading in the container via URL lists

2. Trusted sites will open normally; untrusted sites launch in a secure container.

Configure Office Integration

1. In Group Policy, go to:
   Computer Configuration > Administrative Templates > Microsoft Office > Security > Application Guard
2. Enable Control application guard in Office apps
3. Define:
   • Files from the internet and email are opened in isolation
   • Files from trusted locations (e.g., internal network paths) open normally

4. Monitor and Troubleshoot WDAG

Monitoring

• Check Event Viewer:
  Look under Applications and Services Logs > Microsoft > Windows > AppLocker and Hypervisor-Debug for WDAG-related events.
• Use Microsoft Defender for Endpoint: Provides visibility into WDAG usage and security events.

Common Issues & Fixes

• "Application Guard is not available on this machine"
  → Ensure virtualization is enabled in BIOS (Intel VT-x / AMD-V).
  → Confirm your Windows edition supports WDAG.

• Performance slowdowns
  → WDAG uses system resources. Ensure sufficient RAM (16 GB ideal).
  → Exclude trusted internal sites from containerization.

• Office files not opening in container
  → Verify policy settings and that files are marked as "from the internet" (check file properties).

• Hyper-V conflicts with other virtualization software (e.g., VMware, Docker)
  → Some apps may not work when WDAG is enabled due to exclusive hypervisor access.

5. Best Practices for Managing WDAG

• Use with Microsoft Defender for Endpoint for centralized monitoring.
• Define clear trusted site and file policies to balance security and usability.
• Educate users that some sites or files may open in a separate, isolated window.
• Test in a pilot group before enterprise-wide deployment.
• Keep Windows and drivers updated to avoid compatibility issues.

Managing Windows Defender Application Guard effectively enhances protection against web and document-based threats. While setup requires planning and compatible hardware, the isolation benefits are strong for high-risk environments.

Basically, it’s about enabling it correctly, defining what’s trusted, and keeping an eye on how it integrates with Edge and Office. Not overly complex—but easy to misconfigure if you skip the prerequisites.

The above is the detailed content of How to manage Windows Defender Application Guard. For more information, please follow other related articles on the PHP Chinese website!