1. Ensure your system meets the requirements: Windows 10/11 Enterprise or Education (64-bit), 6th-gen Intel Core or equivalent AMD with virtualization enabled, at least 8 GB RAM, Hyper-V available and enabled.
2. Enable WDAG via Group Policy (navigate to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Application Guard and set to Enabled), PowerShell (run Enable-WindowsOptionalFeature with HypervisorPlatform and Windows-Defender-ApplicationGuard features), or Windows Features GUI (enable Windows Defender Application Guard and Virtual Machine Platform, then restart).
3. Configure WDAG for Microsoft Edge and Office apps using Group Policy to define trusted and untrusted sites and files, ensuring untrusted content opens in isolated containers while trusted content opens normally.
4. Monitor WDAG through Event Viewer under Microsoft > Windows > AppLocker and Hypervisor-Debug logs or via Microsoft Defender for Endpoint, and troubleshoot issues like "Application Guard not available" by verifying virtualization settings and Windows edition, address performance issues by ensuring sufficient RAM and excluding trusted sites, resolve Office file issues by checking file properties and policies, and manage Hyper-V conflicts by adjusting third-party virtualization software usage.
5. Follow best practices: integrate with Microsoft Defender for Endpoint, define clear trust policies, educate users about isolated windows, test deployment in a pilot group, and keep systems updated.

Managing WDAG effectively enhances protection against web and document-based threats by isolating untrusted content in a lightweight virtual machine, provided prerequisites are met and configurations are correctly applied.

Windows Defender Application Guard (WDAG) is a security feature in Windows 10 and Windows 11 Enterprise and Education editions that helps protect your system by isolating untrusted websites and documents in a lightweight virtual machine. This prevents potentially malicious content from reaching your host operating system. Managing WDAG effectively involves enabling, configuring, monitoring, and troubleshooting it appropriately.

Here’s how to manage Windows Defender Application Guard:
1. Check System and Edition Requirements
Before managing WDAG, ensure your system meets the requirements:

- Supported editions: Windows 10/11 Enterprise or Education (64-bit)
- Processor: 6th generation Intel Core or later (or equivalent AMD with virtualization support)
- Virtualization-based security (VBS): Must be supported and enabled in BIOS/UEFI
- RAM: At least 8 GB recommended
- Hyper-V: Must be available and enabled
You can check your Windows edition by going to Settings > System > About.
2. Enable or Disable Application Guard
Option A: Using Group Policy (Recommended for Organizations)
- Open the Group Policy Management Console (GPMC) or Local Group Policy Editor (gpedit.msc). Navigate to:
  Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Application Guard
- Configure one or more of the following:
  - Turn on Microsoft Defender Application Guard: Set to Enabled
  - Allow WDAG on computers with unsupported processors: Only enable if necessary (not recommended)
  - Configure Windows Defender Application Guard for Office applications: Enable isolation for untrusted documents
- Apply the settings, then run gpupdate /force in Command Prompt to refresh policies.
Option B: Using PowerShell (For IT Admins)
To enable WDAG:
Enable-WindowsOptionalFeature -Online -FeatureName "HypervisorPlatform", "Windows-Defender-ApplicationGuard"
To disable:
Disable-WindowsOptionalFeature -Online -FeatureName "Windows-Defender-ApplicationGuard"
You’ll need to restart the computer after enabling or disabling.
Option C: Using Windows Features (GUI)
- Open Control Panel > Programs > Turn Windows features on or off
- Check:
- Windows Defender Application Guard
- Virtual Machine Platform (and possibly Windows Hypervisor Platform)
- Click OK and restart.
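The requirements in step 1 and the feature state from step 2 can be checked together before any policy is rolled out. The script below is an added example, not part of the original article; the function name Get-WdagReadiness is hypothetical, and the edition check assumes the OS caption contains the edition name.

```powershell
# Added example: read-only WDAG prerequisite report (run in an elevated session).
function Get-WdagReadiness {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1

    # Once a hypervisor is running, the firmware flag can read False,
    # so a present hypervisor is accepted as proof that virtualization is on.
    $virtOk = $cs.HypervisorPresent -or $cpu.VirtualizationFirmwareEnabled

    # Installed RAM is reported slightly below its nominal size, hence 7.5.
    $checks = [ordered]@{
        'Edition is Enterprise or Education' = $os.Caption -match 'Enterprise|Education'
        '64-bit operating system'            = $os.OSArchitecture -match '64'
        'Virtualization enabled'             = [bool]$virtOk
        'At least 8 GB RAM'                  = ($cs.TotalPhysicalMemory / 1GB) -ge 7.5
    }

    # Feature names are the ones used in the Enable/Disable commands above.
    foreach ($name in 'HypervisorPlatform', 'Windows-Defender-ApplicationGuard') {
        try {
            $state = (Get-WindowsOptionalFeature -Online -FeatureName $name -ErrorAction Stop).State
        } catch {
            $state = 'QueryFailed'   # unknown feature name or session not elevated
        }
        $checks["Feature $name enabled"] = ("$state" -eq 'Enabled')
    }

    foreach ($entry in $checks.GetEnumerator()) {
        [pscustomobject]@{ Check = $entry.Key; Passed = $entry.Value }
    }
}

$report = Get-WdagReadiness
$report | Format-Table -AutoSize
if ($report.Passed -contains $false) {
    Write-Warning 'One or more WDAG prerequisites are not met; see the table above.'
}
```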
3. Configure Application Guard for Browsers and Office
Once enabled, WDAG works primarily with:
- Microsoft Edge (Chromium-based): Automatically uses Application Guard for untrusted sites if configured.
- Microsoft Office apps (Word, Excel, PowerPoint): Can open untrusted documents in isolated containers.
Configure Edge Integration
- Use Group Policy:
  - Go to:
    Computer Configuration > Administrative Templates > Microsoft Edge > Application Guard
  - Set Enable Application Guard in Microsoft Edge to Enabled
  - Define Allow sites to load in the container or Block sites from loading in the container via URL lists
- Trusted sites will open normally; untrusted sites launch in a secure container.
Configure Office Integration
- In Group Policy, go to:
Computer Configuration > Administrative Templates > Microsoft Office > Security > Application Guard
- Enable Control application guard in Office apps
- Define:
- Files from the internet and email are opened in isolation
- Files from trusted locations (e.g., internal network paths) open normally
4. Monitor and Troubleshoot WDAG
Monitoring
- Check Event Viewer: Look under Applications and Services Logs > Microsoft > Windows > AppLocker and Hypervisor-Debug for WDAG-related events.
- Use Microsoft Defender for Endpoint: Provides visibility into WDAG usage and security events.
Common Issues & Fixes
"Application Guard is not available on this machine"
→ Ensure virtualization is enabled in BIOS (Intel VT-x / AMD-V).
→ Confirm your Windows edition supports WDAG.
Performance slowdowns
→ WDAG uses system resources. Ensure sufficient RAM (16 GB ideal).
→ Exclude trusted internal sites from containerization.
Office files not opening in container
→ Verify policy settings and that files are marked as "from the internet" (check file properties).
Hyper-V conflicts with other virtualization software (e.g., VMware, Docker)
→ Some apps may not work when WDAG is enabled due to exclusive hypervisor access.
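For the Office case, the "from the internet" marking is stored in the file's Zone.Identifier alternate data stream (the Mark of the Web), which can be read directly instead of opening each file's properties. This is an added example, not from the original article; the function name Get-FileZone and the sample file are constructed for illustration.

```powershell
# Added example: report the Mark of the Web zone for one or more files (NTFS only).
function Get-FileZone {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Path)
    begin {
        $zoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'
                        3 = 'Internet';      4 = 'Restricted sites' }
    }
    process {
        foreach ($p in $Path) {
            # A file without the stream simply has no mark; suppress that error.
            $lines = Get-Content -LiteralPath $p -Stream Zone.Identifier -ErrorAction SilentlyContinue
            $zoneId = $null; $hostUrl = $null
            foreach ($line in $lines) {
                if ($line -match '^ZoneId=(\d+)')      { $zoneId  = [int]$Matches[1] }
                elseif ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
            }
            [pscustomobject]@{
                Path               = $p
                ZoneId             = $zoneId
                Zone               = if ($null -eq $zoneId) { 'No mark' } else { $zoneNames[$zoneId] }
                HostUrl            = $hostUrl
                MarkedFromInternet = ($zoneId -eq 3)
            }
        }
    }
}

# Constructed sample: a temp file given an Internet-zone mark, then inspected.
$sample = Join-Path $env:TEMP 'wdag-motw-sample.docx'
Set-Content -LiteralPath $sample -Value 'constructed sample file'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]', 'ZoneId=3', 'HostUrl=https://example.com/report.docx')
Get-FileZone -Path $sample | Format-List
Remove-Item -LiteralPath $sample
```

A file that reports "No mark" was not tagged as downloaded, so whether it opens in the container depends only on the policy settings.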
5. Best Practices for Managing WDAG
- Use with Microsoft Defender for Endpoint for centralized monitoring.
- Define clear trusted site and file policies to balance security and usability.
- Educate users that some sites or files may open in a separate, isolated window.
- Test in a pilot group before enterprise-wide deployment.
- Keep Windows and drivers updated to avoid compatibility issues.
Managing Windows Defender Application Guard effectively enhances protection against web and document-based threats. While setup requires planning and compatible hardware, the isolation benefits are strong for high-risk environments.
Basically, it’s about enabling it correctly, defining what’s trusted, and keeping an eye on how it integrates with Edge and Office. Not overly complex—but easy to misconfigure if you skip the prerequisites.