System requirements for Windows Defender Application Guard
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard is designed to help prevent old and newly emerging attacks, to help keep employees productive.
Windows Defender Application Guard is not supported on VMs and VDI environments. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
Your environment needs the following hardware to run Windows Defender Application Guard.
|64-bit CPU||A 64-bit computer with minimum 4 cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see Hyper-V on Windows Server 2016 or Introduction to Hyper-V on Windows 10. For more info about hypervisor, see Hypervisor Specifications.|
|CPU virtualization extensions||Extended page tables, also called Second Level Address Translation (SLAT)
One of the following virtualization extensions for VBS:
|Hardware memory||Microsoft requires a minimum of 8 GB RAM|
|Hard disk||5 GB free space, solid state disk (SSD) recommended|
|Input/Output Memory Management Unit (IOMMU) support||Not required, but strongly recommended|
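A pre-flight check for the hardware rows above, as an added example (not Microsoft's code). It reads the values through standard CIM classes; the function name `Test-WdagHardware`, the `Row` helper, and the use of the system drive for the free-space check are assumptions of this example.

```powershell
# Added example: thresholds are the ones in the hardware table above.
# Test-WdagHardware, Row and the system-drive choice are this example's assumptions.
function Test-WdagHardware {
    $cpu  = @(Get-CimInstance Win32_Processor)
    $cs   = Get-CimInstance Win32_ComputerSystem
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $dg   = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue

    # $ok: $true = Pass, $false = $failAs (Fail or Warn), $null = Unknown.
    function Row($name, $required, $actual, $ok, $failAs = 'Fail') {
        $status = if ($null -eq $ok) { 'Unknown' } elseif ($ok) { 'Pass' } else { $failAs }
        [pscustomobject]@{ Requirement = $name; Required = $required
                           Actual = $actual; Status = $status }
    }

    $is64    = [Environment]::Is64BitOperatingSystem   # a 64-bit OS implies a 64-bit CPU
    $logical = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
    # Sum installed module capacity: Win32_ComputerSystem.TotalPhysicalMemory excludes
    # hardware-reserved memory, so an 8 GB machine reads just under 8 GB there.
    $ramGB   = (Get-CimInstance Win32_PhysicalMemory |
                Measure-Object -Property Capacity -Sum).Sum / 1GB
    $freeGB  = [math]::Round($disk.FreeSpace / 1GB, 1)

    # With a hypervisor already running (Hyper-V/VBS enabled, or this is a VM),
    # Win32_Processor may report the SLAT and virtualization flags as False, so
    # they cannot be trusted; report Unknown rather than a false Fail.
    if ($cs.HypervisorPresent) { $slat = $null; $virt = $null } else {
        $slat = [bool]$cpu[0].SecondLevelAddressTranslationExtensions
        $virt = [bool]($cpu[0].VMMonitorModeExtensions -and
                       $cpu[0].VirtualizationFirmwareEnabled)
    }
    # AvailableSecurityProperties value 3 = DMA protection (IOMMU) available.
    $iommu = if ($dg) { $dg.AvailableSecurityProperties -contains 3 } else { $null }

    Row '64-bit CPU'                'yes'         $is64    $is64
    Row 'Logical processors'        '>= 4'        $logical ($logical -ge 4)
    Row 'SLAT'                      'required'    $slat    $slat
    Row 'Virtualization extensions' 'enabled'     $virt    $virt
    Row 'RAM (GB)'                  '>= 8'        $ramGB   ($ramGB -ge 8)
    Row 'Free disk (GB)'            '>= 5'        $freeGB  ($freeGB -ge 5)
    Row 'IOMMU'                     'recommended' $iommu   $iommu 'Warn'
}

Test-WdagHardware | Format-Table -AutoSize
```

An `Unknown` on the SLAT or virtualization rows means a hypervisor is already loaded; on a VM this matches the nested-virtualization caveat above.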
Your environment needs the following software to run Windows Defender Application Guard.
|Operating system||Windows 10 Enterprise edition, version 1709 or higher
Windows 10 Professional edition, version 1803 or higher
Windows 10 Professional for Workstations edition, version 1803 or higher
Windows 10 Professional Education edition, version 1803 or higher
Windows 10 Education edition, version 1903 or higher
Professional editions are only supported for non-managed devices; Intune or any other third-party mobile device management (MDM) solutions are not supported with WDAG for Professional editions.
|Browser||Microsoft Edge and Internet Explorer|
(only for managed devices)
Microsoft Endpoint Configuration Manager
Your current company-wide third-party mobile device management (MDM) solution. For info about third-party MDM solutions, see the documentation that came with your product.
|Windows Defender Exploit Protection settings||The following settings should be configured or verified in the Windows Security app under App & browser control > Exploit protection > Exploit protection settings > System Settings.
Control flow guard (CFG) must be set to Use default (On) or Off by default. If set to On by default, Windows Defender Application Guard will not launch.
Randomize memory allocations (Bottom-up ASLR) must be set to Use default (On) or Off by default. If set to "On by default", the