Try Windows Defender Application Guard for Microsoft Edge



Windows Defender Application Guard (WDAG) provides unprecedented protection against targeted threats using Microsoft's industry-leading Hyper-V virtualization technology. We have expanded this new defense-in-depth protection to Windows 10 Professional and Enterprise in our RS4 update. Now both Enterprise and Pro users can navigate the Internet in Application Guard knowing their systems are safe from common web-based attacks.

Prerequisites:

  • Windows 10 (or 10 S) Professional or Enterprise
  • Builds 17134+ (Professional), 16299+ (Enterprise)
  • Hypervisor capabilities enabled in BIOS
  • At least 8GB of RAM
  • At least 5GB free disk space
  • At least 4 CPU cores

Installation Steps:

  1. Open the Optional Features menu (Windows key and search for Turn Windows features on or off), select Windows Defender Application Guard, and restart your PC.

  2. Open Edge, and in the Edge menu (three dots in the upper right), select New Application Guard window to open a WDAG window. WDAG windows have an orange outline and an Edge taskbar icon with a shield.

Note: if you manually enabled WDAG in the Optional Features menu, you are in Standalone mode and can try out the additional features below. However, if WDAG was enabled by your IT department, you are in Enterprise mode and WDAG features are managed by their policies. In this case, changing the registry keys below won’t have any effect.

 

Try out WDAG:

  1. Click the Application Guard box in the top-left of the window, and click Learn more for WDAG information.
  2. Navigate to some websites in WDAG. Browsing and performance in WDAG should be as smooth as browsing in Edge. There should be no lag or delays due to WDAG.
  3. Open as many tabs and windows as you like. WDAG and your system should continue to perform well.
  4. Try the following scenarios:
    • Play a video in WDAG: Navigate to a video-playing site like www.bing.com/videos. Audio and video quality should be as smooth as in Edge.
    • Try Flash Player in WDAG: Navigate to a site with Flash content like www.ultrasounds.com. You may have to enable Flash Player from the puzzle-piece icon in the URL bar.
    • Try the Narrator in WDAG: Click Settings > Ease of Access > Narrator and turn it On. Navigate to www.nytimes.com in WDAG and ensure that the Narrator reads the page.
    • Try downloading files in WDAG: Since WDAG has its own file system for security, these files should be inaccessible to the host file system, and your host file system should be inaccessible to WDAG.
    • Try to copy and paste text to and from the WDAG window: This should NOT work, unless you added the EnableClipboard regkey described in the next section or your policies are managed by your IT department.
    • Try to print a webpage in WDAG: Printing should NOT work, unless you added the EnablePrinters regkey described in the next section or your policies are managed by your IT department.
    • Try adding a website to Favorites in WDAG: This should NOT work, unless you added the EnablePersistence regkey described in the next section or your policies are managed by your IT department.

Additional WDAG Features (available to Enterprise and Pro users in WDAG Standalone mode):

WDAG blocks some capabilities to provide the most secure default configuration. It does not allow copying and pasting between your host machine and WDAG, printing from the WDAG container, or any persistent storage of favorites, browsing history, or downloads between login sessions. If you would like to relax these policies, you can configure them via the registry.

1. Open the Registry Editor (Windows key, search for “regedit”).

2. Under “HKLM\software\microsoft\HVSI”, change the values of any of the following registry keys from 0 to 1.

3. Restart your device to enable the feature(s).
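
To see where a machine stands before or after relaxing these defaults, the following read-only PowerShell audit checks the prerequisites listed above and reports which of the three relaxations named on this page are switched on. It is an added example, not code from the original post or from Microsoft; the function names are hypothetical, and it assumes the optional feature is exposed as Windows-Defender-ApplicationGuard, that the registry values are numeric, and that free disk space is measured on the system drive.

```powershell
# Added example: read-only audit; function names are hypothetical.
# Run elevated: Get-WindowsOptionalFeature requires administrator rights.
$HvsiKey     = 'HKLM:\SOFTWARE\Microsoft\HVSI'
$Relaxations = 'EnableClipboard', 'EnablePrinters', 'EnablePersistence'

function Get-WdagPrerequisite {
    $os   = Get-CimInstance Win32_OperatingSystem
    $cs   = Get-CimInstance Win32_ComputerSystem
    $cpu  = @(Get-CimInstance Win32_Processor)
    $ram  = (Get-CimInstance Win32_PhysicalMemory | Measure-Object Capacity -Sum).Sum
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    $feat = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard

    # Build floors from the prerequisites list: 16299+ Enterprise, 17134+ Professional.
    $minBuild = if ($os.Caption -match 'Enterprise') { 16299 } else { 17134 }
    # The firmware flag may read False once a hypervisor is already running,
    # so either signal is accepted as "virtualization enabled".
    $virt = ($cpu.VirtualizationFirmwareEnabled -contains $true) -or $cs.HypervisorPresent

    [pscustomobject]@{
        Edition          = $os.Caption
        BuildOk          = [int]$os.BuildNumber -ge $minBuild
        VirtualizationOk = [bool]$virt
        RamOk            = ($ram / 1GB) -ge 8
        DiskOk           = ($disk.FreeSpace / 1GB) -ge 5   # assumption: system drive
        CoresOk          = ($cpu | Measure-Object NumberOfCores -Sum).Sum -ge 4
        FeatureEnabled   = $feat.State -eq 'Enabled'
    }
}

function Get-WdagRelaxation {
    foreach ($name in $Relaxations) {
        # A missing key or value returns $null rather than throwing.
        $v = (Get-ItemProperty -Path $HvsiKey -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{
            Setting = $name
            Value   = if ($null -eq $v) { 'not set' } else { $v }
            Relaxed = $v -eq 1    # per the page, 1 relaxes the default block
        }
    }
}

Get-WdagPrerequisite | Format-List
Get-WdagRelaxation   | Format-Table -AutoSize
```

Any row with Relaxed = True marks a channel between the host and the container that the default configuration keeps closed. In Enterprise mode these values do not reflect the effective settings, since IT policies govern WDAG there.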