PRACTITIONER GUIDE | ENDPOINT SECURITY
Practitioner GuideUpdated 9 min read

Windows Defender Application Guard: How to Deploy Isolated Browsing and Office Document Protection

Hyper-V
Hardware virtualization used by WDAG to isolate untrusted content from the host OS
Office WDAG
Requires Microsoft 365 E5 or Defender for Office 365 Plan 2 license
8 GB RAM
Minimum recommended for WDAG on endpoints -- containers consume 2-4 GB while active

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Drive-by browser exploits and malicious Office documents are the two most common client-side initial access vectors. WDAG addresses both by making the container the execution environment for untrusted content -- if the attack succeeds, it succeeds inside a throwaway container with no persistent access to the host. The container is destroyed after the browsing session or document is closed. This guide covers the prerequisites, deployment via GPO, the Edge and Office WDAG configurations, and the performance considerations.

Prerequisites: Hardware and License Requirements

WDAG requires: hardware virtualization support (Intel VT-x with EPT or AMD-V with RVI -- verify in BIOS/UEFI that virtualization is enabled), 64-bit Windows 10 Enterprise or Education (1709 or later) or Windows 11. Windows 10/11 Pro supports WDAG in standalone mode but not in enterprise managed mode. Office WDAG additionally requires Microsoft 365 Apps for Enterprise and a Microsoft 365 E5 or Defender for Office 365 Plan 2 license. Minimum RAM: 8 GB (4 GB for the host, 2-4 GB for the WDAG container). SSD storage is strongly recommended -- WDAG containers on spinning disks are noticeably slow to launch (20-45 seconds vs 3-8 seconds on SSD). Enable the Windows feature: Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart. Deploy the feature via GPO: Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Application Guard > Turn on Microsoft Defender Application Guard in Managed Mode = 1 (Enabled for Edge and Microsoft Office). Verify hardware compatibility: Get-WinEvent -LogName 'Microsoft-Windows-WDAG-UM-Driver/Operational' | Select-Object -First 10 -- no errors indicates compatible hardware.

Configure Edge Application Guard via GPO

Edge WDAG configuration is under Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Application Guard. Key settings: Allow users to trust files that open in Application Guard (set to 0 -- do not allow -- prevents users from bypassing WDAG by 'trusting' a document to open outside the container). Allow clipboard operations in Application Guard (set to 0 -- no clipboard sharing between host and container, or 1 for one-way clipboard from container to host only). Allow Printing from Application Guard (set to 0 unless required). Enterprise network isolation: define trusted networks in Computer Configuration > Windows Settings > Security Settings > Network Isolation > Enterprise Resource Domains. URLs matching these definitions open in normal Edge; all other URLs open in the WDAG container. Configure trusted domains conservatively -- only your organization's known corporate applications should be trusted. Explicitly untrusted sites (configured via Windows Defender SmartScreen or network filtering) force WDAG launch for those specific URLs.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Configure Office Application Guard

Office WDAG requires the WDAG feature enabled (above) plus the Office WDAG add-in. Deploy via Intune or SCCM: the Office Application Guard feature is included in Microsoft 365 Apps for Enterprise 2019 or later. Enable via registry: HKLM\SOFTWARE\Microsoft\Office\Common\Security\EnableApplicationGuard = 1 (DWORD). Or via GPO (Office Administrative Templates): User Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings > Application Guard: Enable Application Guard = Enabled. After enabling, Office documents from external sources (email attachments, downloaded files, files from non-trusted SharePoint sites) open automatically in the WDAG container. Users see a yellow banner indicating the document is open in Application Guard. To exit Application Guard and edit the document, users must click 'Enable Editing' which re-opens the document on the host (after confirming it is trusted). Configure what triggers WDAG for Office: Computer Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings > Application Guard > Define which files trigger Application Guard. Default: files from outside the organization (internet zone), files from email attachments, files from unknown network shares.

Known Limitations and Performance Considerations

WDAG container launch time: the first container launch after system boot takes 15-30 seconds on SSD (the Hyper-V container starts cold). Subsequent launches in the same session are faster (5-8 seconds) because the container base image is kept warm. On HDD systems, expect 45-90 seconds for initial launch. This latency is the primary user experience friction -- set expectations with users before deployment. Features unavailable in WDAG container: saved passwords (the WDAG container has no access to the host's credential store), browser extensions (most extensions do not run in WDAG Edge), clipboard access to/from host (if disabled), file downloads that persist after session (WDAG containers are ephemeral -- downloads are deleted when the container closes unless configured otherwise). Hardware compatibility: devices with specific anticheat or DRM software (some gaming anti-cheat), certain VPN drivers, and some hypervisor conflicts may fail to launch WDAG. Test on representative device models before broad deployment. Memory: on devices with exactly 8 GB RAM, WDAG container activation can cause memory pressure for memory-intensive tasks running on the host. 16 GB RAM is the practical minimum for a smooth experience with WDAG active.

Monitor WDAG Container Activity

WDAG activity is logged in the Windows Event Log under Applications and Services Logs > Microsoft > Windows > Windows Defender Application Guard > Admin. Event ID 15 (container started), Event ID 40 (container destroyed), Event ID 87 (file opened in WDAG). Forward these events to your SIEM for visibility. Integration with MDE (Defender for Endpoint): WDAG container activity is surfaced in the MDE Threat and Vulnerability Management and in the Device timeline. If a process inside the WDAG container attempts malicious behavior (network reconnaissance, shellcode execution), MDE generates an alert scoped to the WDAG container. These alerts are valuable because they indicate a user opened a malicious document that attempted exploitation -- even though the container contained the exploit, it is a high-quality indicator of a phishing attempt targeting the user. Alert on: WDAG container events where a process attempts a network connection to an external IP, WDAG container events where a suspicious child process is created, and any WDAG container escape attempt (extremely rare but high severity).

The bottom line

WDAG is the most effective client-side control for malicious document and drive-by exploit protection because it makes a successful exploit irrelevant -- the attacker owns the container, not the host. Deploy Office WDAG for all endpoints that receive external email attachments. Prioritize SSD endpoints for WDAG to minimize launch latency. Monitor WDAG container security events in MDE -- a WDAG alert on a user's device means they encountered a genuine attempted exploit.

Frequently asked questions

Does WDAG interfere with legitimate work, like opening trusted documents?

WDAG only activates for documents from untrusted sources (internet zone, email attachments, external network locations). Documents opened from SharePoint, Teams (internal), or local trusted network shares open normally on the host without WDAG. Users who regularly open external documents will see WDAG activate for those -- they can read the document in WDAG and if they determine it is safe, click 'Enable Editing' to re-open it on the host. The friction is intentional and appropriate for untrusted content. Internal documents from trusted sources are unaffected.

Can WDAG be combined with Controlled Folder Access for defense-in-depth?

Yes. WDAG and Controlled Folder Access protect against different attack scenarios and complement each other. WDAG protects against malicious documents and web exploits by containing the execution. Controlled Folder Access protects host folders from unauthorized writes by applications (including ransomware that executes via other means). Use both: WDAG for external content isolation, Controlled Folder Access for ransomware protection of key folders, and Credential Guard for credential protection. The combination significantly raises the cost for an attacker to achieve meaningful persistence after initial access.

Does WDAG protect against macro-based malware in Office documents?

Yes. If a Word document with a malicious macro is opened in WDAG, the macro executes inside the container. It can download payloads, run PowerShell, and attempt persistence -- but all within the isolated container. The host is unaffected. After the document is closed, the container and all executed malware within it are destroyed. Note: Block macros via GPO (Computer Configuration > Administrative Templates > Microsoft Office 2016 > Security Settings > Trust Center > Block macros from running in Office files from the Internet = Enabled) as a complementary control -- WDAG contains the damage if macros run, blocking macros prevents them from running at all.

Is WDAG available on Windows 11 Home?

No. WDAG (in enterprise managed mode) requires Windows 10/11 Enterprise or Education editions. Windows 11 Pro includes a limited version of Application Guard for Edge in 'standalone mode' where users manually launch WDAG sessions, but the automatic, policy-driven enterprise mode requires Enterprise or Education editions. For organizations with Windows Pro endpoints, alternative controls include: Enhanced Phishing Protection in Windows 11 22H2+, Microsoft Defender SmartScreen, and application isolation via Defender for Endpoint's behavioral blocking.

What is the performance impact of WDAG on endpoints and how can I minimize it?

WDAG uses Hyper-V lightweight VM containers which require hardware virtualization support and memory allocation. On cold launch (first document opened in WDAG), users experience a 15 to 30 second delay while the container starts. Subsequent documents in the same session open much faster (under 5 seconds) if the container is still running. The minimum hardware recommendation is 8 GB RAM and an SSD -- spinning disk machines experience significantly longer WDAG startup times. On modern hardware (16 GB RAM, NVMe SSD, Intel VT-x enabled), the launch delay is typically under 10 seconds. To minimize user friction: enable 'Windows Defender Application Guard extension' in Edge preferences so users see when WDAG is activating, and pre-warm the container via scheduled task in your WDAG deployment policy.

What threats does Windows Defender Application Guard not protect against and where should it be used alongside other controls?

WDAG provides strong isolation for browser and document content, but has defined scope limitations. It does not protect against: social engineering attacks where the user is tricked into copying content from the WDAG container to the host (users can copy text and some images between container and host depending on policy configuration). Kernel-level vulnerabilities in the Hyper-V hypervisor itself could theoretically escape the container, though the hypervisor attack surface is significantly smaller than a full OS. WDAG does not protect against malicious attachments that the user saves from the WDAG container to a shared network drive -- the file exits the container into the normal filesystem. Clipboard sharing policy (controlled via GPO, default disabled) must remain disabled to prevent a compromised container from pasting malicious content to the host clipboard. Complementary controls: use WDAG alongside Microsoft Defender Application Control (WDAC) to restrict what can execute on the host after content exits the container, and deploy Safe Links/Safe Attachments in Microsoft Defender for Office 365 to pre-detonate attachments before they reach WDAG at all.

Sources & references

  1. Microsoft: Windows Defender Application Guard Overview
  2. Microsoft: WDAG for Office

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.