Windows Defender Application Guard - Does Hyper-V need to be enabled on every machine in enterprise

    Question

  • I was reading the requirements for Windows Defender Application service and it talks about Hyper-V:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard

    My questions:

    1). Do we need to enable or install Hyper-V on every machine if we want to use WDAG in an enterprise environment?

    2). What is the way to install Hyper-V and WDAG on all machines?

    3). Does it support apps that work on IE or Edge?

    4). Any timeline for when it can be implemented on other browsers?

    Any help on the above questions is appreciated. 

    Thanks.

    Thursday, February 22, 2018 6:12 PM

Answers

  • Hi Raj, 

    Thank you for your interest in Windows Defender Application Guard.

    1). Do we need to enable or install Hyper-V on every machine if we want to use WDAG in an enterprise environment?

    >> You don't have to install the Hyper-V OS component. Application Guard installation will take care of enabling underlying dependencies on Hyper-V and other OS components. That said, please make sure virtualization support is enabled on the device (check BIOS).

    2). What is the way to install Hyper-V and WDAG on all machines?

    >> Explicit Hyper-V installation is not required to use WDAG. For more details on Hyper-V installation, please refer to the following documentation. [Hyper-V Installation]

    3). Does it support apps that work on IE or Edge?

    >> Once WDAG is enabled in the enterprise managed mode, all untrusted browsing sessions in IE and Edge will be redirected to Edge running inside the WDAG container.

    4). Any timeline for when it can be implemented on other browsers?

    >> We don't have timelines/ETA for supporting other applications inside WDAG.

    Hope that helps.

    Thanks, 

    Chintan

    • Marked as answer by Raj Gera Saturday, March 10, 2018 12:12 AM
    Wednesday, March 7, 2018 6:41 PM

All replies

  • Hi Raj Gera,

    >1). Do we need to enable or install Hyper-V on every machine if we want to use WDAG in an enterprise environment?

    No, the article says WDAG is not supported on VMs (virtual machines in Hyper-V) by default, but for common machines that meet the hardware and software requirements, WDAG is supported.

    If it is a Hyper-V host with many virtual machines running on it and you want to install WDAG on the VMs, then we need to enable nested virtualization for the VMs to support WDAG.

    2. Which machines do you want to install WDAG on? Here is an article about how to install WDAG:

    https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-guard/install-wd-app-guard

    Best Regards,

    Anne



    Friday, February 23, 2018 9:38 AM
    Moderator
  • Hello Anne, 

    Thanks for the update and doc. When I see the hardware requirement for WDAG, it says:

    64-bit CPU: A 64-bit computer with minimum 4 cores is required for hypervisor and virtualization-based security (VBS).

    So that's why I asked if we need to install Hyper-V on all client machines. The doc you shared talks about standalone installations. I am not finding a doc for installing it in an enterprise.

    Thanks, 

    Raj

    Friday, February 23, 2018 6:01 PM
  • ----------BEGIN QUOTE----------

    1). Do we need to enable or install Hyper-V on every machine if we want to use WDAG in an enterprise environment?

    >> You don't have to install the Hyper-V OS component. Application Guard installation will take care of enabling underlying dependencies on Hyper-V and other OS components. That said, please make sure virtualization support is enabled on the device (check BIOS).

    2). What is the way to install Hyper-V and WDAG on all machines?

    >> Explicit Hyper-V installation is not required to use WDAG. For more details on Hyper-V installation, please refer to the following documentation. [Hyper-V Installation]

    ----------END QUOTE----------

    I am not seeing both (1 and 2) behaviors described above in my environment:

    Site: SCCM 1802

    Client: Windows 10 1803

    Hardware: Surface Pro 4 (which means virtualization support is on by default and cannot be turned off, right?)

    Any ideas about how I should attempt to troubleshoot why my SCCM WDAG policy is not turning on Hyper-V and WDAG as features on my Win10 1803 Surface Pro 4?


    Monday, August 27, 2018 6:41 PM
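
Added example (not part of the thread and not Microsoft's code): a PowerShell check that can be run locally on a client to see which of the prerequisites discussed above is missing when WDAG does not turn on. It uses the standard `Windows-Defender-ApplicationGuard` optional-feature name and standard CIM classes; the 64-bit and 4-core thresholds are the ones quoted in the thread, and the function name and output fields are made up for illustration.

```powershell
# Added example: local readiness check for Windows Defender Application Guard (WDAG).
# Run from an elevated PowerShell session; Get-WindowsOptionalFeature requires it.
function Get-WdagReadiness {
    $cs    = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpus  = @(Get-CimInstance -ClassName Win32_Processor)
    $cores = ($cpus | Measure-Object -Property NumberOfCores -Sum).Sum

    # With a hypervisor already running, the firmware flag can read False,
    # so a present hypervisor is accepted as proof that virtualization is on.
    $virtOn = [bool]$cs.HypervisorPresent -or
              [bool]($cpus | Where-Object { $_.VirtualizationFirmwareEnabled })

    # $null here means the edition does not offer the feature
    # or the session is not elevated.
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue
    $state = if ($feature) { [string]$feature.State } else { 'NotAvailable' }

    # Collect every unmet prerequisite instead of stopping at the first one.
    $blockers = @()
    if (-not [Environment]::Is64BitOperatingSystem) { $blockers += 'OS is not 64-bit' }
    if ($cores -lt 4)         { $blockers += "Only $cores CPU cores (4 required)" }
    if (-not $virtOn)         { $blockers += 'Virtualization disabled in firmware' }
    if ($state -ne 'Enabled') { $blockers += "WDAG feature state: $state" }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OsBuild           = (Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
        Is64Bit           = [Environment]::Is64BitOperatingSystem
        CpuCores          = $cores
        HypervisorPresent = [bool]$cs.HypervisorPresent
        VirtualizationOn  = $virtOn
        WdagFeatureState  = $state
        Blockers          = $blockers -join '; '
    }
}

Get-WdagReadiness | Format-List
```

A feature state of `EnablePending` means the feature has been turned on but the machine has not yet rebooted; an empty `Blockers` field means all four checks passed.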