Search This Blog

Wednesday, February 13, 2019

Testing Windows Defender Application Guard on a VM

If you want to test Windows Defender Application Guard your test environment must meet the requirements:

A 64-bit computer with minimum 4 cores (logical processors) with CPU virtualization extension, minimum 8GB RAM and 5 GB free space.

But what if we want to test this on a virtual Windows 10 running on Hyper-v?

When you try to enable Windows Defender Application Guard you might see warnings like these.

Windows Defender Application Guard cannot be installed: The Processor does not have required virtualization capabilities:


Windows Defender Application Guard is not supported on this device configuration:


But we can still test on hyper-V, let me show a working configuration, you will be able to use lower settings, but it order to test this will work:

Use a Generation 2 VM with at least 4 GB RAM:


Use at least 2 virtual processors:


I have TPM and secure boot enabled, but it seems to work without, but enabling both will not hurt:


Then we need to enable nested virtualization on the VM, with PowerShell on the Hyper-v host:

Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true


Next since we do not fulfill the requirements, let’s lower requirements with use of registry settings as explained in the WDAG FAQ:

I have lowered the processor requirement (SpecRequiredProcessorCount) and the memory requirement (SpecRequiredMemoryInGB)




And now we are able to enable Windows Defender Application Guard:


A reboot is required:


We are now ready to test, stay tuned for the next article about Windows Defender Application Guard.

1 comment:

  1. Never thought that Microsoft's built-in app like windows Defender could be useful. However, looks like it is one of the best solutions (also free). Thanks for the guide!