Drew Robinson's Blog

Azure, Powershell and Security things

WDAGUtilityAccount

If you see an alert in your log solution for a new local account created for username: WDAGUtilityAccount (event id 4720 or 4722).

This account is part of Windows Defender Application Guard which is included with RS3 (aka windows 10 fall update). The account is disabled also WDAG is not enabled.

Basically you have user enrolled in the Windows 10 insider program and their box was updated with a new build that includes the WDAG bits.

More on this coming later.