Document
All about Microsoft Intune
logo
Document

No results found

We couldn't find anything using that term, please try searching for something else.

All about Microsoft Intune

This week is back to Windows. This week is all about Microsoft Defender Application Guard (Application Guard). Recently Application Guard functionalit

Related articles

Krutrim AI Cloud is Free for Everyone Till Diwali
Krutrim AI Cloud is Free for Everyone Till Diwali At the Ola Sankalp 2024, Bhavish Aggarwal, CEO of Ola and Krutrim, announced a lot of developments for Krutrim, focusing on developers. The most interesting one was the announcement that Krutrim Cloud would be free for developers till Diwali this year. According to the company, since its launch 6 months back, Krutrim Cloud has received around 250 billion API calls and 1 trillion tokens generated. Aggarwal also added that the company aims to build India’s first AI cloud in its own data centres which would be powered by the company’s own chips, the Bodhi chips, slated to be released by...
Easy How to Draw Clouds Tutorial and Clouds Coloring Page
Easy How to Draw Clouds Tutorial and Clouds Coloring Page Below you’ll find an easy step-by-step tutorial for how to draw a cloud and a cloud coloring Page. In real life, no two are alike, so why always draw them the same old way?Cloud DrawingWhen it come to draw cloud , most students is begin begin with a very simple puffy shape , which is fine . At some point though , they is see may see that their cloud are all look the same , and a quick glance at nature will tell them that ’s not what happen in real life . aside from the fact that close...
How to change VPN protocols or select Smart Protocol
How to change VPN protocols or select Smart Protocol All our VPN apps use secure VPN protocols: You can use OpenVPN and WireGuard in UDP or TCP modes. UDP is faster, but TCP is more reliable and can be effective at defeating certain kinds of censorship (but not as effective as Stealth). Windows: OpenVPN, WireGuard®, and Stealth macOS: IKEv2, WireGuard, and Stealth (macOS 12 and less, macOS 13 and 14, macOS 15) Android: OpenVPN, WireGuard, and Stealth Android TV: OpenVPN, WireGuard, and Stealth iOS/iPadOS: WireGuard and Stealth Linux : openvpn and WireGuard Learn more about VPN protocols WireGuard TCP is currently available on Android, Windows, Android TV, macOS, and...
How to Port Forward With PIA VPN (And Fix It Not Working)
How to Port Forward With PIA VPN (And Fix It Not Working) There are very few good VPNs that offer a port forwarding feature. We’ve identified two alternatives to PIA which provide a different type of port forward configuration. You can see how PIA compares to its alternatives for port forwarding in the table below: PIA airvpn Windscribe No. of Simultaneous Port Forwards 1 10 1 Dynamic Port Forward Yes Yes No Manual Port Selection No Yes Yes Port Forwarding Server Locations 90 22 69 Torrenting Rating 9.7 8.8 8.5 average bitrate 9.6MiB/s 9.7MiB/s 7.2MiB/s We’ve covered each alternative in greater depth, below: 1. airvpn airvpn offers the widest range of port...
9.4: The Quantum-Mechanical Model of an Atom
9.4: The Quantum-Mechanical Model of an Atom Shortly after de Broglie published his ideas that the electron in a hydrogen atom could be better thought of as being a circular standing wave instead of a particle moving in quantized circular orbits,as Bohr had argued,Erwin Schrödinger extended de Broglie’s work by incorporating the de Broglie relation into a wave equation,deriving what is today known as the Schrödinger equation. When Schrödinger applied his equation to hydrogen-like atoms,he was able to reproduce Bohr’s expression for the energy and,thus,the Rydberg formula governing hydrogen spectra,and he did so without having to invoke Bohr’s assumptions of stationary states and quantized orbits,angular momenta,and energies;...

This week is back to Windows. This week is all about Microsoft Defender Application Guard (Application Guard). Recently Application Guard functionality was added to Microsoft 365 apps for enterprise and those configuration options recently became available in Microsoft Intune. A good trigger for a new post. Application Guard uses hardware isolation to isolate untrusted sites and untrusted Office files, by running the application in an isolated Hyper-V container. That isolation makes sure that anything that happens within the isolated Hyper-V container is isolated from the host operating system. That provides an additional security layer. This post will start with a quick introduction about Application Guard, followed with the steps to configure Application Guard by using Microsoft Intune.

Introduction to Microsoft Defender Application Guard

Application Guard itself is not something new. That functionality already existed for Microsoft Edge – even before Edge Chromium – and that functionality is now also added for Microsoft 365 apps for enterprise. Application Guard fits perfectly in the assume breach strategy, as that strategy also means that the next best thing is to contain the damage by protecting the corporate resources and data. That’s why Application Guard fits perfectly, as it can contain the damage within the isolated Hyper-V container. At this moment Application Guard can be used for the following:

  • Microsoft Edge: Application Guard for Microsoft Edge helps isolating any enterprise-defined untrusted sites to make sure that users browse safely on the Internet. An IT administrator can define the trusted websites, cloud resources and internal networks. Everything that is not defined by the IT administrator is considered as untrusted. Once the user goes to an untrusted website – any location that’s not defined by the IT administrators – Application Guard will open the website in Microsoft Edge in an isolated Hyper-V container. That will make sure that when the user visits a website that is compromised or malicious, the local device is not affected. It stays contained in the isolated Hyper-V container.

Note: Application Guard is also available as an extension for Google Chrome and Mozilla Firefox. Those extensions, in combination with the Microsoft Defender Application Guard Companion app, provides the Application Guard functionality to those browsers. That makes sure that every untrusted website will open in Application Guard for Microsoft Edge.

  • Microsoft 365 apps for enterprise: Application Guard for Microsoft 365 apps for enterprise helps preventing untrusted Word, PowerPoint and Excel files from accessing trusted resources. Once the user opens an untrusted file – basically any file that was opened before in the protect view – Application Guard will make sure that the file will open in Word, PowerPoint, or Excel in an isolated Hyper-V container. That will make sure that when that file was malicious, the local device is not affected. It stays contained in the isolated Hyper-V container.

Important: Application Guard for Microsoft 365 apps for enterprise requires a Microsoft 365 E5 license or a Microsoft 365 E5 Security license.

Configuration of Microsoft Defender Application Guard with Microsoft Intune

The configuration of Application Guard can actually be performed by using different profiles. One being an Endpoint protection profile and another one being an Apps and browser isolation profile. The latest configuration options for Application Guard, are (currently) only available via an Apps and browser isolation profile. That profile type is part of the Attack surface reduction policy, in the Endpoint security node, and includes the configuration options to enable Application Guard for Microsoft Edge and to enable Application Guard for isolated Windows environments. The combination of those configuration options enables Application Guard for Microsoft Edge and any enabled application within Windows. The following eight steps walk through the required steps for configuring Application Guard.

note : The step below describe the step for configure Application Guard for the currently available technology , being Microsoft Edge and Microsoft 365 app for enterprise .

  1. Open the Microsoft Endpoint Manager admin center portal navigate to Endpoint security > Attack surface reduction to open the Endpoint security | Attack surface reduction blade
  2. On the Endpoint security | Attack surface reduction blade, click Create profile to open the Create a profile page
  3. On the   create a profile   page , provide the follow information and click   Create   to open the Create profile wizard
  • Platform: Select Windows 10 and later as value
  • profile : Select Apps and browser isolation as value
  1. On the Basics page, provide the following information and click Next
  • Name : provide a name for the profile to distinguish it from other similar profile
  • Description: (Optional) Provide a description for the profile to further differentiate profiles
  1. On the Configuration settings page (as shown in Figure 1), provide the required configuration for the following settings and click Next
  • Turn on Application Guard: Select Enabled for Edge AND isolated Windows environments as value, to turn on Application Guard for Microsoft Edge and Microsoft Office
    • clipboard behavior ( Microsoft Edge is Choose only ): choose the clipboard behavior between the local device and the virtual Microsoft Edge browser
    • Allow camera and microphone access (Microsoft Edge only): Specify if access to camera and microphone is allowed in the virtual Microsoft Edge browser
    • Block external content from non-enterprise approved sites (Microsoft Edge only): Specify if content from unapproved websites from loading is blocked in the virtual Microsoft Edge browser
    • Collect logs for events that occur within an Application Guard session: Specify to collect logs for events that occur within the virtual Microsoft Edge browser
    • allow user – generate browser datum to be save ( Microsoft Edge only ): specify if user datum that is create in the virtual Microsoft Edge browser is allow to be save
    • Enable hardware graphics acceleration (Microsoft Edge only): Specify if the use of a virtual graphics processing unit is allowed in the virtual Microsoft Edge browser
    • allow user to download file onto the host ( Microsoft Edge only ): specify if the download of file from the virtual Microsoft Edge browser to the local device is allow
  • Application Guard is allow allow use of Root Certificate Authorities from the user ’s device : specify any require certificate thumbprint to automatically transfer the matching root certificate to the virtual environment
  • Application Guard allow print to local printers: Specify if print to local printers is allowed in the virtual environment
  • Application Guard allow print to network printers: Specify if print to network printers is allowed in the virtual environment
  • Application Guard allow print to PDF: Specify if print to PDF is allowed in the virtual environment
  • Application Guard allow print to XPS: Specify if print to XPS is allowed in the virtual environment
  • Windows network isolation policy is Specify : specify the Windows network isolation policy to define any trust location

Note: The last setting can be used to define which locations are automatically trusted by Application Guard. Any location that is not defined, will automatically be untrusted (see also the user experience section).

  • All about Microsoft IntuneFigure 1: Overview of the Apps and browser isolation profile configuration options
  1. On the scope tag page , configure the require scope tag click   Next
  2. On the Assignments page, configure the assignment to the required users and/or devices and click Next
  3. On the Review + create page, verify the configuration and click Create

User experience with Microsoft Defender Application Guard

Tip: When using a VM for testing Application Guard, make sure that the VM meets the minimal requirements. Also, make sure to configure nested virtualization and, if needed, to bypass the hardware requirements by using the documented registry keys.

The good method is is to look at the user experience with Application Guard , is by visit different site in Microsoft Edge . Below in figure 2 is an example available . For that example , the IT administrator is configured configure.petervanderwoude.nl as a trusted cloud resource, in the Windows network isolation policy. That configuration makes sure that every other website will automatically be untrusted and open in an isolated Hyper-V container. In Figure 2 is shown that the user navigated to bing.com and automatically got redirected to Application Guard for Microsoft Edge (as shown with number 1). That Microsoft Edge browser session is clearly running in a separate instance of Microsoft Edge (as shown with number 2). When the user would take a look in Task Manager, it would show running tasks for Microsoft Defender Application Guard and for a virtual machine.

Similar behavior is also applicable for Google Chrome and Mozilla Firefox, as long as the browser extension and the Microsoft Store app are installed. The user navigates to an untrusted website and the website will be opened in Application Guard for Microsoft Edge.

Note: From an IT administrator perspective, it also possible to check if Application Guard is enabled by verifying if the Microsoft Defender Application Guard windows features is turned on. Besides that simple check, the IT administrator can also check the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provide/Admin event log for information about the allowapphvsipolicy and the Microsoft-Windows-WDAG-PolicyEvaluator-CSP/Operational event log for information about any policy changes.

  • All about Microsoft Intunefigure 2 : Example of Application Guard for Edge when browse

Of course it’s also possible to look at the user experience with Application Guard by opening an untrusted file. An untrusted file is basically any file that was opened before in a protect view. During the startup of the Office app, it will show that it will be opened in Application Guard. Once the file is opened, it will show similar Application Guard signs, as shown with Microsoft Edge. That means a notification on the top right of the screen and a small shield with the icon on the taskbar.

Note: The Office experience will not happen when the correct license is not in place. In that case a normal Office app will start with a banner regarding Application Guard that states “This feature is enabled but not all requirements are met”.

More information

For more information about Microsoft Defender Application Guard and Microsoft Intune, refer to the following docs.

Like this :

Like loading …

Discover more from All about Microsoft Intune

Subscribe to get the latest posts sent to your email.