All about Microsoft Intune


This week is back to Windows. This week is all about Microsoft Defender Application Guard (Application Guard). Recently Application Guard functionality was added to Microsoft 365 apps for enterprise and those configuration options recently became available in Microsoft Intune. A good trigger for a new post. Application Guard uses hardware isolation to isolate untrusted sites and untrusted Office files, by running the application in an isolated Hyper-V container. That isolation makes sure that anything that happens within the isolated Hyper-V container stays isolated from the host operating system. That provides an additional security layer. This post will start with a quick introduction to Application Guard, followed by the steps to configure Application Guard by using Microsoft Intune.

Introduction to Microsoft Defender Application Guard

Application Guard itself is not something new. That functionality already existed for Microsoft Edge – even before Edge Chromium – and that functionality is now also added for Microsoft 365 apps for enterprise. Application Guard fits perfectly in the assume breach strategy, as that strategy also means that the next best thing is to contain the damage by protecting the corporate resources and data. That’s why Application Guard fits perfectly, as it can contain the damage within the isolated Hyper-V container. At this moment Application Guard can be used for the following:

  • Microsoft Edge: Application Guard for Microsoft Edge helps isolate any enterprise-defined untrusted sites to make sure that users browse safely on the Internet. An IT administrator can define the trusted websites, cloud resources and internal networks. Everything that is not defined by the IT administrator is considered untrusted. Once the user goes to an untrusted website – any location that’s not defined by the IT administrator – Application Guard will open the website in Microsoft Edge in an isolated Hyper-V container. That makes sure that when the user visits a website that is compromised or malicious, the local device is not affected. It stays contained in the isolated Hyper-V container.

Note: Application Guard is also available as an extension for Google Chrome and Mozilla Firefox. Those extensions, in combination with the Microsoft Defender Application Guard Companion app, provide the Application Guard functionality to those browsers. That makes sure that every untrusted website will open in Application Guard for Microsoft Edge.

  • Microsoft 365 apps for enterprise: Application Guard for Microsoft 365 apps for enterprise helps prevent untrusted Word, PowerPoint and Excel files from accessing trusted resources. Once the user opens an untrusted file – basically any file that would previously have been opened in Protected View – Application Guard will make sure that the file opens in Word, PowerPoint, or Excel in an isolated Hyper-V container. That makes sure that when that file is malicious, the local device is not affected. It stays contained in the isolated Hyper-V container.

Important: Application Guard for Microsoft 365 apps for enterprise requires a Microsoft 365 E5 license or a Microsoft 365 E5 Security license.

Configuration of Microsoft Defender Application Guard with Microsoft Intune

The configuration of Application Guard can actually be performed by using different profiles. One being an Endpoint protection profile and another one being an Apps and browser isolation profile. The latest configuration options for Application Guard are (currently) only available via an Apps and browser isolation profile. That profile type is part of the Attack surface reduction policy, in the Endpoint security node, and includes the configuration options to enable Application Guard for Microsoft Edge and to enable Application Guard for isolated Windows environments. The combination of those configuration options enables Application Guard for Microsoft Edge and any enabled application within Windows. The following eight steps walk through the required steps for configuring Application Guard.

Note: The steps below describe the steps for configuring Application Guard for the currently available technologies, being Microsoft Edge and Microsoft 365 apps for enterprise.

  1. Open the Microsoft Endpoint Manager admin center portal and navigate to Endpoint security > Attack surface reduction to open the Endpoint security | Attack surface reduction blade
  2. On the Endpoint security | Attack surface reduction blade, click Create profile to open the Create a profile page
  3. On the Create a profile page, provide the following information and click Create to open the Create profile wizard
  • Platform: Select Windows 10 and later as value
  • Profile: Select Apps and browser isolation as value
  4. On the Basics page, provide the following information and click Next
  • Name: Provide a name for the profile to distinguish it from other similar profiles
  • Description: (Optional) Provide a description for the profile to further differentiate profiles
  5. On the Configuration settings page (as shown in Figure 1), provide the required configuration for the following settings and click Next
  • Turn on Application Guard: Select Enabled for Edge AND isolated Windows environments as value, to turn on Application Guard for Microsoft Edge and Microsoft Office
    • Clipboard behavior (Microsoft Edge only): Choose the clipboard behavior between the local device and the virtual Microsoft Edge browser
    • Allow camera and microphone access (Microsoft Edge only): Specify if access to the camera and microphone is allowed in the virtual Microsoft Edge browser
    • Block external content from non-enterprise approved sites (Microsoft Edge only): Specify if content from unapproved websites is blocked from loading in the virtual Microsoft Edge browser
    • Collect logs for events that occur within an Application Guard session: Specify whether to collect logs for events that occur within the virtual Microsoft Edge browser
    • Allow user-generated browser data to be saved (Microsoft Edge only): Specify if user data that is created in the virtual Microsoft Edge browser is allowed to be saved
    • Enable hardware graphics acceleration (Microsoft Edge only): Specify if the use of a virtual graphics processing unit is allowed in the virtual Microsoft Edge browser
    • Allow users to download files onto the host (Microsoft Edge only): Specify if downloading files from the virtual Microsoft Edge browser to the local device is allowed
  • Application Guard allow use of Root Certificate Authorities from the user’s device: Specify any required certificate thumbprints to automatically transfer the matching root certificates to the virtual environment
  • Application Guard allow print to local printers: Specify if printing to local printers is allowed in the virtual environment
  • Application Guard allow print to network printers: Specify if printing to network printers is allowed in the virtual environment
  • Application Guard allow print to PDF: Specify if printing to PDF is allowed in the virtual environment
  • Application Guard allow print to XPS: Specify if printing to XPS is allowed in the virtual environment
  • Windows network isolation policy: Specify the Windows network isolation policy to define any trusted locations

Note: The last setting can be used to define which locations are automatically trusted by Application Guard. Any location that is not defined, will automatically be untrusted (see also the user experience section).

Figure 1: Overview of the Apps and browser isolation profile configuration options
  6. On the Scope tags page, configure the required scope tags and click Next
  7. On the Assignments page, configure the assignment to the required users and/or devices and click Next
  8. On the Review + create page, verify the configuration and click Create

User experience with Microsoft Defender Application Guard

Tip: When using a VM for testing Application Guard, make sure that the VM meets the minimal requirements. Also, make sure to configure nested virtualization and, if needed, to bypass the hardware requirements by using the documented registry keys.

A good method to look at the user experience with Application Guard is by visiting different sites in Microsoft Edge. Figure 2 below shows an example. For that example, the IT administrator configured configure.petervanderwoude.nl as a trusted cloud resource in the Windows network isolation policy. That configuration makes sure that every other website will automatically be untrusted and open in an isolated Hyper-V container. Figure 2 shows that the user navigated to bing.com and automatically got redirected to Application Guard for Microsoft Edge (as shown with number 1). That Microsoft Edge browser session is clearly running in a separate instance of Microsoft Edge (as shown with number 2). When the user takes a look in Task Manager, it shows running tasks for Microsoft Defender Application Guard and for a virtual machine.

Similar behavior is also applicable for Google Chrome and Mozilla Firefox, as long as the browser extension and the Microsoft Store app are installed. The user navigates to an untrusted website and the website will be opened in Application Guard for Microsoft Edge.

Note: From an IT administrator perspective, it is also possible to check if Application Guard is enabled by verifying that the Microsoft Defender Application Guard Windows feature is turned on. Besides that simple check, the IT administrator can also check the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin event log for information about the allowapphvsipolicy and the Microsoft-Windows-WDAG-PolicyEvaluator-CSP/Operational event log for information about any policy changes.
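The checks in the note above, scripted as an added example (this is not code from the original post): it reports the state of the Application Guard Windows feature, the Hyper-V capabilities the device exposes, and the recent entries in the two event logs the note names. It assumes an elevated PowerShell session on the enrolled Windows 10 device and that the MDM diagnostics messages for this policy mention "ApplicationGuard" or "AppHVSI" (an assumption used only for the filter).

```powershell
# Added verification script (not from the original post); run elevated on the device.

# 1. Is the Microsoft Defender Application Guard Windows feature turned on?
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
"Application Guard feature state: $($feature.State)"

# 2. Does the device expose the virtualization capabilities the container needs?
#    (the Intune policy cannot take effect on a device that lacks them)
Get-ComputerInfo -Property HyperVRequirementVirtualizationFirmwareEnabled,
                           HyperVRequirementSecondLevelAddressTranslation,
                           CsNumberOfLogicalProcessors,
                           CsTotalPhysicalMemory | Format-List

# 3. MDM diagnostics log: was the Application Guard policy delivered by Intune?
#    The message filter is an assumption about the wording of those events.
Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
             -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ApplicationGuard|AppHVSI' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap -AutoSize

# 4. Policy evaluator log: how the device evaluated the delivered policy
Get-WinEvent -LogName 'Microsoft-Windows-WDAG-PolicyEvaluator-CSP/Operational' `
             -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap -AutoSize
```

An empty result from step 3 or 4 on a freshly assigned device usually just means the policy has not synced yet; trigger a sync from Settings > Accounts > Access work or school and run the script again.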

Figure 2: Example of Application Guard for Edge when browsing

Of course it’s also possible to look at the user experience with Application Guard by opening an untrusted file. An untrusted file is basically any file that would previously have been opened in Protected View. During the startup of the Office app, it will show that the file is being opened in Application Guard. Once the file is opened, it will show the same Application Guard signs as shown with Microsoft Edge. That means a notification on the top right of the screen and a small shield on the app icon in the taskbar.

Note: The Office experience will not happen when the correct license is not in place. In that case a normal Office app will start with a banner regarding Application Guard that states “This feature is enabled but not all requirements are met”.

More information

For more information about Microsoft Defender Application Guard and Microsoft Intune, refer to the following docs.
