Move MDAG
@ -0,0 +1,18 @@
- name: Microsoft Defender Application Guard
href: md-app-guard-overview.md
items:
- name: System requirements
href: reqs-md-app-guard.md
- name: Install Application Guard
href: install-md-app-guard.md
- name: Configure Application Guard policies
href: configure-md-app-guard.md
- name: Test scenarios
href: test-scenarios-md-app-guard.md
- name: Microsoft Defender Application Guard Extension
href: md-app-guard-browser-extension.md
- name: Application Guard FAQ
href: faq-md-app-guard.yml
- name: Windows security
href: /windows/security/

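Review bot: the final TOC entry (`- name: Windows security` / `href: /windows/security/`) is an absolute link out of this folder, unlike the relative hrefs of the entries above it; confirm it is meant as a top-level back link rather than a child of the Application Guard `items:` list, since the rendering here does not show the nesting.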
@ -0,0 +1,77 @@
---
title: Configure the Group Policy settings for Microsoft Defender Application Guard
description: Learn about the available Group Policy settings for Microsoft Defender Application Guard.
ms.prod: windows-client
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 08/22/2022
ms.reviewer:
manager: aaroncz
ms.custom: sasr
ms.technology: itpro-security
ms.topic: how-to
---

# Configure Microsoft Defender Application Guard policy settings

**Applies to:**

- Windows 10
- Windows 11

Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain.

Application Guard uses both network isolation and application-specific settings.

[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management](../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-enterprise-mode-and-enterprise-management.md)]

For more information about Microsoft Defender Application Guard (MDAG) for Edge in stand-alone mode, see [Microsoft Defender Application Guard overview](md-app-guard-overview.md).

## Network isolation settings

These settings, located at `Computer Configuration\Administrative Templates\Network\Network Isolation`, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.

> [!NOTE]
> For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you don't need to configure network isolation policy to enable Application Guard for Microsoft Edge in managed mode.

> [!NOTE]
> You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the **Domains categorized as both work and personal** policy.

|Policy name|Supported versions|Description|
|-----------|------------------|-----------|
|Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT| A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
|Enterprise resource domains hosted in the cloud| At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (`|`) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. <p>This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|
|Domains categorized as both work and personal| At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Edge environment. <p>This list supports the wildcards detailed in the [Network isolation settings wildcards](#network-isolation-settings-wildcards) table.|

## Network isolation settings wildcards

|Value|Number of dots to the left|Meaning|
|-----|--------------------------|-------|
|`contoso.com`|0|Trust only the literal value of `contoso.com`.|
|`www.contoso.com`|0|Trust only the literal value of `www.contoso.com`.|
|`.contoso.com`|1|Trust any domain that ends with the text `contoso.com`. Matching sites include `spearphishingcontoso.com`, `contoso.com`, and `www.contoso.com`.|
|`..contoso.com`|2|Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include `shop.contoso.com`, `us.shop.contoso.com`, `www.us.shop.contoso.com`, but NOT `contoso.com` itself.|

## Application-specific settings
These settings, located at `Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard`, can help you to manage your organization's implementation of Application Guard.

|Name|Supported versions|Description|Options|
|-----------|------------------|-----------|-------|
|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:<br/>- Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<p>**Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.|
|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office. <br/><br/>**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher<p>Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<p>Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher<p>Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.<p>**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
## Application Guard support dialog settings

These settings are located at `Administrative Templates\Windows Components\Windows Security\Enterprise Customization`. If an error is encountered, you're presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it's possible to provide additional information in the dialog box.

[Use Group Policy to enable and customize contact information](/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information#use-group-policy-to-enable-and-customize-contact-information).
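Review bot: the `.contoso.com` row of the wildcards table describes a plain string-suffix match (its own example lists `spearphishingcontoso.com` as a matching site) but carries no caution, so a reader skimming for "trust my subdomains" will pick the form that also trusts lookalike domains; add a sentence to that row saying a single leading dot matches any name ending in the text `contoso.com` and that `..contoso.com` is the form for subdomains, which is what the FAQ's "How do I trust a subdomain" answer already explains. Two markdown layout issues in the same file: the paragraph after `## Application-specific settings` and the `## Application Guard support dialog settings` heading after the last table row both lack the blank line that separates them from their neighbours, so the heading and the table end may not render. Minor: the Allow Persistence row says "navigate to `Windows/System32`" with a forward slash where every other path in the file uses backslashes, and the KB5014666/KB5014668 note is stated twice (network isolation note and Managed Mode row), so one copy can point to the other.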
@ -0,0 +1,242 @@
### YamlMime:FAQ
metadata:
title: FAQ - Microsoft Defender Application Guard (Windows 10)
description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
ms.prod: windows-client
ms.technology: itpro-security
author: vinaypamnani-msft
ms.author: vinpa
ms.reviewer:
manager: aaroncz
ms.custom: asr
ms.topic: faq
ms.date: 12/31/2017
title: Frequently asked questions - Microsoft Defender Application Guard
summary: |


This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.

## Frequently Asked Questions

sections:
- name: Frequently Asked Questions
questions:
- question: |
Can I enable Application Guard on machines equipped with 4-GB RAM?
answer: |
We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.

`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)

`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)

`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)

- question: |
My network configuration uses a proxy and I’m running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that?
answer: |
The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements.

To ensure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can:

- Verify this addition by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral.”
- It must be an FQDN. A simple IP address won't work.
- Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.

- question: |
How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
answer: |
Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This annotation applies to Windows 10 Enterprise edition, version 1709 or higher. These annotations would be for the proxy policies under Network Isolation in Group Policy or Intune.

- question: |
Which Input Method Editors (IME) in 19H1 aren't supported?
answer: |
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:

- Vietnam Telex keyboard
- Vietnam number key-based keyboard
- Hindi phonetic keyboard
- Bangla phonetic keyboard
- Marathi phonetic keyboard
- Telugu phonetic keyboard
- Tamil phonetic keyboard
- Kannada phonetic keyboard
- Malayalam phonetic keyboard
- Gujarati phonetic keyboard
- Odia phonetic keyboard
- Punjabi phonetic keyboard

- question: |
I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
answer: |
This feature is currently experimental only and isn't functional without an extra registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.

- question: |
What is the WDAGUtilityAccount local account?
answer: |
WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It's NOT a malicious account. It requires *Logon as a service* permissions to be able to function correctly. If this permission is denied, you might see the following error:

**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**

- question: |
How do I trust a subdomain in my site list?
answer: |
To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). These two dots prevent sites such as `fakesitecontoso.com` from being trusted.

- question: |
Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
answer: |
When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode doesn't. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).

- question: |
Is there a size limit to the domain lists that I need to configure?
answer: |
Yes, both the Enterprise Resource domains that are hosted in the cloud and the domains that are categorized as both work and personal have a 1,6383-byte limit.

- question: |
Why does my encryption driver break Microsoft Defender Application Guard?
answer: |
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).

- question: |
Why do the Network Isolation policies in Group Policy and CSP look different?
answer: |
There's not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.

- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources**

- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)**

- For EnterpriseNetworkDomainNames, there's no mapped CSP policy.

Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).

- question: |
Why did Application Guard stop working after I turned off hyperthreading?
answer: |
If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there's a possibility Application Guard no longer meets the minimum requirements.

- question: |
Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
answer: |
Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.

- question: |
Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
answer: |
This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:

- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md)
- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)

### First rule (DHCP Server)
- Program path: `%SystemRoot%\System32\svchost.exe`

- Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))`

- Protocol UDP

- Port 67

### Second rule (DHCP Client)
This rule is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps:

1. Right-click on inbound rules, and then create a new rule.

2. Choose **custom rule**.

3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`.

4. Specify the following settings:
- Protocol Type: UDP
- Specific ports: 67
- Remote port: any

5. Specify any IP addresses.

6. Allow the connection.

7. Specify to use all profiles.

8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.

9. In the **Programs and services** tab, under the **Services** section, select **settings**.

10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.

- question: |
How can I disable portions of Internet Connection Service (ICS) without breaking Application Guard?
answer: |
ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We don't recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.

1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.

2. Disable IpNat.sys from ICS load as follows: <br/>
`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`

3. Configure ICS (SharedAccess) to be enabled as follows: <br/>
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`

4. (This step is optional) Disable IPNAT as follows: <br/>
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`

5. Reboot the device.

- question: |
Why doesn't the container fully load when device control policies are enabled?
answer: |
Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly.

Policy: Allow installation of devices that match any of the following device IDs:

- `SCSI\DiskMsft____Virtual_Disk____`
- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
- `VMS_VSF`
- `root\Vpcivsp`
- `root\VMBus`
- `vms_mp`
- `VMS_VSP`
- `ROOT\VKRNLINTVSP`
- `ROOT\VID`
- `root\storvsp`
- `vms_vsmp`
- `VMS_PP`

Policy: Allow installation of devices using drivers that match these device setup classes
- `{71a27cdd-812a-11d0-bec7-08002be2092f}`

- question: |
I'm encountering TCP fragmentation issues, and can't enable my VPN connection. How do I fix this issue?
answer: |
WinNAT drops ICMP/UDP messages with packets greater than MTU when using Default Switch or Docker NAT network. Support for this solution has been added in [KB4571744](https://www.catalog.update.microsoft.com/Search.aspx?q=4571744). To fix the issue, install the update and enable the fix by following these steps:

1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`.

2. Reboot the device.

- question: |
What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do?
answer: |
This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office.

- question: |
How do I open a support ticket for Microsoft Defender Application Guard?
answer: |
- Visit [Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create).
- Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**.

- question: |
Is there a way to enable or disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site?
answer: |
Yes. Use this Edge flag to enable or disable this behavior: `--disable-features="msWdagAutoCloseNavigatedTabs"`

additionalContent: |

## See also

[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)
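Review bot: the answer to "Why do the Network Isolation policies in Group Policy and CSP look different?" ends with a paragraph about the VHD mount and **0x80070013 ERROR_WRITE_PROTECT** that is a verbatim copy of the encryption-driver answer immediately above it and has nothing to do with CSP/GP mapping; delete that paragraph. Within the same answer, the third bullet says "For EnterpriseNetworkDomainNames, there's no mapped CSP policy" while the bullet before it names EnterpriseNetworkDomainNames as a CSP policy; the intended statement is presumably that it has no mapped GP policy. In the ERR_NAME_NOT_RESOLVED answer, "Second rule (DHCP Client)" is introduced as "scoped to local port 68" but step 4 beneath it lists "Specific ports: 67", so one of the two values is wrong. The size-limit answer's "1,6383-byte limit" is not a well-formed number (likely 16,383; please confirm against the policy definition). The same Windows service is named three ways: "Internet Connection Service (SharedAccess)", "Internet Connection Sharing (ICS) Shared Access" and "Internet Connection Service (ICS)"; ICS stands for Internet Connection Sharing, so use that consistently. Finally, step 2 of the ICS answer gives `System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat` without the `HKEY_LOCAL_MACHINE` hive that steps 3 and 4 include.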
@ -0,0 +1,112 @@
|
||||
---
|
||||
title: Enable hardware-based isolation for Microsoft Edge
|
||||
description: Learn about the Microsoft Defender Application Guard modes (Standalone or Enterprise-managed), and how to install Application Guard in your enterprise.
|
||||
ms.prod: windows-client
|
||||
ms.localizationpriority: medium
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.date: 11/30/2022
|
||||
ms.reviewer:
|
||||
manager: aaroncz
|
||||
ms.custom: asr
|
||||
ms.technology: itpro-security
|
||||
appliesto:
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 10</a>
|
||||
- ✅ <a href="https://learn.microsoft.com/windows/release-health/supported-versions-windows-client" target="_blank">Windows 11</a>
|
||||
ms.collection:
|
||||
- highpri
|
||||
- tier2
|
||||
ms.topic: how-to
|
||||
---
|
||||
|
||||
# Prepare to install Microsoft Defender Application Guard
|
||||
|
||||
Before you continue, review [System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) to review the hardware and software installation requirements for Microsoft Defender Application Guard.
|
||||
|
||||
> [!NOTE]
|
||||
> Microsoft Defender Application Guard is not supported on VMs and VDI environment. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host.
|
||||
|
||||
## Prepare for Microsoft Defender Application Guard
|
||||
|
||||
Before you can install and use Microsoft Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.
|
||||
|
||||
### Standalone mode
|
||||
|
||||
Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the [Application Guard in standalone mode](test-scenarios-md-app-guard.md) testing scenario.
|
||||
|
||||
Standalone mode is applicable for:
|
||||
|
||||
- Windows 10 Enterprise edition, version 1709 and later
|
||||
- Windows 10 Pro edition, version 1803 and later
|
||||
- Windows 11 and later
|
||||
|
||||
## Enterprise-managed mode
|
||||
|
||||
You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container.
Enterprise-managed mode is applicable for:
- Windows 10 Enterprise edition, version 1709 and later
- Windows 11 and later
The following diagram shows the flow between the host PC and the isolated container.

## Install Application Guard
Application Guard functionality is turned off by default. However, you can quickly install it on your employee's devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.
### Install from Control Panel
1. Open the **Control Panel**, select **Programs,** and then select **Turn Windows features on or off**.

1. Select the check box next to **Microsoft Defender Application Guard** and then select **OK** to install Application Guard and its underlying dependencies.
### Install from PowerShell
> [!NOTE]
> Ensure your devices have met all system requirements prior to this step. PowerShell will install the feature without checking system requirements. If your devices don't meet the system requirements, Application Guard may not work. This step is recommended for enterprise managed scenarios only.
1. Select the **Search** icon in the Windows taskbar and type **PowerShell**.
1. Right-click **Windows PowerShell**, and then select **Run as administrator** to open Windows PowerShell with administrator credentials.
1. Type the following command:
```powershell
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
```
1. Restart the device to install Application Guard and its underlying dependencies.
### Install from Intune
> [!IMPORTANT]
> Make sure your organization's devices meet [requirements](reqs-md-app-guard.md) and are [enrolled in Intune](/mem/intune/enrollment/device-enrollment).
1. Sign in to the [Microsoft Intune admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
1. Select **Endpoint security** > **Attack surface reduction** > **Create Policy**, and do the following:
- In the **Platform** list, select **Windows 10 and later**.
- In the **Profile** type, select **App and browser isolation**.
- Select **Create**.
1. In the **Basics** tab, specify the **Name** and **Description** for the policy. Select **Next**.
1. In the **Configuration settings** tab, configure the **Application Guard** settings, as desired. Select **Next**.
1. In the **Scope tags** tab, if your organization is using scope tags, choose **+ Select scope tags**, and then select the tags you want to use. Select **Next**.
To learn more about scope tags, see [Use role-based access control (RBAC) and scope tags for distributed IT](/mem/intune/fundamentals/scope-tags).
1. In the **Assignments** page, select the users or groups that will receive the policy. Select **Next**.
To learn more about assigning policies, see [Assign policies in Microsoft Intune](/mem/intune/configuration/device-profile-assign).
1. Review your settings, and then select **Create**.
After the policy is created, any devices to which the policy should apply will have Microsoft Defender Application Guard enabled. Users might have to restart their devices in order for protection to be in place.
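Review bot: the heading levels in this file are inconsistent: `### Standalone mode` is nested under `## Prepare for Microsoft Defender Application Guard`, but the sibling section is `## Enterprise-managed mode` at one level higher; make both `###` so the two modes read as alternatives under Prepare. In the Intune steps, the paragraphs `To learn more about scope tags, see ...` and `To learn more about assigning policies, see ...` sit unindented between `1.` items, which terminates the auto-numbered list and restarts numbering at the next step; indent them under the step they belong to. Also the note `you may enable WDAG on a VM` uses the old WDAG abbreviation while the rest of the file says Application Guard (the requirements file in this same change says MDAG); pick one.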
@ -0,0 +1,99 @@
---
title: Microsoft Defender Application Guard Extension
description: Learn about the Microsoft Defender Application Guard browser extension, which extends Application Guard's protection to more web browsers.
ms.prod: windows-client
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 09/09/2021
ms.reviewer:
manager: aaroncz
ms.custom: asr
ms.technology: itpro-security
ms.topic: conceptual
---
# Microsoft Defender Application Guard Extension
**Applies to:**
- Windows 10
- Windows 11
[Microsoft Defender Application Guard Extension](https://www.microsoft.com/security/blog/2019/05/23/new-browser-extensions-for-integrating-microsofts-hardware-based-isolation/) is a web browser add-on available for [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
[Microsoft Defender Application Guard](md-app-guard-overview.md) provides Hyper-V isolation on Windows 10 and Windows 11, to protect users from potentially harmful content on the web. The extension helps Application Guard protect users running other web browsers.
> [!TIP]
> Application Guard, by default, offers [native support](/deployedge/microsoft-edge-security-windows-defender-application-guard) to both Microsoft Edge and Internet Explorer. These browsers do not need the extension described here for Application Guard to protect them.
Microsoft Defender Application Guard Extension defends devices in your organization from advanced attacks, by redirecting untrusted websites to an isolated version of [Microsoft Edge](https://www.microsoft.com/edge). If an untrusted website turns out to be malicious, it remains within Application Guard's secure container, keeping the device protected.
## Prerequisites
Microsoft Defender Application Guard Extension works with the following editions of Windows 10, version 1803 or later:
- Windows 10 Professional
- Windows 10 Enterprise
- Windows 10 Education
- Windows 11
Application Guard itself is required for the extension to work. It has its own set of [requirements](reqs-md-app-guard.md). Check the Application Guard [installation guide](install-md-app-guard.md) for further steps, if you don't have it installed already.
## Installing the extension
Application Guard can be run under [managed mode](install-md-app-guard.md#enterprise-managed-mode) or [standalone mode](install-md-app-guard.md#standalone-mode). The main difference between the two modes is whether policies have been set to define the organization's boundaries.
Enterprise administrators running Application Guard under managed mode should first define Application Guard's [network isolation settings](configure-md-app-guard.md#network-isolation-settings), so a set of enterprise sites is already in place.
From there, the steps for installing the extension are similar whether Application Guard is running in managed or standalone mode.
1. On the local device, download and install the Application Guard extension for Google [Chrome](https://chrome.google.com/webstore/detail/application-guard-extensi/mfjnknhkkiafjajicegabkbimfhplplj/) and/or Mozilla [Firefox](https://addons.mozilla.org/en-US/firefox/addon/application-guard-extension/).
1. Install the [Microsoft Defender Application Guard companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8#activetab=pivot:overviewtab) from the Microsoft Store. This companion app enables Application Guard to work with web browsers other than Microsoft Edge or Internet Explorer.
1. Restart the device.
### Recommended browser group policies
Both Chrome and Firefox have their own browser-specific group policies. We recommend that admins use the following policy settings.
#### Chrome policies
These policies can be found along the filepath, `Software\Policies\Google\Chrome\`, with each policy name corresponding to the file name. For example, `IncognitoModeAvailability` is located at `Software\Policies\Google\Chrome\IncognitoModeAvailability`.
Policy name | Values | Recommended setting | Reason
-|-|-|-
[IncognitoModeAvailability](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=IncognitoModeAvailability) | `0` = Enabled <br /> `1` = Disabled <br /> `2` = Forces pages to only open in Incognito mode | Disabled | This policy allows users to start Chrome in Incognito mode. In this mode, all extensions are turned off by default.
[BrowserGuestModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BrowserGuestModeEnabled) | `false` or `0` = Disabled <br /> `true`, `1`, or not configured = Enabled | Disabled | This policy allows users to sign in as *Guest*, which opens a session in Incognito mode. In this mode, all extensions are turned off by default.
[BackgroundModeEnabled](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=BackgroundModeEnabled) | `false` or `0` = Disabled <br /> `true` or `1` = Enabled <br /> <br /> **Note:** If this policy isn't set, the user can enable or disable background mode through local browser settings. | Enabled | This policy keeps Chrome running in the background, ensuring that navigation is always passed to the extension.
[ExtensionSettings](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) | This policy accepts a dictionary that configures multiple other management settings for Chrome. See the [Google Cloud documentation](https://cloud.google.com/docs/chrome-enterprise/policies/?policy=ExtensionSettings) for complete schema. | Include an entry for `force_installed` | This policy prevents users from manually removing the extension.
#### Firefox policies
These policies can be found along the filepath, `Software\Policies\Mozilla\Firefox\`, with each policy name corresponding to the file name. Foe example, `DisableSafeMode` is located at `Software\Policies\Mozilla\Firefox\DisableSafeMode`.
Policy name | Values | Recommended setting | Reason
-|-|-|-
[DisableSafeMode](https://github.com/mozilla/policy-templates/blob/master/README.md#DisableSafeMode) | `false` or `0` = Safe mode is enabled <br /> `true` or `1` = Safe mode is disabled | The policy is enabled and Safe mode isn't allowed to run. | Safe mode can allow users to circumvent Application Guard
[BlockAboutConfig](https://github.com/mozilla/policy-templates/blob/master/README.md#BlockAboutConfig) | `false` or `0` = User access to `about:config` is allowed <br /> `true` or `1` = User access to `about:config` isn't allowed | The policy is enabled and access to `about:config` isn't allowed. | `About:config` is a special page within Firefox that offers control over many settings that may compromise security
[Extensions - Locked](https://github.com/mozilla/policy-templates/blob/master/README.md#Extensions) | This setting accepts a list of UUIDs for extensions. You can find these extensions by searching `extensions.webextensions.uuids` within the `about:config` page) | Software\Policies\Mozilla\Firefox\Extensions\Locked\1 = "`ApplicationGuardRel@microsoft.com`" | This setting allows you to lock the extension, so the user can't disable or uninstall it.
## Troubleshooting guide
<!-- The in-line HTML in the following table is less than ideal, but MarkDown tables break if \r or \n characters are used within table cells -->
Error message | Cause | Actions
-|-|-
Application Guard undetermined state | The extension was unable to communicate with the companion app during the last information request. | 1. Install the [companion app](https://www.microsoft.com/p/windows-defender-application-guard-companion/9n8gnlc8z9c8?activetab=pivot:overviewtab) and reboot</br> 2. If the companion app is already installed, reboot and see if that resolves the error</br> 3. If you still see the error after rebooting, uninstall and reinstall the companion app</br> 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
ExceptionThrown | An unexpected exception was thrown. | 1. [File a bug](https://aka.ms/wdag-fb) </br> 2. Retry the operation
Failed to determine if Application Guard is enabled | The extension was able to communicate with the companion app, but the information request failed in the app. | 1. Restart the browser </br> 2. Check for updates in both the Microsoft store and the respective web store for the affected browser
Launch in WDAG failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running. | 1. Make sure the companion app is installed </br> 2. If the companion app is installed, reboot and see if that resolves the error </br> 3. If you still see the error after rebooting, uninstall and reinstall the companion app </br> 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
Main page navigation caught an unexpected error | An unexpected exception was thrown during the main page navigation. | 1. [File a bug](https://aka.ms/wdag-fb) </br> 2. Retry the operation
Process trust response failed with a companion communication error | The extension couldn't talk to the companion app, but was able to at the beginning of the session. This error can be caused by the companion app being uninstalled while Chrome was running.| 1. Make sure the companion app is installed. </br> 2. If the companion app is installed, reboot and see if that resolves the error </br> 3. If you still see the error after rebooting, uninstall and reinstall the companion app </br> 4. Check for updates in both the Microsoft store and the respective web store for the affected browser
Protocol out of sync | The extension and native app can't communicate with each other. This error is likely caused by one being updated without supporting the protocol of the other. | Check for updates in both the Microsoft store, and the web store for the affected browser
Security patch level doesn't match | Microsoft determined that there was a security issue with either the extension or the companion app, and has issued a mandatory update. | Check for updates in both the Microsoft store, and the web store for the affected browser
Unexpected response while processing trusted state | The extension was able to communicate with the companion app, but the API failed and a failure response code was sent back to the extension. | 1. [File a bug](https://aka.ms/wdag-fb) </br> 2. Check if Microsoft Edge is working </br> 3. Retry the operation
## Related articles
- [Microsoft Defender Application Guard overview](md-app-guard-overview.md)
- [Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)
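Review bot: `These policies can be found along the filepath, Software\Policies\Google\Chrome\, with each policy name corresponding to the file name` describes registry keys, not files: the Chrome and Firefox ADMX policies are written under `HKLM\Software\Policies\...` (or HKCU), and each policy is a value name under that key, so `filepath` and `file name` should read `registry path` and `value name`. The same sentence in the Firefox section has the additional typo `Foe example`. In the `Extensions - Locked` row, the Values cell closes a parenthesis that was never opened (`...within the about:config page)`). Minor: the troubleshooting table uses `</br>` while the policy tables use `<br />`; the comment above it already acknowledges the inline HTML, so at least make the tag consistent.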
@ -0,0 +1,66 @@
---
title: Microsoft Defender Application Guard
description: Learn about Microsoft Defender Application Guard and how it helps combat malicious content and malware out on the Internet.
ms.prod: windows-client
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 05/01/2023
ms.reviewer:
manager: aaroncz
ms.custom: asr
ms.technology: itpro-security
ms.collection:
- highpri
- tier2
ms.topic: conceptual
---
# Microsoft Defender Application Guard overview
**Applies to**
- Windows 10
- Windows 11
Microsoft Defender Application Guard (MDAG) is designed to help prevent old and newly emerging attacks to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.
## What is Application Guard and how does it work?
For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container.
For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.

### What types of devices should use Application Guard?
Application Guard has been created to target several types of devices:
- **Enterprise desktops**. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
- **Enterprise mobile laptops**. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
- **Bring your own device (BYOD) mobile laptops**. These personally owned laptops aren't domain-joined, but are managed by your organization through tools, such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
- **Personal devices**. These personally owned desktops or mobile laptops aren't domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.
[!INCLUDE [microsoft-defender-application-guard-mdag-for-edge-standalone-mode](../../../../includes/licensing/microsoft-defender-application-guard-mdag-for-edge-standalone-mode.md)]
For more information about Microsoft Defender Application Guard (MDAG) for Edge enterprise mode, [Configure Microsoft Defender Application Guard policy settings.](configure-md-app-guard.md)
## Related articles
|Article |Description |
|:------|:------------|
|[System requirements for Microsoft Defender Application Guard](reqs-md-app-guard.md) |Specifies the prerequisites necessary to install and use Application Guard.|
|[Prepare and install Microsoft Defender Application Guard](install-md-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization.|
|[Configure the Group Policy settings for Microsoft Defender Application Guard](configure-md-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
|[Testing scenarios using Microsoft Defender Application Guard in your business or organization](test-scenarios-md-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization.|
| [Microsoft Defender Application Guard Extension for web browsers](md-app-guard-browser-extension.md) | Describes the Application Guard extension for Chrome and Firefox, including known issues, and a troubleshooting guide |
| [Microsoft Defender Application Guard for Microsoft Office](/microsoft-365/security/office-365-security/install-app-guard) | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide |
|[Frequently asked questions - Microsoft Defender Application Guard](faq-md-app-guard.yml)|Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration.|
|[Use a network boundary to add trusted sites on Windows devices in Microsoft Intune](/mem/intune/configuration/network-boundary-windows)|Network boundary, a feature that helps you protect your environment from sites that aren't trusted by your organization.|
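Review bot: grammar in the Office paragraph: `Application Guard helps prevents untrusted Word, PowerPoint and Excel files` should be `helps prevent`, and the closing sentence `For more information about Microsoft Defender Application Guard (MDAG) for Edge enterprise mode, [Configure ...]` is missing `see` before the link. In the related-articles table, the rows for the browser extension and for Microsoft Office start with `| [` (leading space) and end without a period, unlike the other rows; align them with the rest of the table.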
@ -0,0 +1,50 @@
---
title: System requirements for Microsoft Defender Application Guard
description: Learn about the system requirements for installing and running Microsoft Defender Application Guard.
ms.prod: windows-client
ms.technology: itpro-security
ms.topic: overview
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
ms.date: 08/25/2022
ms.reviewer: sazankha
manager: aaroncz
---
# System requirements for Microsoft Defender Application Guard
**Applies to**
- Windows 10 Education, Enterprise, and Professional
- Windows 11 Education, Enterprise, and Professional
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Microsoft Defender Application Guard is designed to help prevent old, and newly emerging attacks, to help keep employees productive.
> [!NOTE]
> Given the technological complexity, the security promise of Microsoft Defender Application Guard (MDAG) may not hold true on VMs and in VDI environments. Hence, MDAG is currently not officially supported on VMs and in VDI environments. However, for testing and automation purposes on non-production machines, you may enable MDAG on a VM by enabling Hyper-V nested virtualization on the host.
## Hardware requirements
Your environment must have the following hardware to run Microsoft Defender Application Guard.
> [!NOTE]
> Application Guard currently isn't supported on Windows 11 ARM64 devices.
| Hardware | Description |
|--------|-----------|
| 64-bit CPU|A 64-bit computer with minimum four cores (logical processors) is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](/virtualization/hyper-v-on-windows/reference/tlfs).|
| CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_ <p> **AND** <p> One of the following virtualization extensions for VBS:<br/>VT-x (Intel)<br/>**OR**<br/>AMD-V |
| Hardware memory | Microsoft requires a minimum of 8-GB RAM |
| Hard disk | 5-GB free space, solid state disk (SSD) recommended |
| Input/Output Memory Management Unit (IOMMU) support| Not required, but recommended |
## Software requirements
Your environment must have the following software to run Microsoft Defender Application Guard.
| Software | Description |
|--------|-----------|
| Operating system | Windows 10 Enterprise edition, version 1809 or later <br/> Windows 10 Professional edition, version 1809 or later <br/> Windows 10 Professional for Workstations edition, version 1809 or later <br/> Windows 10 Professional Education edition, version 1809 or later <br/> Windows 10 Education edition, version 1809 or later <br/> Windows 11 Education, Enterprise, and Professional editions |
| Browser | Microsoft Edge |
| Management system <br> (only for managed devices)| [Microsoft Intune](/intune/) <p> **OR** <p> [Microsoft Configuration Manager](/configmgr/) <p> **OR** <p> [Group Policy](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753298(v=ws.11)) <p> **OR** <p>Your current, company-wide, non-Microsoft mobile device management (MDM) solution. For info about non-Microsoft MDM solutions, see the documentation that came with your product. |
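Review bot: the minimum OS versions in the software table (`Windows 10 Enterprise edition, version 1809 or later`, `Windows 10 Professional edition, version 1809 or later`) disagree with the install page added in this same change, which lists Standalone mode for Enterprise 1709+ and Pro 1803+ and Enterprise-managed mode for Enterprise 1709+, and with the extension page's `Windows 10, version 1803 or later`; settle on one set of minimums here and have the other two files point at this table instead of restating numbers. Minor: `8-GB RAM` and `5-GB free space` don't take a hyphen (`8 GB`, `5 GB`), and the hardware table's first cell `| 64-bit CPU|` is missing the space before the pipe that the other rows have.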
@ -0,0 +1,249 @@
---
title: Testing scenarios with Microsoft Defender Application Guard
description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
ms.prod: windows-client
ms.technology: itpro-security
ms.localizationpriority: medium
author: vinaypamnani-msft
ms.author: vinpa
ms.reviewer: sazankha
manager: aaroncz
ms.date: 09/23/2022
ms.custom: asr
ms.topic: conceptual
---
# Application Guard testing scenarios
**Applies to:**
- Windows 10
- Windows 11
We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
## Application Guard in standalone mode
You can see how an employee would use standalone mode with Application Guard.
### To test Application Guard in Standalone mode
1. [Install Application Guard](install-md-app-guard.md).
2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu.

3. Wait for Application Guard to set up the isolated environment.
>[!NOTE]
>Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays.
4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.

## Application Guard in Enterprise-managed mode
How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode.
### Install, set up, and turn on Application Guard
Before you can use Application Guard in managed mode, you must install Windows 10 Enterprise edition, version 1709, and Windows 11 which includes the functionality. Then, you must use Group Policy to set up the required settings.
1. [Install Application Guard](install-md-app-guard.md#install-application-guard).
2. Restart the device, and then start Microsoft Edge.
3. Set up the Network Isolation settings in Group Policy:
a. Select the **Windows** icon, type `Group Policy`, and then select **Edit Group Policy**.
b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.
c. For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box.

d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting.
e. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box.

4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting.
5. Select **Enabled**, choose Option **1**, and select **OK**.

>[!NOTE]
>Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.
6. Start Microsoft Edge and type `https://www.microsoft.com`.
After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.

7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists.
After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.

### Customize Application Guard
Application Guard lets you specify your configuration, allowing you to create the proper balance between isolation-based security and productivity for your employees.
Application Guard provides the following default behavior for your employees:
- No copying and pasting between the host PC and the isolated container.
- No printing from the isolated container.
- No data persistence from one isolated container to another isolated container.
You have the option to change each of these settings to work with your enterprise from within Group Policy.
**Applies to:**
- Windows 10 Enterprise or Pro editions, version 1803 or later
- Windows 11 Enterprise or Pro editions
#### Copy and paste options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**.
2. Select **Enabled** and select **OK**.

3. Choose how the clipboard works:
- Copy and paste from the isolated session to the host PC
- Copy and paste from the host PC to the isolated session
- Copy and paste both directions
4. Choose what can be copied:
- Only text can be copied between the host PC and the isolated container.
- Only images can be copied between the host PC and the isolated container.
- Both text and images can be copied between the host PC and the isolated container.
5. Select **OK**.
#### Print options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard print** settings.
2. Select **Enabled** and select **OK**.

3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.
4. Select **OK**.
#### Data persistence options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow data persistence for Microsoft Defender Application Guard** setting.
2. Select **Enabled** and select **OK**.

3. Open Microsoft Edge and browse to an untrusted, but safe URL.
The website opens in the isolated session.
4. Add the site to your **Favorites** list and then close the isolated session.
5. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
The previously added site should still appear in your **Favorites** list.
> [!NOTE]
> Starting with Windows 11, version 22H2, data persistence is disabled by default. If you don't allow or turn off data persistence, restarting a device or signing in and out of the isolated container triggers a recycle event. This action discards all generated data, such as session cookies and Favorites, and removes the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11.
>
> If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
> <!--- Inline HTML is used on the next several lines so that the ordinal numbers will be rendered correctly; Markdown would otherwise try to render them as letters (a, b, c...) because they would be treated as a nested list --->
> **To reset the container, follow these steps:**<br/>1. Open a command-line program and navigate to Windows/System32.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
>
> _Microsoft Edge version 90 or later no longer supports `RESET_PERSISTENCE_LAYER`._
**Applies to:**
- Windows 10 Enterprise or Pro editions, version 1803
- Windows 11 Enterprise or Pro editions, version 21H2. Data persistence is disabled by default in Windows 11, version 22H2 and later.
#### Download options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow files to download and save to the host operating system from Microsoft Defender Application Guard** setting.
2. Select **Enabled** and select **OK**.

3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
4. Download a file from Microsoft Defender Application Guard.
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
#### Hardware acceleration options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow hardware-accelerated rendering for Microsoft Defender Application Guard** setting.
2. Select **Enabled** and Select **OK**.

3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
4. Assess the visual experience and battery performance.
#### Camera and microphone options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow camera and microphone access in Microsoft Defender Application Guard** setting.
2. Select **Enabled** and select **OK**.

3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
4. Open an application with video or audio capability in Edge.
5. Check that the camera and microphone work as expected.
#### Root certificate sharing options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
2. Select **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and select **OK**.

3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
## Application Guard Extension for third-party web browsers
The [Application Guard Extension](md-app-guard-browser-extension.md) available for Chrome and Firefox allows Application Guard to protect users even when they are running a web browser other than Microsoft Edge or Internet Explorer.
Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios.
1. Open either Firefox or Chrome, whichever browser you have the extension installed on.
2. Navigate to an organizational website. In other words, an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.

3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.

4. Open a new Application Guard window, by selecting the Microsoft Defender Application Guard icon, then **New Application Guard Window**

@ -2,7 +2,7 @@ items:
- name: Microsoft Defender Application Guard (MDAG)
href: ../../threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
- name: MDAG for Edge standalone mode
href: ../../threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
href: microsoft-defender-application-guard/md-app-guard-overview.md
- name: MDAG for Edge enterprise mode and enterprise management 🔗
href: /deployedge/microsoft-edge-security-windows-defender-application-guard
- name: MDAG for Microsoft Office
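Review bot: the parent `Microsoft Defender Application Guard (MDAG)` entry is left with `href: ../../threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md`, which still points at the old threat-protection location and uses backslashes as separators, while the child `MDAG for Edge standalone mode` entry is updated to `href: microsoft-defender-application-guard/md-app-guard-overview.md`. Since this commit moves the MDAG folder, update the parent href to the same new relative path and use forward slashes like every other href in this file, otherwise the parent node will resolve to a page that no longer exists.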