Update faq-md-app-guard.md

windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md

@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 01/21/2021
+ms.date: 04/26/2021
 ms.reviewer: 
 manager: dansimp
 ms.custom: asr
@@ -19,11 +19,12 @@ ms.technology: mde
 
 **Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
 
-Answering frequently asked questions about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
+This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
 
 ## Frequently Asked Questions
 
 ### Can I enable Application Guard on machines equipped with 4-GB RAM?
+
 We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
 
 `HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)                                                   
@@ -34,25 +35,25 @@ We recommend 8-GB RAM for optimal performance but you can use the following regi
 
 ### Can employees download documents from the Application Guard Edge session onto host devices? 
 
-In Windows 10 Enterprise edition 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
+In Windows 10 Enterprise edition, version 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
 
-In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. 
+In Windows 10 Enterprise edition, version 1709, or Windows 10 Professional edition, version 1803, it is not possible to download files from the isolated Application Guard container to the host computer. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device. 
 
 ### Can employees copy and paste between the host device and the Application Guard Edge session? 
 
 Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container. 
 
-### Why don't employees see their Favorites in the Application Guard Edge session?
+### Why don't employees see their favorites in the Application Guard Edge session?
 
-To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device. 
+To help keep the Application Guard Edge session secure and isolated from the host device, favorites that are stored in the Application Guard Edge session are not copied back to the host device. 
 
-### Why aren’t employees able to see their Extensions in the Application Guard Edge session?
+### Why aren’t employees able to see their extensions in the Application Guard Edge session?
 
-Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this. 
+Currently, the Application Guard Edge session doesn't support extensions. However, we're closely monitoring your feedback about this. 
 
 ### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)? 
 
-Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. 
+Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, version 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. 
 
 ### Which Input Method Editors (IME) in 19H1 are not supported? 
 
@@ -102,7 +103,7 @@ Mandatory network isolation GP policy to deploy Application Guard: "DomainSubnet
 Mandatory network isolation CSP policy to deploy Application Guard: "EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)"
 For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
 
-Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). 
+Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`). 
 
 ### Why did Application Guard stop working after I turned off hyperthreading?
 
@@ -128,21 +129,24 @@ First rule (DHCP Server):
 Second rule (DHCP Client)
 This is the same as the first rule, but scoped to local port 68.
 In the Microsoft Defender Firewall user interface go through the following steps:
-1. Right click on inbound rules, create a new rule.
+1. Right-click on inbound rules, and then create a new rule.
 2. Choose **custom rule**.
-3. Program path: `%SystemRoot%\System32\svchost.exe`.
+3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`.
-4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
+4. Specify the following settings:
-5. Any IP addresses.
+    - Protocol Type: UDP
-6. Allow the connection.
+    - Specific ports: 67
-7. All profiles.
+    - Remote port: any
-8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
+6. Specify any IP addresses.
-9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
+7. Allow the connection.
+8. Specify to use all profiles.
+9. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
+10. In the **Programs and services** tab, under the **Services** section, select **settings**. 
+11. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
 
 ### Why can I not launch Application Guard when Exploit Guard is enabled?
 
 There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**.
 
-
 ### How can I disable portions of ICS without breaking Application Guard?
 
 ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
@@ -161,6 +165,7 @@ ICS is enabled by default in Windows, and ICS must be enabled in order for Appli
 5. Reboot the device.
 
 ### Why doesn't the container fully load when device control policies are enabled?
+
 Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly. 
 
 Policy: Allow installation of devices that match any of these device IDs