deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-12 05:17:22 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity

Merge pull request #8973 from sazankha/patch-16

Browse Source 
Update faq-md-app-guard.md
This commit is contained in:
Denise Vangel-MSFT 2021-01-20 16:57:32 -08:00 committed by GitHub
commit 9d6b068f45
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 25 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
windows/security/threat-protection/microsoft-defender-application-guard/faq-md-app-guard.md
View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: denisebmsft
ms.author: deniseb
ms.date: 11/03/2020
ms.date: 01/21/2021
ms.reviewer:
manager: dansimp
ms.custom: asr
@ -146,7 +146,7 @@ There is a known issue such that if you change the Exploit Protection settings f
ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
1. In the Group Policy setting called, *Prohibit use of Internet Connection Sharing on your DNS domain network*, set it to **Disabled**.
1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
2. Disable IpNat.sys from ICS load as follows: <br/>
`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
@ -159,6 +159,28 @@ ICS is enabled by default in Windows, and ICS must be enabled in order for Appli
5. Reboot the device.
### Why doesn't the container fully load when device control policies are enabled?
Allow-listed items must be configured as "allowed" in the Group Policy Object ensure AppGuard works properly.
Policy: Allow installation of devices that match any of these device IDs
- `SCSI\DiskMsft____Virtual_Disk____`
- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
- `VMS_VSF`
- `root\Vpcivsp`
- `root\VMBus`
- `vms_mp`
- `VMS_VSP`
- `ROOT\VKRNLINTVSP`
- `ROOT\VID`
- `root\storvsp`
- `vms_vsmp`
- `VMS_PP`
Policy: Allow installation of devices using drivers that match these device setup classes
- `{71a27cdd-812a-11d0-bec7-08002be2092f}`
## See also
[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)
[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)