Update faq-md-app-guard.md

Added a known issue and its mitigation
Sunny Zankharia 2020-08-13 06:30:30 -07:00 committed by GitHub
parent 23e1e195a4
commit a96e50a8d1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -159,3 +159,15 @@ Step 2:
3. Disable IPNAT (Optional): 3. Disable IPNAT (Optional):
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`. `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`.
4. Restart the device. 4. Restart the device.
### Why doesn't Application guard work, although it is enabled via GPO?
Application Guard must meet all these pre-requisites to be enabled in enterprise mode:
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-guard/reqs-md-app-guard
To understand why it is not being enabled in enterprise mode you need to check the status of the evaluation to find out what is missing.
For CSP (Intune) you can query the status node via a Get as mentioned in this document:
https://docs.microsoft.com/en-us/windows/client-management/mdm/windowsdefenderapplicationguard-csp
In this page you will see the “status” node as well as the meaning of each bit. If the status is not 63, you are missing a pre-requisite.
For Group Policy you need to look at the registry. Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP Status. The meaning of each bit is the same as the CSP.
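Review bot: The last added line gives the registry location as `Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HVSIGP Status` in unformatted text, so a reader cannot tell whether `Status` is a value under the `HVSIGP` key or part of the key name. Suggest putting the key in backticks the way the IPNat step above does and naming the value separately. The "If the status is not 63" sentence would be easier to act on if it said that 63 is the value with the six low bits all set, since the next sentence asks readers to interpret individual bits. Smaller points: the two docs.microsoft.com references are bare URLs on their own lines and would read better as inline Markdown links, the heading writes "Application guard" while the body writes "Application Guard", and there is no blank line between the new heading and its first paragraph or between the paragraphs that follow.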