Merged PR 2695: Merge vs-appguard to master
Publishing content for the first time.
@ -147,6 +147,13 @@
### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)
### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)

##[Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md)
###[System requirements for Windows Defender Application Guard](windows-defender-application-guard\reqs-wd-app-guard.md)
###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard\install-wd-app-guard.md)
###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard\configure-wd-app-guard.md)
###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard\test-scenarios-wd-app-guard.md)
###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md)

## [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection\protect-enterprise-data-using-wip.md)
### [Create a Windows Information Protection (WIP) policy](windows-information-protection\overview-create-wip-policy.md)
#### [Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune](windows-information-protection\create-wip-policy-using-intune.md)
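Review bot: the six new Application Guard entries (`##[Windows Defender Application Guard](...)` through `###[Frequently Asked Questions - Windows Defender Application Guard](...)`) omit the space between the `#` marks and the link that every neighbouring entry uses (`## [Protect your enterprise data ...`, `### [Set up and use ...`). CommonMark does not treat `##[...]` as a heading, so these entries risk rendering as plain paragraphs and dropping out of the generated TOC; suggest `## [Windows Defender Application Guard](...)` for the parent and `### [...]` for the five children.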
@ -17,6 +17,7 @@ Learn more about how to help protect against threats in Windows 10 and Windows
|[Windows Defender Security Center](windows-defender-security-center/windows-defender-security-center.md)|Learn about the easy-to-use app that brings together common Windows security features.|
|[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
|[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
|[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.|
|[Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.|
|[Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
|[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.|
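Review bot: path-separator consistency: the new row links with forward slashes (`windows-defender-application-guard/wd-app-guard-overview.md`) while the TOC entries added in this same change use backslashes (`windows-defender-application-guard\wd-app-guard-overview.md`). Forward slashes are the portable form for markdown links, so the TOC should be aligned to this row rather than the other way round. The row's description itself matches the wording of the overview topic.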
@ -0,0 +1,44 @@
---
title: Configure the Group Policy settings for Windows Defender Application Guard (Windows 10)
description: Learn about the available Group Policy settings for Windows Defender Application Guard.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
localizationpriority: high
---

# Configure Windows Defender Application Guard policy settings

**Applies to:**
- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)

Windows Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.

Application Guard uses both network isolation and application-specific settings.

### Network isolation settings
These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.

>[!NOTE]
>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode.


|Policy name|Supported versions|Description|
|-----------|------------------|-----------|
|Private network ranges for apps|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
|Enterprise resource domains hosted in the cloud|At least Windows Server 2012, Windows 8, or Windows RT|A pipe-separated (\|) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|
|Domains categorized as both work and personal|At least Windows Server 2012, Windows 8, or Windows RT|A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment.|

### Application-specific settings
These settings, located at **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard**, can help you to manage your company's implementation of Application Guard.

|Name|Supported versions|Description|Options|
|-----------|------------------|-----------|-------|
|Configure Windows Defender Application Guard clipboard settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<ul><li>Disable the clipboard functionality completely when Virtualization Security is enabled.</li><li>Enable copying of certain content from Application Guard into Microsoft Edge.</li><li>Enable copying of certain content from Microsoft Edge into Application Guard.<br><br>**Important**<br>Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.</li></ul>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Windows Defender Application Guard print settings|At least Windows 10 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<ul><li>Enable Application Guard to print into the XPS format.</li><li>Enable Application Guard to print into the PDF format.</li><li>Enable Application Guard to print to locally attached printers.</li><li>Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.</ul>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|At least Windows 10 Enterprise|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.<br><br>**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard.|
|Allow Persistence|At least Windows 10 Enterprise|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
|Turn On/Off Windows Defender Application Guard (WDAG)|At least Windows 10 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.<br><br>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
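Review bot: the **Block enterprise websites to load non-enterprise content in IE and Edge** row is internally inconsistent: its Description says the policy "Determines whether to allow Internet access for apps not included on the **Allowed Apps** list", which describes a different policy, while its Options column is about blocking Internet Explorer and Microsoft Edge traffic to non-enterprise sites that can't render in the container; the Description should be rewritten to match the Options. Two smaller points: the policy name `Allow Persistence` here does not match the name used in the test-scenarios topic of this PR (`Allow data persistence for Windows Defender Application Guard`), and the path given here (`Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard`) differs from the `Administrative Templates\System\Windows Components\...` path used there; pick one name and one path and use them in both files.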
@ -0,0 +1,42 @@
---
title: Frequently asked questions - Windows Defender Application Guard (Windows 10)
description: Learn about the commonly asked questions and answers for Windows Defender Application Guard.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
localizationpriority: high
---

# Frequently asked questions - Windows Defender Application Guard

**Applies to:**
- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)

Answering frequently asked questions about Windows Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.

## Frequently Asked Questions

| | |
|---|----------------------------|
|**Q:** |Can employees download documents from the Application Guard Edge session onto host devices?|
|**A:** |It's not possible to download files from the isolated Application Guard container to the host PC. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.|
<br>

| | |
|---|----------------------------|
|**Q:** |Can employees copy and paste between the host device and the Application Guard Edge session?|
|**A:** |Depending on your organization's settings, employees can copy and paste images and text (.bmp) to and from the isolated container.|
<br>

| | |
|---|----------------------------|
|**Q:** |Why don't employees see their Favorites in the Application Guard Edge session?|
|**A:** |To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.|
<br>

| | |
|---|----------------------------|
|**Q:** |Why aren’t employees able to see their Extensions in the Application Guard Edge session?|
|**A:** |Currently, the Application Guard Edge session doesn't support Extensions. However, we're closely monitoring your feedback about this.|
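Review bot: the Favorites answer does not answer the question as asked: the question is why employees don't see their Favorites *in* the Application Guard session, but the answer explains that Favorites created in the session are not copied *back to the host*. If the intent is that host-side Favorites are not copied into the container, say that; if both directions are blocked, say both. Also, in the copy-and-paste answer "images and text (.bmp)" attaches the format to text rather than images; suggest "images (.bmp) and text". Minor: each of the four one-row tables carries an empty header row `| | |` plus a `<br>` separator; one two-column table, or a plain Q/A list, would be easier to maintain.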
After Width: | Height: | Size: 126 KiB |
After Width: | Height: | Size: 18 KiB |
After Width: | Height: | Size: 66 KiB |
After Width: | Height: | Size: 135 KiB |
After Width: | Height: | Size: 189 KiB |
After Width: | Height: | Size: 30 KiB |
After Width: | Height: | Size: 47 KiB |
After Width: | Height: | Size: 229 KiB |
After Width: | Height: | Size: 431 KiB |
After Width: | Height: | Size: 897 KiB |
After Width: | Height: | Size: 54 KiB |
After Width: | Height: | Size: 372 KiB |
After Width: | Height: | Size: 115 KiB |
@ -0,0 +1,54 @@
---
title: Prepare and install Windows Defender Application Guard (Windows 10)
description: Learn about the Windows Defender Application Guard modes (Standalone or Enterprise-managed) and how to install Application Guard in your enterprise.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
localizationpriority: high
---

# Prepare and install Windows Defender Application Guard

**Applies to:**
- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)

## Prepare to install Windows Defender Application Guard
Before you can install and use Windows Defender Application Guard, you must determine which way you intend to use it in your enterprise. You can use Application Guard in either **Standalone** or **Enterprise-managed** mode.

- **Standalone mode.** Employees can use hardware-isolated browsing sessions without any administrator or management policy configuration. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. For an example of how this works, see the Application Guard in standalone mode testing scenario. <!--Need link after topic is created-->

- **Enterprise-managed mode.** You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to load non-enterprise domain(s) in the container.

The following diagram shows the flow between the host PC and the isolated container.


## Install Application Guard
Application Guard functionality is turned off by default. However, you can quickly install it on your employee’s devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution.

**To install by using the Control Panel**
1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**.



2. Select the check box next to **Windows Defender Application Guard** and then click **OK**.

Application Guard and its underlying dependencies are all installed.

**To install by using PowerShell**
1. Click the **Search** or **Cortana** icon in the Windows 10 taskbar and type **PowerShell**.

2. Right-click **Windows PowerShell**, and then click **Run as administrator**.

Windows PowerShell opens with administrator credentials.

3. Type the following command:

```
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
```
4. Restart the device.

Application Guard and its underlying dependencies are all installed.
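Review bot: the `<!--Need link after topic is created-->` placeholder in the Standalone mode bullet should be resolved in this PR: the topic it refers to (test-scenarios-wd-app-guard.md) is added in this same change, so link "the Application Guard in standalone mode testing scenario" to it and drop the comment. Also, the section intro says Application Guard can be installed through the Control Panel, PowerShell, or your MDM solution, but only the Control Panel and PowerShell procedures follow; either add the MDM procedure or point to where it is documented. Minor: the fence around `Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard` has no language tag; `powershell` would give syntax highlighting, and the parameter is conventionally written `-Online`.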
@ -0,0 +1,35 @@
---
title: System requirements for Windows Defender Application Guard (Windows 10)
description: Learn about the system requirements for installing and running Windows Defender Application Guard.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
localizationpriority: high
---

# System requirements for Windows Defender Application Guard

**Applies to:**
- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)

The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks. Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive.

## Hardware requirements
Your environment needs the following hardware to run Application Guard.

|Hardware|Description|
|--------|-----------|
|64-bit CPU|A 64-bit computer is required for hypervisor and virtualization-based security (VBS). For more info about Hyper-V, see [Hyper-V on Windows Server 2016](https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/hyper-v-on-windows-server) or [Introduction to Hyper-V on Windows 10](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/about/). For more info about hypervisor, see [Hypervisor Specifications](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/reference/tlfs).|
|CPU virtualization extensions|Extended page tables, also called _Second Level Address Translation (SLAT)_<br><br>**-AND-**<br><br>One of the following virtualization extensions for VBS:<br><br>VT-x (Intel)<br><br>**-OR-**<br><br>AMD-V|
|Hardware memory|4 GB minimum, 8 GB recommended|

## Software requirements
Your environment needs the following hardware to run Application Guard.

|Software|Description|
|--------|-----------|
|Operating system|Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)|
|Browser|Microsoft Edge and Internet Explorer|
|Management system|[Microsoft Intune](https://docs.microsoft.com/en-us/intune/)<br><br>**-OR-**<br><br>[System Center Configuration Manager](https://docs.microsoft.com/en-us/sccm/)<br><br>**-OR-**<br><br>[Group Policy](https://technet.microsoft.com/en-us/library/cc753298(v=ws.11).aspx)<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|
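Review bot: copy-and-paste error in the Software requirements intro: "Your environment needs the following hardware to run Application Guard." repeats the Hardware requirements sentence verbatim and should read "software". Also, the Management system cell offers Intune, Configuration Manager, Group Policy or a 3rd-party MDM as an **-OR-** list, while the install topic in this PR documents only the Control Panel and PowerShell paths; a cross-link to the configure topic (for Group Policy) would tell the reader where the management-system path is actually described.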
@ -0,0 +1,157 @@
---
title: Testing scenarios using Windows Defender Application Guard in your business or organization (Windows 10)
description: Suggested testing scenarios for Windows Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
ms.pagetype: security
author: eross-msft
localizationpriority: high
---

# Testing scenarios using Windows Defender Application Guard in your business or organization

**Applies to:**
- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)

We've come up with a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.

## Application Guard in standalone mode
You can see how an employee would use standalone mode with Application Guard.

**To test Application Guard in Standalone mode**

1. Download the latest Windows Insider Program build (15257 or later).

2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.

3. Restart the device, start Microsoft Edge, and then click **New Application Guard window** from the menu.



4. Wait for Application Guard to set up the isolated environment.

>[!NOTE]
>Starting Application Guard too quickly after restarting the device might cause it to take a bit longer to load. However, subsequent starts should occur without any perceivable delays.

5. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.



## Application Guard in Enterprise-managed mode
How to install, set up, turn on, and configure Application Guard for Enterprise-managed mode.

### Install, set up, and turn on Application Guard
Before you can use Application Guard in enterprise mode, you must install a version of Windows 10 that includes the functionality. Then, you must use Group Policy to set up the required settings.

1. Download the latest Windows Insider Program build (15257 or later).

2. Install Application Guard, using the [installation](#install-set-up-and-turn-on-application-guard) steps in this guide.

3. Restart the device and then start Microsoft Edge.

4. Set up the Network Isolation settings in Group Policy:

a. Click on the **Windows** icon, type _Group Policy_, and then click **Edit Group Policy**.

b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.

c. For the purposes of this scenario, type _.microsoft.com_ into the **Enterprise cloud resources** box.



d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting.

e. For the purposes of this scenario, type _bing.com_ into the **Neutral resources** box.



5. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn On/Off Windows Defender Application Guard (WDAG)** setting.

6. Click **Enabled**.



>[!NOTE]
>Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.

7. Start Microsoft Edge and type _www.microsoft.com_.

After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you’ve marked as trusted and shows the site directly on the host PC instead of in Application Guard.



8. In the same Microsoft Edge browser, type any URL that isn’t part of your trusted or neutral site lists.

After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.



### Customize Application Guard
Application Guard lets you specify your configuration, allowing you to create the proper balance between isolation-based security and productivity for your employees.

Application Guard provides the following default behavior for your employees:

- No copying and pasting between the host PC and the isolated container.

- No printing from the isolated container.

- No data persistence from one isolated container to another isolated container.

You have the option to change each of these settings to work with your enterprise from within Group Policy.

**To change the copy and paste options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.

2. Click **Enabled**.



3. Choose how the clipboard works:

- Copy and paste from the isolated session to the host PC

- Copy and paste from the host PC to the isolated session

- Copy and paste both directions

4. Choose what can be copied:

- **1.** Only text can be copied between the host PC and the isolated container.

- **2.** Only images can be copied between the host PC and the isolated container.

- **3.** Both text and images can be copied between the host PC and the isolated container.

5. Click **OK**.

**To change the print options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.

2. Click **Enabled**.



3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.

4. Click **OK**.

**To change the data persistence options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.

2. Click **Enabled**.



3. Open Microsoft Edge and browse to an untrusted, but safe URL.

The website opens in the isolated session.

4. Add the site to your **Favorites** list and then close the isolated session.

5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.

The previously added site should still appear in your **Favorites** list.

>[!NOTE]
>If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren’t shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10.<br><br>If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br><br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>
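Review bot: build-number inconsistency: both "Download the latest Windows Insider Program build (15257 or later)" steps conflict with the **Applies to** line on this and every other topic in the PR (Build 16188 or later); use one number. Second, step 2 of the Standalone scenario links to `#install-set-up-and-turn-on-application-guard`, which is the Enterprise-managed heading in this same file, not installation steps; the install steps live in install-wd-app-guard.md and the link should point there. Third, step 5 and the three customize procedures use `Administrative Templates\System\Windows Components\Windows Defender Application Guard\...`, whereas the configure topic in this PR puts these settings under `Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard`; the `System\` segment should be dropped or the two files reconciled. Minor: the `wdagtool.exe cleanup` reset procedure in the closing note duplicates the one in the configure topic verbatim; linking instead would keep the two from drifting apart.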
@ -0,0 +1,45 @@
|
|||||||
|
---
|
||||||
|
title: Windows Defender Application Guard (Windows 10)
|
||||||
|
description: Learn about Windows Defender Application Guard and how it helps to combat malicious content and malware out on the Internet.
|
||||||
|
ms.prod: w10
|
||||||
|
ms.mktglfcycl: manage
|
||||||
|
ms.sitesec: library
|
||||||
|
ms.pagetype: security
|
||||||
|
author: eross-msft
|
||||||
|
localizationpriority: high
|
||||||
|
---
|
||||||
|
|
||||||
|
# Windows Defender Application Guard overview
|
||||||
|
|
||||||
|
**Applies to:**
|
||||||
|
- Windows 10, Windows Insider Program (Enterprise edition, Build 16188 or later)
The threat landscape is continually evolving. While hackers are busy developing new techniques to breach enterprise networks by compromising workstations, phishing schemes remain one of the top ways to lure employees into social engineering attacks.
Windows Defender Application Guard (Application Guard) is designed to help prevent old, and newly emerging attacks, to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by rendering current attack methods obsolete.
## What is Application Guard and how does it work?
Designed for Windows 10 and Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define what is among trusted web sites, cloud resources, and internal networks. Everything not on your list is considered untrusted.
If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if the untrusted site turns out to be malicious, the host PC is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.

### What types of devices should use Application Guard?
Application Guard has been created to target 3 types of enterprise systems:
- **Enterprise desktops.** These desktops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.
- **Enterprise mobile laptops.** These laptops are domain-joined and managed by your organization. Configuration management is primarily done through System Center Configuration Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.
- **Bring your own device (BYOD) mobile laptops.** These personally-owned laptops are not domain-joined, but are managed by your organization through tools like Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.
## In this section
|Topic |Description |
|------|------------|
|[System requirements for Windows Defender Application Guard](reqs-wd-app-guard.md) |Specifies the pre-requisites necessary to install and use Application Guard. |
|[Prepare and install Windows Defender Application Guard](install-wd-app-guard.md) |Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization. |
|[Configure the Group Policy settings for Windows Defender Application Guard](configure-wd-app-guard.md) |Provides info about the available Group Policy and MDM settings.|
|[Testing scenarios using Windows Defender Application Guard in your business or organization](test-scenarios-wd-app-guard.md)|Provides a list of suggested testing scenarios that you can use to test Windows Defender Application Guard (Application Guard) in your organization.|
|[Frequently Asked Questions - Windows Defender Application Guard](faq-wd-app-guard.md)|Common questions and answers around the features and functionality of Application Guard.|
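Review bot: in the "If an employee goes to an untrusted site" paragraph, "For example, this approach makes the isolated container anonymous" is not an example of the preceding sentence and "anonymous" is undefined; say directly what the sentence actually claims, that the container has no access to the employee's enterprise credentials. The line immediately after that paragraph is empty where an image reference appears to have been intended; confirm the image markdown and alt text made it into the commit. Wording nits in the same file: "help prevent old, and newly emerging attacks" has a stray comma; "you define what is among trusted web sites, cloud resources, and internal networks" should read "you define which web sites, cloud resources, and internal networks are trusted"; "3 types of enterprise systems" should spell out "three". In the "In this section" table, the Testing scenarios row re-expands "Windows Defender Application Guard (Application Guard)" even though the short form is already established above; use "Application Guard".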
@ -342,14 +342,14 @@ If you're running into compatibility issues where your app is incompatible with
### Manage the WIP-protection level for your enterprise data
### Manage the WIP-protection level for your enterprise data
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
After you've added the apps you want to protect with WIP, you'll need to apply a management and protection mode.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Block**.
We recommend that you start with **Silent** or **Override** while verifying with a small group that you have the right apps on your protected apps list. After you're done, you can change to your final enforcement policy, either **Override** or **Hide Overrides**.
>[!NOTE]
>[!NOTE]
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
>For info about how to collect your audit log files, see [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md).
|Mode |Description |
|Mode |Description |
|-----|------------|
|-----|------------|
|Block |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Hide Overrides |WIP looks for inappropriate data sharing practices and stops the employee from completing the action. This can include sharing info across non-enterprise-protected apps in addition to sharing enterprise data between other people and devices outside of your enterprise.|
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
|Override |WIP looks for inappropriate data sharing, warning employees if they do something deemed potentially unsafe. However, this management mode lets the employee override the policy and share the data, logging the action to your audit log. |
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Silent |WIP runs silently, logging inappropriate data sharing, without blocking anything that would’ve been prompted for employee interaction while in Override mode. Unallowed actions, like apps inappropriately trying to access a network resource or WIP-protected data, are still blocked.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
|Off (not recommended) |WIP is turned off and doesn't help to protect or audit your data.<p>After you turn off WIP, an attempt is made to decrypt any WIP-tagged files on the locally attached drives. Be aware that your previous decryption and policy info isn’t automatically reapplied if you turn WIP protection back on.|
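Review bot: the rename from **Block** to **Hide Overrides** touches only the recommendation sentence and the table's mode column; the row's description is carried over unchanged and still describes a hard block ("stops the employee from completing the action"), so a reader cannot tell how Hide Overrides differs from the old Block mode or why the name changed. Either the description should explain what is hidden, or, if behaviour is identical, the text should say the mode was renamed. Check the rest of the file for remaining references to "Block" (the hunk context line about compatibility issues suggests the surrounding section may still use it). Separately, in the Off row, "your previous decryption and policy info isn't automatically reapplied" reads as if "encryption" was meant; confirm which is intended.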