mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-16 19:03:46 +00:00
Merge branch 'main' into patch-4
This commit is contained in:
Angela Fleischmann
GitHub
@ -290,6 +290,8 @@ The BitLocker recovery screen that's shown by Windows RE has the accessibility t
|
||||
To activate the narrator during BitLocker recovery in Windows RE, press **Windows** + **CTRL** + **Enter**.
|
||||
To activate the on-screen keyboard, tap on a text input control.
|
||||
|
||||
:::image type="content" source="images/bl-narrator.png" alt-text="A screenshot of the BitLocker recovery screen showing Narrator activated.":::
|
||||
|
||||
## BitLocker recovery screen
|
||||
|
||||
During BitLocker recovery, Windows can display a custom recovery message and hints that identify where a key can be retrieved from. These improvements can help a user during BitLocker recovery.
|
||||
|
||||
@ -30,25 +30,25 @@ sections:
|
||||
|
||||
- question: Can an IT admin specify which files should be encrypted?
|
||||
answer: |
|
||||
Yes, but it can only be done using the PDE APIs.
|
||||
Yes, but it can only be done using the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
|
||||
|
||||
- question: Do I need to use OneDrive as my backup provider?
|
||||
answer: |
|
||||
No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the encryption keys used by PDE are lost. OneDrive is a recommended backup provider.
|
||||
No. PDE doesn't have a requirement for a backup provider including OneDrive. However, backups are strongly recommended in case the keys used by PDE to decrypt files are lost. OneDrive is a recommended backup provider.
|
||||
|
||||
- question: What is the relation between Windows Hello for Business and PDE?
|
||||
answer: |
|
||||
Windows Hello for Business unlocks PDE encryption keys during user sign on.
|
||||
During user sign-on, Windows Hello for Business unlocks the keys that PDE uses to decrypt files.
|
||||
|
||||
- question: Can a file be encrypted with both PDE and EFS at the same time?
|
||||
answer: |
|
||||
No. PDE and EFS are mutually exclusive.
|
||||
|
||||
- question: Can a PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?
|
||||
- question: Can PDE encrypted files be accessed after signing on via a Remote Desktop connection (RDP)?
|
||||
answer: |
|
||||
No. Accessing PDE encrypted files over RDP isn't currently supported.
|
||||
|
||||
- question: Can a PDE encrypted files be access via a network share?
|
||||
- question: Can PDE encrypted files be access via a network share?
|
||||
answer: |
|
||||
No. PDE encrypted files can only be accessed after signing on locally to Windows with Windows Hello for Business credentials.
|
||||
|
||||
@ -62,11 +62,11 @@ sections:
|
||||
|
||||
- question: If a user signs into Windows with a password instead of Windows Hello for Business, will they be able to access their PDE encrypted files?
|
||||
answer: |
|
||||
No. PDE encryption keys are protected Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
|
||||
No. The keys used by PDE to decrypt files are protected by Windows Hello for Business credentials and will only be unlocked when signing on with Windows Hello for Business PIN or biometrics.
|
||||
|
||||
- question: What encryption method and strength does PDE use?
|
||||
answer: |
|
||||
PDE uses AES-256 to encrypt files
|
||||
PDE uses AES-CBC with a 256-bit key to encrypt files
|
||||
|
||||
additionalContent: |
|
||||
## See also
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Personal Data Encryption (PDE)
|
||||
description: Personal Data Encryption unlocks user encrypted files at user sign in instead of at boot.
|
||||
description: Personal Data Encryption unlocks user encrypted files at user sign-in instead of at boot.
|
||||
|
||||
author: frankroj
|
||||
ms.author: frankroj
|
||||
@ -40,19 +40,19 @@ ms.date: 09/22/2022
|
||||
- [BitLocker Drive Encryption](../bitlocker/bitlocker-overview.md) enabled
|
||||
- Although PDE will work without BitLocker, it's recommended to also enable BitLocker. PDE is meant to supplement BitLocker and not replace it.
|
||||
- Backup solution such as [OneDrive](/onedrive/onedrive)
|
||||
- In certain scenarios such as TPM resets or destructive PIN resets, the PDE encryption keys can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
|
||||
- In certain scenarios such as TPM resets or destructive PIN resets, the keys used by PDE to decrypt files can be lost. In such scenarios, any file encrypted with PDE will no longer be accessible. The only way to recover such files would be from backup.
|
||||
- [Windows Hello for Business PIN reset service](../../identity-protection/hello-for-business/hello-feature-pin-reset.md)
|
||||
- Destructive PIN resets will cause PDE encryption keys to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
|
||||
- Destructive PIN resets will cause keys used by PDE to decrypt files to be lost. The destructive PIN reset will make any file encrypted with PDE no longer accessible after a destructive PIN reset. Files encrypted with PDE will need to be recovered from a backup after a destructive PIN reset. For this reason Windows Hello for Business PIN reset service is recommended since it provides non-destructive PIN resets.
|
||||
- [Windows Hello Enhanced Sign-in Security](/windows-hardware/design/device-experiences/windows-hello-enhanced-sign-in-security)
|
||||
- Provides additional security when authenticating with Windows Hello for Business via biometrics or PIN
|
||||
- [Kernel and user mode crash dumps disabled](/windows/client-management/mdm/policy-csp-memorydump)
|
||||
- Crash dumps can potentially cause the PDE encryption keys to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
|
||||
- Crash dumps can potentially cause the keys used by PDE decrypt files to be exposed. For greatest security, disable kernel and user mode crash dumps. For information on disabling crash dumbs via Intune, see [Disable crash dumps](configure-pde-in-intune.md#disable-crash-dumps).
|
||||
- [Hibernation disabled](/windows/client-management/mdm/policy-csp-power#power-allowhibernate)
|
||||
- Hibernation files can potentially cause the PDE encryption keys to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
|
||||
- Hibernation files can potentially cause the keys used by PDE to decrypt files to be exposed. For greatest security, disable hibernation. For information on disabling crash dumbs via Intune, see [Disable hibernation](configure-pde-in-intune.md#disable-hibernation).
|
||||
|
||||
## PDE protection levels
|
||||
|
||||
PDE uses AES-256 to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the PDE APIs.
|
||||
PDE uses AES-CBC with a 256-bit key to encrypt files and offers two levels of protection. The level of protection is determined based on the organizational needs. These levels can be set via the [PDE APIs](/uwp/api/windows.security.dataprotection.userdataprotectionmanager).
|
||||
|
||||
| Item | Level 1 | Level 2 |
|
||||
|---|---|---|
|
||||
@ -94,15 +94,15 @@ For information on enabling PDE via Intune, see [Enable Personal Data Encryption
|
||||
|
||||
| Item | PDE | BitLocker |
|
||||
|--|--|--|
|
||||
| Release of encryption keys | At user sign in via Windows Hello for Business | At boot |
|
||||
| Encryption keys discarded | At user sign out | At reboot |
|
||||
| Release of key | At user sign-in via Windows Hello for Business | At boot |
|
||||
| Keys discarded | At user sign-out | At reboot |
|
||||
| Files encrypted | Individual specified files | Entire volume/drive |
|
||||
| Authentication to access encrypted file | Windows Hello for Business | When BitLocker with PIN is enabled, BitLocker PIN plus Windows sign in |
|
||||
| Accessibility | Windows Hello for Business is accessibility friendly | BitLocker with PIN doesn't have accessibility features |
|
||||
|
||||
## Differences between PDE and EFS
|
||||
|
||||
The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the encryption keys that encrypts the files. EFS uses certificates to secure and encrypt the files.
|
||||
The main difference between encrypting files with PDE instead of EFS is the method they use to encrypt the file. PDE uses Windows Hello for Business to secure the keys to decrypt the files. EFS uses certificates to secure and encrypt the files.
|
||||
|
||||
To see if a file is encrypted with PDE or EFS:
|
||||
|
||||
@ -118,9 +118,7 @@ Encryption information including what encryption method is being used can be obt
|
||||
|
||||
## Disable PDE and decrypt files
|
||||
|
||||
Currently there's no method to disable PDE via MDM policy. However, PDE can be disabled locally and files can be decrypted using `cipher.exe`.
|
||||
|
||||
In certain scenarios a user may be able to manually decrypt a file using the following steps:
|
||||
Currently there's no method to disable PDE via MDM policy. However, in certain scenarios PDE encrypted files can be decrypted using `cipher.exe` using the following steps:
|
||||
|
||||
1. Open the properties of the file
|
||||
2. Under the **General** tab, select **Advanced...**
|
||||
@ -139,4 +137,4 @@ Certain Windows applications support PDE out of the box. If PDE is enabled on a
|
||||
|
||||
## See also
|
||||
- [Personal Data Encryption (PDE) FAQ](faq-pde.yml)
|
||||
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
|
||||
- [Configure Personal Data Encryption (PDE) polices in Intune](configure-pde-in-intune.md)
|
||||
|
||||
@ -56,15 +56,15 @@ These settings, located at `Computer Configuration\Administrative Templates\Wind
|
||||
|
||||
|Name|Supported versions|Description|Options|
|
||||
|-----------|------------------|-----------|-------|
|
||||
|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns On the clipboard functionality and lets you choose whether to additionally:<br/>- Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<p>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|
||||
|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns On the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|
||||
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|
||||
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher<p>Windows 11|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office. <br/><br/>**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
|
||||
|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher<p>Windows 11|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
|
||||
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<br><br>Windows 10 Pro, 1803 or higher<p>Windows 11|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
|
||||
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|
||||
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
|
||||
|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher<p>Windows 11|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.<p>**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
|
||||
|Configure Microsoft Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally:<br/>- Disable the clipboard functionality completely when Virtualization Security is enabled.<br/>- Enable copying of certain content from Application Guard into Microsoft Edge.<br/>- Enable copying of certain content from Microsoft Edge into Application Guard. **Important:** Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.<p>**Disabled or not configured.** Completely turns off the clipboard functionality for Application Guard.|
|
||||
|Configure Microsoft Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether Application Guard can use the print functionality.|**Enabled.** This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally:<br/>- Enable Application Guard to print into the XPS format.<br/>- Enable Application Guard to print into the PDF format.<br/>- Enable Application Guard to print to locally attached printers.<br/>- Enable Application Guard to print from previously connected network printers. Employees can't search for other printers.<br/><br/>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|
||||
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<p>Windows 11 Enterprise|Determines whether data persists across different sessions in Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<p>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<p>**NOTE**: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<p>**To reset the container:**<br/>1. Open a command-line program and navigate to `Windows/System32`.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.|
|
||||
|Turn on Microsoft Defender Application Guard in Managed Mode|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office.|**Enabled.** Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options:<br/>- Enable Microsoft Defender Application Guard only for Microsoft Edge<br/>- Enable Microsoft Defender Application Guard only for Microsoft Office<br/>- Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office<br/><br/>**Disabled.** Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office. <br/><br/>**Note:** For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you are no longer required to configure network isolation policy to enable Application Guard for Edge.|
|
||||
|Allow files to download to host operating system|Windows 10 Enterprise or Pro, 1803 or higher<p>Windows 11 Enterprise or Pro|Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.|**Enabled.** This is effective only in managed mode. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container.<p>**Disabled or not configured.** Users aren't able to save downloaded files from Application Guard to the host operating system.|
|
||||
|Allow hardware-accelerated rendering for Microsoft Defender Application Guard|Windows 10 Enterprise, 1803 or higher<p>Windows 11 Enterprise|Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. **Important:** Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br>**Disabled or not configured.** Microsoft Defender Application Guard uses software-based (CPU) rendering and won’t load any third-party graphics drivers or interact with any connected graphics hardware.|
|
||||
|Allow camera and microphone access in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. **Important:** Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<p>**Disabled or not configured.** Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device.|
|
||||
|Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device|Windows 10 Enterprise or Pro, 1809 or higher<p>Windows 11 Enterprise or Pro|Determines whether Root Certificates are shared with Microsoft Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates.<p>**Disabled or not configured.** Certificates aren't shared with Microsoft Defender Application Guard.|
|
||||
|Allow auditing events in Microsoft Defender Application Guard|Windows 10 Enterprise, 1809 or higher<p>Windows 11 Enterprise|This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard.|**Enabled.** This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host.<p>**Disabled or not configured.** Event logs aren't collected from your Application Guard container.|
|
||||
|
||||
## Application Guard support dialog settings
|
||||
|
||||
|
||||
@ -1,18 +1,15 @@
|
||||
---
|
||||
title: Testing scenarios with Microsoft Defender Application Guard (Windows 10 or Windows 11)
|
||||
title: Testing scenarios with Microsoft Defender Application Guard
|
||||
description: Suggested testing scenarios for Microsoft Defender Application Guard, showing how it works in both Standalone and Enterprise-managed mode.
|
||||
ms.prod: m365-security
|
||||
ms.mktglfcycl: manage
|
||||
ms.sitesec: library
|
||||
ms.pagetype: security
|
||||
ms.prod: windows-client
|
||||
ms.technology: itpro-security
|
||||
ms.localizationpriority: medium
|
||||
author: denisebmsft
|
||||
ms.author: deniseb
|
||||
ms.reviewer:
|
||||
manager: dansimp
|
||||
ms.date: 03/14/2022
|
||||
author: vinaypamnani-msft
|
||||
ms.author: vinpa
|
||||
ms.reviewer: sazankha
|
||||
manager: aaroncz
|
||||
ms.date: 09/23/2022
|
||||
ms.custom: asr
|
||||
ms.technology: windows-sec
|
||||
---
|
||||
|
||||
# Application Guard testing scenarios
|
||||
@ -59,7 +56,7 @@ Before you can use Application Guard in managed mode, you must install Windows 1
|
||||
|
||||
3. Set up the Network Isolation settings in Group Policy:
|
||||
|
||||
a. Click on the **Windows** icon, type `Group Policy`, and then click **Edit Group Policy**.
|
||||
a. Select the **Windows** icon, type `Group Policy`, and then select **Edit Group Policy**.
|
||||
|
||||
b. Go to the **Administrative Templates\Network\Network Isolation\Enterprise resource domains hosted in the cloud** setting.
|
||||
|
||||
@ -75,7 +72,7 @@ Before you can use Application Guard in managed mode, you must install Windows 1
|
||||
|
||||
4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting.
|
||||
|
||||
5. Click **Enabled**, choose Option **1**, and click **OK**.
|
||||
5. Select **Enabled**, choose Option **1**, and select **OK**.
|
||||
|
||||
|
||||
|
||||
@ -110,15 +107,14 @@ You have the option to change each of these settings to work with your enterpris
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Enterprise edition, version 1709 or higher
|
||||
- Windows 10 Professional edition, version 1803
|
||||
- Windows 11
|
||||
- Windows 10 Enterprise or Pro editions, version 1803 or later
|
||||
- Windows 11 Enterprise or Pro editions
|
||||
|
||||
#### Copy and paste options
|
||||
|
||||
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings**.
|
||||
|
||||
2. Click **Enabled** and click **OK**.
|
||||
2. Select **Enabled** and select **OK**.
|
||||
|
||||
|
||||
|
||||
@ -138,25 +134,25 @@ You have the option to change each of these settings to work with your enterpris
|
||||
|
||||
- Both text and images can be copied between the host PC and the isolated container.
|
||||
|
||||
5. Click **OK**.
|
||||
5. Select **OK**.
|
||||
|
||||
#### Print options
|
||||
|
||||
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard print** settings.
|
||||
|
||||
2. Click **Enabled** and click **OK**.
|
||||
2. Select **Enabled** and select **OK**.
|
||||
|
||||
|
||||
|
||||
3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.
|
||||
|
||||
4. Click **OK**.
|
||||
4. Select **OK**.
|
||||
|
||||
#### Data persistence options
|
||||
|
||||
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow data persistence for Microsoft Defender Application Guard** setting.
|
||||
|
||||
2. Click **Enabled** and click **OK**.
|
||||
2. Select **Enabled** and select **OK**.
|
||||
|
||||
|
||||
|
||||
@ -166,32 +162,33 @@ You have the option to change each of these settings to work with your enterpris
|
||||
|
||||
4. Add the site to your **Favorites** list and then close the isolated session.
|
||||
|
||||
5. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
|
||||
5. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
|
||||
|
||||
The previously added site should still appear in your **Favorites** list.
|
||||
|
||||
> [!NOTE]
|
||||
> If you don't allow or turn off data persistence, restarting a device or logging in and out of the isolated container triggers a recycle event that discards all generated data, including session cookies, Favorites, and so on, removing the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11.
|
||||
> Starting with Windows 11, version 22H2, data persistence is disabled by default. If you don't allow or turn off data persistence, restarting a device or signing in and out of the isolated container triggers a recycle event. This action discards all generated data, such as session cookies and Favorites, and removes the data from Application Guard. If you turn on data persistence, all employee-generated artifacts are preserved across container recycle events. However, these artifacts only exist in the isolated container and aren't shared with the host PC. This data persists after restarts and even through build-to-build upgrades of Windows 10 and Windows 11.
|
||||
>
|
||||
> If you turn on data persistence, but later decide to stop supporting it for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.
|
||||
> <!--- Inline HTML is used on the next several lines so that the ordinal numbers will be rendered correctly; Markdown would otherwise try to render them as letters (a, b, c...) because they would be treated as a nested list --->
|
||||
> **To reset the container, follow these steps:**<br/>1. Open a command-line program and navigate to Windows/System32.<br/>2. Type `wdagtool.exe cleanup`. The container environment is reset, retaining only the employee-generated data.<br/>3. Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`. The container environment is reset, including discarding all employee-generated data.
|
||||
>
|
||||
> _Microsoft Edge version 90 or later no longer supports `RESET_PERSISTENCE_LAYER`._
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Enterprise edition, version 1803
|
||||
- Windows 10 Professional edition, version 1803
|
||||
- Windows 11
|
||||
- Windows 10 Enterprise or Pro editions, version 1803
|
||||
- Windows 11 Enterprise or Pro editions, version 21H2. Data persistence is disabled by default in Windows 11, version 22H2 and later.
|
||||
|
||||
#### Download options
|
||||
|
||||
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow files to download and save to the host operating system from Microsoft Defender Application Guard** setting.
|
||||
|
||||
2. Click **Enabled** and click **OK**.
|
||||
2. Select **Enabled** and select **OK**.
|
||||
|
||||
|
||||
|
||||
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
|
||||
3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
|
||||
|
||||
4. Download a file from Microsoft Defender Application Guard.
|
||||
|
||||
@ -201,7 +198,7 @@ You have the option to change each of these settings to work with your enterpris
|
||||
|
||||
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow hardware-accelerated rendering for Microsoft Defender Application Guard** setting.
|
||||
|
||||
2. Click **Enabled** and click **OK**.
|
||||
2. Select **Enabled** and Select **OK**.
|
||||
|
||||
|
||||
|
||||
@ -209,21 +206,15 @@ You have the option to change each of these settings to work with your enterpris
|
||||
|
||||
4. Assess the visual experience and battery performance.
|
||||
|
||||
**Applies to:**
|
||||
|
||||
- Windows 10 Enterprise edition, version 1809
|
||||
- Windows 10 Professional edition, version 1809
|
||||
- Windows 11
|
||||
|
||||
#### Camera and microphone options
|
||||
|
||||
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow camera and microphone access in Microsoft Defender Application Guard** setting.
|
||||
|
||||
2. Click **Enabled** and click **OK**.
|
||||
2. Select **Enabled** and select **OK**.
|
||||
|
||||
|
||||
|
||||
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
|
||||
3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
|
||||
|
||||
4. Open an application with video or audio capability in Edge.
|
||||
|
||||
@ -233,11 +224,11 @@ You have the option to change each of these settings to work with your enterpris
|
||||
|
||||
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
|
||||
|
||||
2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
|
||||
2. Select **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and select **OK**.
|
||||
|
||||
|
||||
|
||||
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
|
||||
3. Sign out and back in to your device, opening Microsoft Edge in Application Guard again.
|
||||
|
||||
## Application Guard Extension for third-party web browsers
|
||||
|
||||
@ -245,9 +236,9 @@ The [Application Guard Extension](md-app-guard-browser-extension.md) available f
|
||||
|
||||
Once a user has the extension and its companion app installed on their enterprise device, you can run through the following scenarios.
|
||||
|
||||
1. Open either Firefox or Chrome — whichever browser you have the extension installed on.
|
||||
1. Open either Firefox or Chrome, whichever browser you have the extension installed on.
|
||||
|
||||
2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
|
||||
2. Navigate to an organizational website. In other words, an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
|
||||
|
||||
|
||||
3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.
|
||||
|
||||
Reference in New Issue
Block a user