mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 11:53:37 +00:00
Denise Vangel-MSFT
GitHub
@ -1,6 +1,6 @@
|
|||||||
---
|
---
|
||||||
title: FAQ - Microsoft Defender Application Guard (Windows 10)
|
title: Microsoft Defender Application Guard FAQ (Windows 10)
|
||||||
description: Learn about the commonly asked questions and answers for Microsoft Defender Application Guard.
|
description: See frequently asked questions and answers for Microsoft Defender Application Guard.
|
||||||
ms.prod: m365-security
|
ms.prod: m365-security
|
||||||
ms.mktglfcycl: manage
|
ms.mktglfcycl: manage
|
||||||
ms.sitesec: library
|
ms.sitesec: library
|
||||||
@ -8,7 +8,7 @@ ms.pagetype: security
|
|||||||
ms.localizationpriority: medium
|
ms.localizationpriority: medium
|
||||||
author: denisebmsft
|
author: denisebmsft
|
||||||
ms.author: deniseb
|
ms.author: deniseb
|
||||||
ms.date: 02/25/2021
|
ms.date: 03/01/2021
|
||||||
ms.reviewer:
|
ms.reviewer:
|
||||||
manager: dansimp
|
manager: dansimp
|
||||||
ms.custom: asr
|
ms.custom: asr
|
||||||
@ -19,11 +19,9 @@ ms.technology: mde
|
|||||||
|
|
||||||
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
**Applies to:** [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2069559)
|
||||||
|
|
||||||
Answering frequently asked questions about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
|
This article lists frequently asked questions and answers about Microsoft Defender Application Guard (Application Guard) features, integration with the Windows operating system, and general configuration.
|
||||||
|
|
||||||
## Frequently Asked Questions
|
## Can I enable Application Guard on machines equipped with 4-GB RAM?
|
||||||
|
|
||||||
### Can I enable Application Guard on machines equipped with 4-GB RAM?
|
|
||||||
We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
|
We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
|
||||||
|
|
||||||
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
|
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
|
||||||
@ -32,29 +30,29 @@ We recommend 8-GB RAM for optimal performance but you can use the following regi
|
|||||||
|
|
||||||
`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
|
`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
|
||||||
|
|
||||||
### Can employees download documents from the Application Guard Edge session onto host devices?
|
## Can employees download documents from the Application Guard Edge session onto host devices?
|
||||||
|
|
||||||
In Windows 10 Enterprise edition 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
|
In Windows 10 Enterprise edition 1803, users are able to download documents from the isolated Application Guard container to the host PC. This capability is managed by policy.
|
||||||
|
|
||||||
In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host device. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
|
In Windows 10 Enterprise edition 1709 or Windows 10 Professional edition 1803, it is not possible to download files from the isolated Application Guard container to the host device. However, employees can use the **Print as PDF** or **Print as XPS** options and save those files to the host device.
|
||||||
|
|
||||||
### Can employees copy and paste between the host device and the Application Guard Edge session?
|
## Can employees copy and paste between the host device and the Application Guard Edge session?
|
||||||
|
|
||||||
Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.
|
Depending on your organization's settings, employees can copy and paste images (.bmp) and text to and from the isolated container.
|
||||||
|
|
||||||
### Why don't employees see their Favorites in the Application Guard Edge session?
|
## Why don't employees see their Favorites in the Application Guard Edge session?
|
||||||
|
|
||||||
To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.
|
To help keep the Application Guard Edge session secure and isolated from the host device, we don't copy the Favorites stored in the Application Guard Edge session back to the host device.
|
||||||
|
|
||||||
### Why aren’t employees able to see their extensions in the Application Guard Edge session?
|
## Why aren’t employees able to see their extensions in the Application Guard Edge session?
|
||||||
|
|
||||||
Currently, the Application Guard Edge session doesn't support extensions. However, we're closely monitoring your feedback about this.
|
Currently, the Application Guard Edge session doesn't support extensions. However, we're closely monitoring your feedback about this.
|
||||||
|
|
||||||
### How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
|
## How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
|
||||||
|
|
||||||
Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
|
Microsoft Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune.
|
||||||
|
|
||||||
### Which Input Method Editors (IME) in 19H1 are not supported?
|
## Which Input Method Editors (IME) in 19H1 are not supported?
|
||||||
|
|
||||||
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard.
|
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard.
|
||||||
- Vietnam Telex keyboard
|
- Vietnam Telex keyboard
|
||||||
@ -70,31 +68,31 @@ The following Input Method Editors (IME) introduced in Windows 10, version 1903
|
|||||||
- Odia phonetic keyboard
|
- Odia phonetic keyboard
|
||||||
- Punjabi phonetic keyboard
|
- Punjabi phonetic keyboard
|
||||||
|
|
||||||
### I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
|
## I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
|
||||||
|
|
||||||
This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
|
This feature is currently experimental only and is not functional without an additional registry key provided by Microsoft. If you would like to evaluate this feature on a deployment of Windows 10 Enterprise, version 1803, contact Microsoft and we’ll work with you to enable the feature.
|
||||||
|
|
||||||
### What is the WDAGUtilityAccount local account?
|
## What is the WDAGUtilityAccount local account?
|
||||||
|
|
||||||
This account is part of Application Guard beginning with Windows 10, version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.
|
This account is part of Application Guard beginning with Windows 10, version 1709 (Fall Creators Update). This account remains disabled until Application Guard is enabled on your device. This item is integrated to the OS and is not considered as a threat/virus/malware.
|
||||||
|
|
||||||
### How do I trust a subdomain in my site list?
|
## How do I trust a subdomain in my site list?
|
||||||
|
|
||||||
To trust a subdomain, you must precede your domain with two dots. For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
|
To trust a subdomain, you must precede your domain with two dots. For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), the second dot recognizes the start of the domain name (`contoso.com`). This prevents sites such as `fakesitecontoso.com` from being trusted.
|
||||||
|
|
||||||
### Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
|
## Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
|
||||||
|
|
||||||
When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
|
When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode does not. For more information, see [Prepare to install Microsoft Defender Application Guard](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard).
|
||||||
|
|
||||||
### Is there a size limit to the domain lists that I need to configure?
|
## Is there a size limit to the domain lists that I need to configure?
|
||||||
|
|
||||||
Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383-B limit.
|
Yes, both the Enterprise Resource domains hosted in the cloud and the Domains categorized as both work and personal have a 16383-B limit.
|
||||||
|
|
||||||
### Why does my encryption driver break Microsoft Defender Application Guard?
|
## Why does my encryption driver break Microsoft Defender Application Guard?
|
||||||
|
|
||||||
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
|
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
|
||||||
|
|
||||||
### Why do the Network Isolation policies in Group Policy and CSP look different?
|
## Why do the Network Isolation policies in Group Policy and CSP look different?
|
||||||
|
|
||||||
There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
|
There is not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
|
||||||
|
|
||||||
@ -104,63 +102,63 @@ For EnterpriseNetworkDomainNames, there is no mapped CSP policy.
|
|||||||
|
|
||||||
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
|
Microsoft Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard does not work and results in an error message (`0x80070013 ERROR_WRITE_PROTECT`).
|
||||||
|
|
||||||
### Why did Application Guard stop working after I turned off hyperthreading?
|
## Why did Application Guard stop working after I turned off hyperthreading?
|
||||||
|
|
||||||
If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
|
If hyperthreading is disabled (because of an update applied through a KB article or through BIOS settings), there is a possibility Application Guard no longer meets the minimum requirements.
|
||||||
|
|
||||||
### Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
|
## Why am I getting the error message "ERROR_VIRTUAL_DISK_LIMITATION"?
|
||||||
|
|
||||||
Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
|
Application Guard might not work correctly on NTFS compressed volumes. If this issue persists, try uncompressing the volume.
|
||||||
|
|
||||||
### Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach PAC file?
|
## Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach PAC file?
|
||||||
|
|
||||||
This is a known issue. To mitigate this you need to create two firewall rules.
|
This is a known issue. To mitigate this you need to create two firewall rules.
|
||||||
For guidance on how to create a firewall rule by using group policy, see:
|
For guidance on how to create a firewall rule by using group policy, see:
|
||||||
- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
|
- [Create an inbound icmp rule](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/create-an-inbound-icmp-rule)
|
||||||
- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
|
- [Open Group Policy management console for Microsoft Defender Firewall](https://docs.microsoft.com/windows/security/threat-protection/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security)
|
||||||
|
|
||||||
First rule (DHCP Server):
|
### First rule (DHCP Server)
|
||||||
|
|
||||||
1. Program path: `%SystemRoot%\System32\svchost.exe`
|
1. Program path: `%SystemRoot%\System32\svchost.exe`
|
||||||
2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))`
|
2. Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))`
|
||||||
3. Protocol UDP
|
3. Protocol UDP
|
||||||
4. Port 67
|
4. Port 67
|
||||||
|
|
||||||
Second rule (DHCP Client)
|
### Second rule (DHCP Client)
|
||||||
|
|
||||||
This is the same as the first rule, but scoped to local port 68.
|
This is the same as the first rule, but scoped to local port 68.
|
||||||
In the Microsoft Defender Firewall user interface go through the following steps:
|
|
||||||
|
In the Microsoft Defender Firewall user interface, take the following steps:
|
||||||
1. Right click on inbound rules, create a new rule.
|
1. Right click on inbound rules, create a new rule.
|
||||||
2. Choose **custom rule**.
|
2. Choose **custom rule**.
|
||||||
3. Program path: `%SystemRoot%\System32\svchost.exe`.
|
3. Program path: `%SystemRoot%\System32\svchost.exe`.
|
||||||
4. Protocol Type: UDP, Specific ports: 67, Remote port: any.
|
4. Protocol Type: UDP, Specific ports: 68, Remote port: any.
|
||||||
5. Any IP addresses.
|
5. Any IP addresses.
|
||||||
6. Allow the connection.
|
6. Allow the connection.
|
||||||
7. All profiles.
|
7. All profiles.
|
||||||
8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
|
8. The new rule should show up in the user interface. Right-click on the rule, and then select **Properties**.
|
||||||
9. In the **Programs and services** tab, Under the **Services** section click on **settings**. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
|
9. In the **Programs and services** tab, under **Services**, select **settings**.
|
||||||
|
10. Choose **Apply to this Service**, and then select **Internet Connection Sharing (ICS) Shared Access**.
|
||||||
|
|
||||||
### Why can I not launch Application Guard when Exploit Guard is enabled?
|
## Why can I not launch Application Guard when Exploit Guard is enabled?
|
||||||
|
|
||||||
There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**.
|
There is a known issue such that if you change the Exploit Protection settings for CFG and possibly others, hvsimgr cannot launch. To mitigate this issue, go to **Windows Security** > **App and Browser control** > **Exploit Protection Setting**, and then switch CFG to **use default**.
|
||||||
|
|
||||||
|
## How can I have ICS in enabled state yet still use Application Guard?
|
||||||
### How can I have ICS in enabled state yet still use Application Guard?
|
|
||||||
|
|
||||||
ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
|
ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We do not recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
|
||||||
|
|
||||||
1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
|
1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
|
||||||
|
|
||||||
2. Disable IpNat.sys from ICS load as follows: <br/>
|
2. Disable IpNat.sys from ICS load as follows: <br/>
|
||||||
`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
|
`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
|
||||||
|
|
||||||
3. Configure ICS (SharedAccess) to enabled as follows: <br/>
|
3. Configure ICS (SharedAccess) to enabled as follows: <br/>
|
||||||
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
|
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
|
||||||
|
|
||||||
4. (This is optional) Disable IPNAT as follows: <br/>
|
4. (This is optional) Disable IPNAT as follows: <br/>
|
||||||
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
|
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
|
||||||
|
|
||||||
5. Reboot the device.
|
5. Reboot the device.
|
||||||
|
|
||||||
### Why doesn't the container fully load when device control policies are enabled?
|
## Why doesn't the container fully load when device control policies are enabled?
|
||||||
|
|
||||||
Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure Application Guard works properly. This is a prerequisite. If the device installations have already been blocked by device control policies, the OS must be reinstalled to resolve this issue.
|
Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure Application Guard works properly. This is a prerequisite. If the device installations have already been blocked by device control policies, the OS must be reinstalled to resolve this issue.
|
||||||
|
|
||||||
Policy: Allow installation of devices that match any of these device IDs
|
Policy: Allow installation of devices that match any of these device IDs
|
||||||
@ -180,8 +178,6 @@ Policy: Allow installation of devices that match any of these device IDs
|
|||||||
Policy: Allow installation of devices using drivers that match these device setup classes
|
Policy: Allow installation of devices using drivers that match these device setup classes
|
||||||
- `{71a27cdd-812a-11d0-bec7-08002be2092f}`
|
- `{71a27cdd-812a-11d0-bec7-08002be2092f}`
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
## See also
|
## See also
|
||||||
|
|
||||||
[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)
|
[Configure Microsoft Defender Application Guard policy settings](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard)
|
||||||
|
|||||||
Reference in New Issue
Block a user