To learn more about assigning policies, see Assign policies in Microsoft Intune. In the Assignments page, select the users or groups that will receive the policy. To learn more about scope tags, see Use role-based access control (RBAC) and scope tags for distributed IT. In the Scope tags tab, if your organization is using scope tags, choose + Select scope tags, and then select the tags you want to use.
In the Configuration settings tab, configure the Application Guard settings, as desired. In the Basics tab, specify the Name and Description for the policy.
In the Profile type, select App and browser isolation. In the Platform list, select Windows 10 and later. Select Endpoint security > Attack surface reduction > Create Policy, and do the following: Sign in to the Microsoft Intune admin center. Make sure your organization's devices meet requirements and are enrolled in Intune. Select the check box next to Microsoft Defender Application Guard and then select OK to install Application Guard and its underlying dependencies. Open the Control Panel, select Programs, and then select Turn Windows features on or off. However, you can quickly install it on your employee's devices through the Control Panel, PowerShell, or your mobile device management (MDM) solution. The following diagram shows the flow between the host PC and the isolated container.Īpplication Guard functionality is turned off by default. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container.Įnterprise-managed mode is applicable for: You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Windows 10 Pro edition, version 1803 and later. Windows 10 Enterprise edition, version 1709 and later. For an example of how this works, see the Application Guard in standalone mode testing scenario. In this mode, you must install Application Guard and then the employee must manually start Microsoft Edge in Application Guard while browsing untrusted sites. Standalone modeĮmployees can use hardware-isolated browsing sessions without any administrator or management policy configuration. 
You can use Application Guard in either Standalone or Enterprise-managed mode.
Prepare for Microsoft Defender Application Guardīefore you can install and use Microsoft Defender Application Guard, you must determine which way you intend to use it in your enterprise. For testing and automation on non-production machines, you may enable WDAG on a VM by enabling Hyper-V nested virtualization on the host. Microsoft Defender Application Guard is not supported on VMs and VDI environment.
0 kommentar(er)
