In Windows 10 1709 there is a lot of new security features in the Windows Defender stack, one is Windows Defender Application Guard. Windows Defender Application requires Microsoft Configuration Manager 1710 or Microsoft Intune to manage the feature.
What is Windows Defender Application Guard:
While using Microsoft Edge, Windows Defender Application Guard protects your environment from sites that haven’t been defined as trusted by your organization. When users visit sites that aren’t listed in your isolated network boundary, the sites will be opened in a virtual browsing session in Hyper-V. Trusted sites are defined by a network boundary, which can be configured in Device Configuration.
Note this feature is only available for Windows 10 (64-bit) devices.
How to deploy Windows Defender Application Guard
Go to the Intune blade of https://portal.azure.com
Click Device configuration – Profiles – Create profile
- Name : Windows 10 – Endpoint Protection WDAG
- Select Windows 10 and later
- Select Endpoint protection
- Select Configure
- Select Windows Defender Application Guard
- Select Enable
- Select Clipboard behavior – “Allow copy and paste from PC to browser only”
- Select Clipboard content – “Text and images”
- Select External content on enterprise sites – “Block”
- Select Print from virtual browser – “Allow”
- Select * Printing type(s) – “PDF”
- Select Collect logs – “Allow”
- Select Retain user-generated browser data – “Allow”
The settings of the profile you need to mach to your company security policies.
After the profile has been deployed to devices and the devices has done a sync with Intune – they need to be restarted. After the restart the Windows Defender Application Guard feature is enabled on the devices.
How is the user experience of Windows Defender Application Guard
When a user is in the Microsoft Edge browser they can open Windows Defender Application Guard by selection “New Application Guard windows”
First time Windows Defender Application Guard starts it will take some time to prepare
Then the user is ready to browse the internet in the most secure way ever.
More info on Windows Defender Application Guard