Part 5 – Configure Microsoft Intune – Windows Defender Application Guard


This part is all about Windows Defender Application Guard. Windows Defender Application Guard (WDAG) is a security feature in Windows 10 and Microsoft Edge/Internet Explorer. This feature can also be managed by Microsoft Intune.

This feature lets your users browse the Internet securely, protecting your company while your employees browse. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container, which is separate from the host operating system. More information: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview

Before we configure this, there are some requirements for enabling this feature. The device must have at least:

  • 4 CPUs (with CPU virtualization extensions enabled),
  • 8 GB of memory,
  • 5 GB of disk space,
  • Windows 10 Enterprise, version 1709 or higher (I use 1803), or
  • Windows 10 Professional edition, version 1803.

If you are testing this on a virtual machine, you must enable nested virtualization. Run this PowerShell on your Hyper-V host:

Set-VMProcessor -VMName "The name of your Virtual Machine" -ExposeVirtualizationExtensions $true

This exposes the CPU virtualization extensions to the virtual machine, so Hyper-V (and therefore the Application Guard container) can run inside it.

More information: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard
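As an added example (my own script, not part of the original post or Microsoft's documentation), the following PowerShell checks the requirements listed above on the device itself and reports the WDAG feature state afterwards. It assumes the build-number mapping 1709 = 16299 and 1803 = 17134 and the optional-feature name Windows-Defender-ApplicationGuard, neither of which is on this page; run it in an elevated PowerShell window on the Windows 10 device.

```powershell
# Added example: verify WDAG prerequisites on the target device (run elevated).
# Assumptions not taken from the post: 1709 = build 16299, 1803 = build 17134,
# and the optional feature is named Windows-Defender-ApplicationGuard.

$os  = Get-CimInstance Win32_OperatingSystem
$cs  = Get-CimInstance Win32_ComputerSystem
$cpu = Get-CimInstance Win32_Processor | Select-Object -First 1
$sys = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')   # system drive, e.g. C

$build     = [int]$os.BuildNumber
$isEnt     = $os.Caption -match 'Enterprise'
$isPro     = $os.Caption -match '\bPro\b'                  # "Windows 10 Pro"
$editionOk = ($isEnt -and $build -ge 16299) -or ($isPro -and $build -ge 17134)

# VirtualizationFirmwareEnabled reports False once a hypervisor already owns the
# extensions (e.g. Hyper-V already installed), so accept HypervisorPresent too.
$virtOk = [bool]$cpu.VirtualizationFirmwareEnabled -or [bool]$cs.HypervisorPresent

# Firmware reserves some RAM, so an 8 GB machine reports slightly under 8 GB; round.
$memGb = [math]::Round($cs.TotalPhysicalMemory / 1GB)

$checks = [ordered]@{
    'Edition/version (Enterprise 1709+ or Pro 1803+)' = $editionOk
    'At least 4 logical CPUs'                          = $cs.NumberOfLogicalProcessors -ge 4
    'CPU virtualization extensions available'          = $virtOk
    'At least 8 GB memory'                             = $memGb -ge 8
    'At least 5 GB free on the system drive'           = $sys.Free -ge 5GB
}

foreach ($name in $checks.Keys) {
    $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
    '{0,-4} {1}' -f $state, $name
}

# After the Intune profile has applied and the device has rebooted, expect "Enabled".
try {
    $wdag = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -ErrorAction Stop
    'WDAG feature state: {0}' -f $wdag.State
} catch {
    'WDAG feature state: could not be read (run elevated): {0}' -f $_.Exception.Message
}
```

Any FAIL line means the Intune profile will apply but Application Guard will not start on that device until the requirement is met.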

Let's give this a try. Go to the Microsoft Intune portal and go to Device configuration -> Profiles.

Create Profile

Give the profile a name. Platform is Windows 10 and later; profile type is Endpoint protection. More settings appear; go to Windows Defender Application Guard.

Enable the settings you want and click OK (twice). Then create the profile by clicking the Create button.

Go to Assignments and search for the group. Select the group and click the Save button.

After a few minutes the profile is deployed to the device. In the background, Intune installs Hyper-V and Windows Defender Application Guard.

Let's look at the device. You have to restart the machine first, otherwise it won't work.

Open Microsoft Edge and click the dots to expand the menu. Click New Application Guard window.

You have now opened a new Microsoft Edge window in an isolated Hyper-V container. This is secure browsing.
