This part is all about Windows Defender Application Guard. Windows Defender Application Guard (WDAG) is a security feature in Windows 10 and Microsoft Edge/Internet Explorer. This feature can also be managed by Microsoft Intune.
This feature lets your users browse the Internet securely, protecting your company while your employees browse. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V enabled container, which is separate from the host operating system. More information: https://docs.microsoft.com/nl-nl/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview
Before we configure this, note that there are some requirements for enabling this feature. The device must at least have:
- 4 CPUs (CPU virtualization extensions enabled)
- 8GB of memory
- 5GB of space
- Windows 10 Enterprise, version 1709 or higher (I use 1803), or
- Windows 10 Professional edition, version 1803
If you are testing this on a virtual machine you must enable nested Hyper-V. Run this PowerShell command on your Hyper-V host:
Set-VMProcessor -VMName "The name of your Virtual Machine" -ExposeVirtualizationExtensions $true
This exposes the virtualization extensions to the virtual machine, so Hyper-V can run inside it.
Let's give this a try. Go to the Microsoft Intune portal and go to Device configuration -> Profiles.
Give the profile a name. Platform is Windows 10 and later. Profile type is Endpoint protection. More settings appear; go to Windows Defender Application Guard.
Enable some settings and click OK (twice). Then create the profile by clicking the Create button.
Go to assignments and search for the group. Select the group and click on the save button.
After a few minutes this profile is deployed to the device. In the background Intune installs Hyper-V and Windows Defender Application Guard.
Let's look at the device. You have to restart the machine first, otherwise it won't work.
Open Microsoft Edge and click on the dots to expand the menu. Click New Application Guard Window.
You have now opened a new Microsoft Edge window in an isolated Hyper-V container. This is secure browsing.
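To check a device against the requirements listed above, and to confirm that the feature is actually enabled after the Intune profile has applied, the following function can be run in an elevated PowerShell session on the client. It is an added example, not part of the original post; the function name Test-WdagReadiness is hypothetical, and counting logical processors for the "4 CPUs" requirement is an assumption.

```powershell
# Added example (not from the original post). Run elevated on the client device:
# Get-WindowsOptionalFeature -Online requires administrator rights.
function Test-WdagReadiness {
    $cs   = Get-CimInstance Win32_ComputerSystem
    $cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
    $ver  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [int]$ver.CurrentBuildNumber
    $edition = [string]$ver.EditionID

    # Minimum build per edition from the post: 1709 = build 16299, 1803 = build 17134.
    $minBuild  = @{ Enterprise = 16299; Professional = 17134 }
    $editionOk = $minBuild.ContainsKey($edition) -and ($build -ge $minBuild[$edition])

    # VirtualizationFirmwareEnabled reads False once a hypervisor is already running
    # (for example after Intune has installed Hyper-V), so HypervisorPresent is
    # accepted as equivalent evidence that the extensions are available.
    $virtOk = [bool]($cpu.VirtualizationFirmwareEnabled -or $cs.HypervisorPresent)

    # Installed RAM is reported slightly below its nominal size, so round to whole GB
    # to avoid failing a machine that really has 8GB fitted.
    $ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB)
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)

    # The optional feature is absent on unsupported editions; treat that as NotAvailable.
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        LogicalProcessors = $cs.NumberOfLogicalProcessors
        CpuOk             = $cs.NumberOfLogicalProcessors -ge 4   # assumption: "CPUs" = logical processors
        RamGB             = $ramGB
        RamOk             = $ramGB -ge 8
        FreeGB            = $freeGB
        DiskOk            = $freeGB -ge 5
        Edition           = $edition
        Build             = $build
        EditionOk         = $editionOk
        VirtualizationOk  = $virtOk
        FeatureState      = $(if ($feature) { "$($feature.State)" } else { 'NotAvailable' })
    }
}

Test-WdagReadiness | Format-List
```

A FeatureState of Enabled together with VirtualizationOk set to True after the restart indicates the profile has taken effect; on a test VM, VirtualizationOk staying False usually means the Set-VMProcessor step on the host was missed.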