Defender Exploit Guard and Application Guard

%3CLINGO-SUB%20id%3D%22lingo-sub-2255586%22%20slang%3D%22en-US%22%3EDefender%20Exploit%20Guard%20and%20Application%20Guard%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2255586%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20would%20like%20to%20know%20general%20usage%20on%20the%20two%20of%20the%20Defender%20features.%3C%2FP%3E%3COL%3E%3CLI%3EExploit%20Guard%3C%2FLI%3E%3CLI%3EApplication%20Guard%3C%2FLI%3E%3C%2FOL%3E%3CP%3EThese%20features%20are%20set%20to%20be%20mostly%20white%20list%20operation%20and%20it%20is%20difficult%20to%20have%20them%20enabled%20on%20all%20PCs%20in%20the%20company%20where%20each%20department%20uses%20different%20applications%20and%20web%20sites.%3C%2FP%3E%3CP%3ESince%20there%20is%20not%20enough%20case%20information%20available%20and%20is%20difficult%20to%20configure%20and%20maintain%20those%20features%2C%20I'd%20like%20to%20know%20if%20there%20is%20any%20case%20for%20deploying%20to%20company%20wide.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI%20appreciate%20for%20any%20information%20or%20cases.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EIt%20is%20best%20to%20provide%20case%20for%20only%20for%20those%20department%20with%20more%20security%20to%20be%20deployed%20in%20controlled%20manner%20and%20not%20recommending%20to%20deploy%20to%20company%20wide%20as%20the%20conclusion%20for%20me%2C%20but%20I%20lack%20on%20deployment%20cases%20to%20backup%20my%20suggestion%20to%20customer.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHiroshi%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2257820%22%20slang%3D%22en-US%22%3ERe%3A%20Defender%20Exploit%20Guard%20and%20Application%20Guard%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2257820%22%20slang%3D%22en-US%22%3EBefore%20you%20embark%20on%20the%20journey%20with%20Application%20Guard%20and%20Exploit%20Guard%2C%20compare%20the%20existing%20security%20controls%20the%20customer%20may%20have%20with%20their%20existing%20security%20tools.%20Overlap%20can%20cause%20issues%20with%20performance%20or%20stop%20the%20tools%20from%20working%20properly%20all%20together.%3CBR%20%2F%3E%3CBR%20%2F%3EGenerally%2C%20when%20employing%20any%20type%20of%20new%20security%20control%2C%20you%20will%20want%20to%20do%20a%20small%20test%20or%20pilot%20group%20for%20each%20department%20to%20know%20if%20it%20would%20benefit%20them.%20They%20may%20use%20certain%20applications%2C%20plugins%2C%20or%20features%20that%20would%20break%20when%20these%20rules%20are%20enforced.%20If%20during%20your%20test%2C%20you%20find%20it%20is%20beneficial%20and%20doesn't%20negatively%20impact%20the%20user%2C%20then%20expand%20from%20there.%3CBR%20%2F%3E%3CBR%20%2F%3EAlso%20keep%20in%20mind%20any%20type%20of%20Allow%20%2F%20Block%20type%20functionality%20usually%20requires%20a%20high%20amount%20of%20initial%20setup%20and%20maintenance%2C%20which%20may%20not%20be%20financially%20viable%20for%20the%20customer.%3CBR%20%2F%3E%3CBR%20%2F%3EExploit%20Guard%20is%20a%20more%20generalized%20protection%20feature%20that%20seeks%20to%20reduce%20the%20systems%20attack%20surface%2C%20and%20identify%20suspicious%20behavior.%20However%2C%20the%20settings%20may%20impact%20application%20functionality%20and%20compatibility%20if%20not%20properly%20configured.%20It's%20best%20to%20run%20the%20settings%20you%20want%20to%20try%20in%20Audit%20mode%20first%2C%20then%20see%20the%20results%20from%20there.%20You%20may%20find%20it%20works%20well%2C%20or%20that%20lots%20of%20customization%20will%20be%20needed.%3CBR%20%2F%3E%3CBR%20%2F%3EMore%20details%20here%3A%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fconfigmgr%2Fprotect%2Fdeploy-use%2Fcreate-deploy-exploit-guard-policy%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fconfigmgr%2Fprotect%2Fdeploy-use%2Fcreate-deploy-exploit-guard-policy%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EApplication%20Guard%20on%20the%20other%20hand%20creates%20a%20sandbox%20around%20certain%20applications%20and%20limits%20how%20data%20can%20move%20in%20and%20out%20the%20sandboxes.%20In%20my%20experience%2C%20I%20found%20this%20functionality%20didn't%20work%20well%20for%20many%20use%20cases%20just%20because%20of%20how%20users%20work.%20So%20for%20this%2C%20it%20would%20be%20best%20for%20you%20to%20run%20a%20test%20scenario.%20Start%20with%20one%20setting%20at%20a%20time%2C%20and%20understand%20if%20it%20limits%20anything%2C%20or%20makes%20sense%20to%20configure.%20Under%20the%20Microsoft%20Docs%20for%20Application%20Guard%20you%20can%20find%20details%20on%20how%20to%20setup%20a%20test%20scenario.%20Make%20sure%20the%20clients%20systems%20meet%20the%20minimum%20requirements%20as%20well!%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-application-guard%2Fmd-app-guard-overview%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-application-guard%2Fmd-app-guard-overview%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps%2C%20and%20good%20luck!%3C%2FLINGO-BODY%3E
New Contributor

Hi,

 

I would like to know general usage on the two of the Defender features.

  1. Exploit Guard
  2. Application Guard

These features are set to be mostly white list operation and it is difficult to have them enabled on all PCs in the company where each department uses different applications and web sites.

Since there is not enough case information available and is difficult to configure and maintain those features, I'd like to know if there is any case for deploying to company wide.

 

I appreciate for any information or cases.

 

It is best to provide case for only for those department with more security to be deployed in controlled manner and not recommending to deploy to company wide as the conclusion for me, but I lack on deployment cases to backup my suggestion to customer.

 

 

Hiroshi

 

 

1 Reply
Before you embark on the journey with Application Guard and Exploit Guard, compare the existing security controls the customer may have with their existing security tools. Overlap can cause issues with performance or stop the tools from working properly all together.

Generally, when employing any type of new security control, you will want to do a small test or pilot group for each department to know if it would benefit them. They may use certain applications, plugins, or features that would break when these rules are enforced. If during your test, you find it is beneficial and doesn't negatively impact the user, then expand from there.

Also keep in mind any type of Allow / Block type functionality usually requires a high amount of initial setup and maintenance, which may not be financially viable for the customer.

Exploit Guard is a more generalized protection feature that seeks to reduce the systems attack surface, and identify suspicious behavior. However, the settings may impact application functionality and compatibility if not properly configured. It's best to run the settings you want to try in Audit mode first, then see the results from there. You may find it works well, or that lots of customization will be needed.

More details here:
https://docs.microsoft.com/en-us/mem/configmgr/protect/deploy-use/create-deploy-exploit-guard-policy

Application Guard on the other hand creates a sandbox around certain applications and limits how data can move in and out the sandboxes. In my experience, I found this functionality didn't work well for many use cases just because of how users work. So for this, it would be best for you to run a test scenario. Start with one setting at a time, and understand if it limits anything, or makes sense to configure. Under the Microsoft Docs for Application Guard you can find details on how to setup a test scenario. Make sure the clients systems meet the minimum requirements as well!

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-application-g...

Hope this helps, and good luck!