Introduction
This is John Barbare and I am a Sr. Customer Engineer at Microsoft focusing on all things in the Cybersecurity space. In this blog I will be focusing on Application Guard and its correct configuration and deployment through Microsoft Endpoint Configuration Manager (MECM). I have deployed it with many of my customers and will show you what I have found useful in these deployments.
Microsoft Defender Application Guard
Microsoft Defender Application Guard is a hardware-based isolation feature that leverages a Hyper-V enabled container. The container is a lightweight Virtual Machine (VM) that runs on a separate kernel from the host, which makes it resistant to kernel attacks. There are two modes: Enterprise Management Mode and Standalone Mode.
In Enterprise Management Mode, the administrator defines trusted sites through GPOs, Microsoft Intune, MECM, or your current mobile device management solution. Untrusted sites launch in the isolated Hyper-V container, giving the user a browsing session in which malicious content is kept away from the host.
In Standalone Mode, users start the isolated browser session themselves, without any administrator involvement or policy configuration. I do not personally recommend this mode, as it lets the user, rather than your Security Administrators, decide how your enterprise security tools are used. More information on the details of Application Guard and its prerequisites can be found in my Tech Blog on App Guard for Office.
A method I use regularly with customers who are transitioning off GPOs (Group Policy Objects) and do not have access to Intune is to deploy through MECM. This method is reliable, and Application Guard policy updates are easy to control, either on a scheduled interval or by manually triggering an update from the CM client on the device. You can take advantage of the SMS Agent to deploy Application Guard quickly, and updates are applied within several minutes, depending on connectivity. This makes it a good replacement if you run into obstacles deploying Application Guard by other methods.
How the MECM Deployment of Application Guard Policy Works
After the Application Guard policy is deployed from the MECM console to the MECM clients, the machine policy update delivers the Application Guard policy to each client as a Configuration Item. It appears in the Configuration Manager client's Properties under the Configurations tab, as shown in the following screenshot:
Just like with other Baseline Configuration Items, you can select the Application Guard policy from the list and then use the highlighted buttons to Refresh it, Evaluate its compliance status, and View Report.
Whenever you make a change to the Application Guard policy, you just need to run the Machine Policy Retrieval & Evaluation Cycle on the client device to pull down the latest version of the policy, and then manually evaluate the Application Guard Configuration Item. The whole process usually takes only several minutes, which is convenient compared to other deployment methods such as GPOs.
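The refresh-and-evaluate sequence just described, scripted on the client as an added example (not the post's own material). It assumes Windows PowerShell running elevated on a ConfigMgr client; the configuration item display name is a placeholder to replace with the name shown on the Configurations tab.

```powershell
# Added example (not from the original post): trigger the Machine Policy Retrieval &
# Evaluation Cycle, evaluate the Application Guard configuration item, and report its
# compliance state. Run elevated on a ConfigMgr client.

function Invoke-AppGuardPolicyRefresh {
    param(
        [string]$CiDisplayName = 'Application Guard Policy',  # placeholder, not a real CI name
        [int]$PolicyWaitSeconds = 60
    )

    # Schedule ID ...21 is the Machine Policy Retrieval & Evaluation Cycle, the same action
    # as the button in the Configuration Manager control panel applet.
    $machinePolicyCycle = '{00000000-0000-0000-0000-000000000021}'
    Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
        -ArgumentList $machinePolicyCycle | Out-Null

    # Give the client time to download the updated policy before evaluating it.
    Start-Sleep -Seconds $PolicyWaitSeconds

    $ci = Get-WmiObject -Namespace 'root\ccm\dcm' -Class 'SMS_DesiredConfiguration' |
          Where-Object { $_.DisplayName -eq $CiDisplayName }
    if (-not $ci) { throw "Configuration item '$CiDisplayName' was not found on this client." }
    $ciName = $ci.Name

    # Same action as the Evaluate button on the client's Configurations tab.
    ([wmiclass]'root\ccm\dcm:SMS_DesiredConfiguration').TriggerEvaluation($ciName, $ci.Version) | Out-Null
    Start-Sleep -Seconds 30

    # Re-read the object; LastComplianceStatus is 1 when the client reports it compliant.
    $ci = Get-WmiObject -Namespace 'root\ccm\dcm' -Class 'SMS_DesiredConfiguration' |
          Where-Object { $_.Name -eq $ciName }
    [pscustomobject]@{
        Name      = $ci.DisplayName
        Version   = $ci.Version
        Compliant = ($ci.LastComplianceStatus -eq 1)
        RawStatus = $ci.LastComplianceStatus
    }
}

Invoke-AppGuardPolicyRefresh
```

If RawStatus is anything other than 1, check the client's DCMAgent.log and DCMReporting.log for the evaluation details.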
Deployment Steps
The Application Guard Deployment Steps include:
Create Application Guard Policy
In MECM Console
Starting in Configuration Manager version 1906, there's a policy setting that enables users to trust files that normally open in Application Guard. Upon successful completion, the file opens on the host device instead of in Application Guard.
Options:
Known Issues with File Trust Management:
When you enable file trust management, you may see errors logged in the client's DCMReporting.log. The errors below typically do not affect functionality.
On compatible devices:
FileTrustCriteria_condition not found
FileTrustCriteria_condition could not be located in the map
FileTrustCriteria_condition not found in digest
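An added example (not from the original post) that reads a DCMReporting.log and separates the known benign FileTrustCriteria errors listed above from any other error entries that deserve a look. It assumes the standard ConfigMgr log line format and the default %windir%\CCM\Logs path; the sample lines are constructed for the demo.

```powershell
# Added example (not from the original post). ConfigMgr log lines have the shape
#   <![LOG[message]LOG]!><time="..." date="..." component="..." context="" type="N" ...>
# where type 3 is an error.

$knownBenign = @(
    'FileTrustCriteria_condition not found',
    'FileTrustCriteria_condition could not be located in the map',
    'FileTrustCriteria_condition not found in digest'
)

function Get-DcmReportingErrors {
    param([string[]]$Lines)
    $pattern = '^<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)".*?type="(?<type>\d)"'
    foreach ($line in $Lines) {
        if ($line -match $pattern -and $Matches.type -eq '3') {
            $msg = $Matches.msg
            [pscustomobject]@{
                Date        = $Matches.date
                Time        = $Matches.time
                Component   = $Matches.comp
                Message     = $msg
                # true when the message is one the post calls out as harmless
                KnownBenign = [bool]($knownBenign | Where-Object { $msg -like "*$_*" })
            }
        }
    }
}

# Constructed sample lines (not a real log): the three benign messages plus one other error.
$sample = @(
    '<![LOG[FileTrustCriteria_condition not found]LOG]!><time="09:15:02.101+000" date="03-10-2021" component="DCMReporting" context="" type="3" thread="4120" file="ciagent.cpp:100">',
    '<![LOG[FileTrustCriteria_condition could not be located in the map]LOG]!><time="09:15:02.105+000" date="03-10-2021" component="DCMReporting" context="" type="3" thread="4120" file="ciagent.cpp:110">',
    '<![LOG[FileTrustCriteria_condition not found in digest]LOG]!><time="09:15:02.110+000" date="03-10-2021" component="DCMReporting" context="" type="3" thread="4120" file="ciagent.cpp:120">',
    '<![LOG[Failed to download policy body]LOG]!><time="09:15:03.000+000" date="03-10-2021" component="DCMReporting" context="" type="3" thread="4120" file="ciagent.cpp:200">'
)

Get-DcmReportingErrors -Lines $sample | Format-Table -AutoSize

# Against the real client log, keeping only errors that are not on the known benign list:
# Get-DcmReportingErrors -Lines (Get-Content "$env:windir\CCM\Logs\DCMReporting.log") |
#     Where-Object { -not $_.KnownBenign }
```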
Network Isolation Configuration
To support all sub-domains of Contoso, we need a wildcard in the form of a leading ".":
Ex: .contoso.com
For a sub-sub-domain: ..contoso.com (this form did not work in our testing; see the note in the table below)
Policy name: Enterprise Cloud Resource domains hosted in the cloud
Supported versions: At least Windows Server 2012, Windows 8, or Windows RT
Description: Ex: contoso.sharepoint.com|my.adp.com|.adp.com|.service-now.com|.contoso.com
In the above example, all in-house apps of contoso.com will be supported, such as app1.contoso.com, app2.contoso.com, and so on; Contoso.adp.com and Contoso.service-now.com will also be supported. In our test, only one "." was accepted; the sub-sub-domain form (..) was not working.

Policy name: The private network ranges for apps
Supported versions: At least Windows Server 2012, Windows 8
Description: A comma-separated list of IP address ranges

Policy name: Domains categorized as both work and personal
Supported versions: At least Windows Server 2012, Windows 8, or Windows RT

Policy name: Neutral Resources
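An added example (not the post's code) for checking, before you push the policy, which hostnames a proposed Enterprise Cloud Resources value covers under the wildcard behaviour observed above. The single-level matching for a leading "." follows the post's test result; the assumption that ".contoso.com" does not also cover the bare "contoso.com" is this example's own and should be verified in your environment.

```powershell
# Added example (not from the original post). Models the wildcard behaviour the post observed:
# a leading "." covers exactly one subdomain level and the ".." form is unsupported. Whether
# ".contoso.com" also covers the bare "contoso.com" is an assumption here (modelled as: no).

function Test-CloudResourceMatch {
    param(
        [string]$HostName,   # host the user will browse to
        [string]$EntryList   # the pipe-separated policy value, as entered in the console
    )
    $h = $HostName.Trim().ToLowerInvariant()
    foreach ($entry in ($EntryList -split '\|')) {
        $e = $entry.Trim().ToLowerInvariant()
        if ($e -eq '') { continue }
        if ($e.StartsWith('..')) {
            Write-Warning "Entry '$e' uses the '..' form, which did not work in testing; skipped."
            continue
        }
        if ($e.StartsWith('.')) {
            # Wildcard: host must end with the suffix and have exactly one label in front of it.
            $suffix = $e.Substring(1)
            if ($h.EndsWith('.' + $suffix)) {
                $prefix = $h.Substring(0, $h.Length - $suffix.Length - 1)
                if ($prefix.Length -gt 0 -and $prefix -notmatch '\.') { return $e }
            }
        }
        elseif ($h -eq $e) { return $e }   # literal entry: exact match only
    }
    return $null
}

# The example value from the table above, plus a few hosts to check against it.
$policyValue = 'contoso.sharepoint.com|my.adp.com|.adp.com|.service-now.com|.contoso.com'
$hosts = 'app1.contoso.com', 'contoso.adp.com', 'contoso.service-now.com',
         'deep.app1.contoso.com', 'contoso.com', 'app.fabrikam.com'
foreach ($name in $hosts) {
    $m = Test-CloudResourceMatch -HostName $name -EntryList $policyValue
    if ($m) { "{0,-26} covered by '{1}'" -f $name, $m } else { "{0,-26} NOT covered" -f $name }
}
```

A host reported as NOT covered (such as deep.app1.contoso.com under single-level matching) will open in the isolated container rather than on the host, so add an explicit entry for it if that is not what you intend.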
Application Guard Limitations and Considerations for Office 365 and Windows 10
Conclusion
Thanks for taking the time to read this article; I hope you now have a better understanding of the configuration required to deploy Application Guard with MECM. Hope to see you in the next blog, and always protect your endpoints!
Thanks for reading and have a great Cybersecurity day!
Follow my Microsoft Security Blogs: http://aka.ms/JohnBarbare and also on LinkedIn.
References
Application Guard devices running Windows 10, version 2004 will show failures (0x80070013 ERROR_WRITE_PROTECT)
Application Guard for Office 365 Limitations and Considerations
Configuration for Application Guard Network Isolation
Manage Application Guard policies - Configuration Manager | Microsoft Docs
Microsoft Defender Application Guard FAQ