Skip to content

Commit

Permalink
Fix links
Browse files Browse the repository at this point in the history
  • Loading branch information
@vinaypamnani-msft
vinaypamnani-msft committed Jul 10, 2023
1 parent f00b060 commit 0e7ed8d
Show file tree
Hide file tree
Showing 2 changed files with 58 additions and 53 deletions.
5 changes: 5 additions & 0 deletions .openpublishing.redirection.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5290,6 +5290,11 @@
"redirect_url": "/windows/security/information-protection/windows-information-protection/app-behavior-with-wip",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/faq-md-app-guard.yml",
"redirect_url": "/windows/security/information-protection/windows-information-protection/faq-md-app-guard",
"redirect_document_id": false
},
{
"source_path": "windows/threat-protection/windows-information-protection/collect-wip-audit-event-logs.md",
"redirect_url": "/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs",
Expand Down
106 changes: 53 additions & 53 deletions ...-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -18,9 +18,9 @@ metadata:
title: Frequently asked questions - Microsoft Defender Application Guard
summary: |
This article lists frequently asked questions with answers for Microsoft Defender Application Guard (Application Guard). Questions span features, integration with the Windows operating system, and general configuration.
## Frequently Asked Questions
sections:
Expand All @@ -30,34 +30,34 @@ sections:
Can I enable Application Guard on machines equipped with 4-GB RAM?
answer: |
We recommend 8-GB RAM for optimal performance but you can use the following registry DWORD values to enable Application Guard on machines that aren't meeting the recommended hardware configuration.
`HKLM\software\Microsoft\Hvsi\SpecRequiredProcessorCount` (Default is four cores.)
`HKLM\software\Microsoft\Hvsi\SpecRequiredMemoryInGB` (Default is 8 GB.)
`HKLM\software\Microsoft\Hvsi\SpecRequiredFreeDiskSpaceInGB` (Default is 5 GB.)
- question: |
My network configuration uses a proxy and I’m running into a “Cannot resolve External URLs from MDAG Browser: Error: err_connection_refused”. How do I resolve that?
answer: |
The manual or PAC server must be a hostname (not IP) that is neutral on the site-list. Additionally, if the PAC script returns a proxy, it must meet those same requirements.
To ensure the FQDNs (Fully Qualified Domain Names) for the “PAC file” and the “proxy servers the PAC file redirects to” are added as Neutral Resources in the Network Isolation policies used by Application Guard, you can:
- Verify this addition by going to edge://application-guard-internals/#utilities and entering the FQDN for the pac/proxy in the “check url trust” field and verifying that it says “Neutral.”
- It must be an FQDN. A simple IP address won't work.
- Optionally, if possible, the IP addresses associated with the server hosting the above should be removed from the Enterprise IP Ranges in the Network Isolation policies used by Application Guard.
- question: |
How do I configure Microsoft Defender Application Guard to work with my network proxy (IP-Literal Addresses)?
answer: |
Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This annotation applies to Windows 10 Enterprise edition, version 1709 or higher. These annotations would be for the proxy policies under Network Isolation in Group Policy or Intune.
- question: |
Which Input Method Editors (IME) in 19H1 aren't supported?
answer: |
The following Input Method Editors (IME) introduced in Windows 10, version 1903 are currently not supported in Microsoft Defender Application Guard:
- Vietnam Telex keyboard
- Vietnam number key-based keyboard
- Hindi phonetic keyboard
Expand All @@ -70,7 +70,7 @@ sections:
- Gujarati phonetic keyboard
- Odia phonetic keyboard
- Punjabi phonetic keyboard
- question: |
I enabled the hardware acceleration policy on my Windows 10 Enterprise, version 1803 deployment. Why are my users still only getting CPU rendering?
answer: |
Expand All @@ -80,19 +80,19 @@ sections:
What is the WDAGUtilityAccount local account?
answer: |
WDAGUtilityAccount is part of Application Guard, beginning with Windows 10, version 1709 (Fall Creators Update). It remains disabled by default, unless Application Guard is enabled on your device. WDAGUtilityAccount is used to sign in to the Application Guard container as a standard user with a random password. It's NOT a malicious account. It requires *Logon as a service* permissions to be able to function correctly. If this permission is denied, you might see the following error:
**Error: 0x80070569, Ext error: 0x00000001; RDP: Error: 0x00000000, Ext error: 0x00000000 Location: 0x00000000**
- question: |
How do I trust a subdomain in my site list?
answer: |
To trust a subdomain, you must precede your domain with two dots (..). For example: `..contoso.com` ensures that `mail.contoso.com` or `news.contoso.com` are trusted. The first dot represents the strings for the subdomain name (mail or news), and the second dot recognizes the start of the domain name (`contoso.com`). These two dots prevent sites such as `fakesitecontoso.com` from being trusted.
- question: |
Are there differences between using Application Guard on Windows Pro vs Windows Enterprise?
answer: |
When using Windows Pro or Windows Enterprise, you have access to using Application Guard in Standalone Mode. However, when using Enterprise you have access to Application Guard in Enterprise-Managed Mode. This mode has some extra features that the Standalone Mode doesn't. For more information, see [Prepare to install Microsoft Defender Application Guard](./install-md-app-guard.md).
- question: |
Is there a size limit to the domain lists that I need to configure?
answer: |
Expand All @@ -107,15 +107,15 @@ sections:
Why do the Network Isolation policies in Group Policy and CSP look different?
answer: |
There's not a one-to-one mapping among all the Network Isolation policies between CSP and GP. Mandatory network isolation policies to deploy Application Guard are different between CSP and GP.
- Mandatory network isolation GP policy to deploy Application Guard: **DomainSubnets or CloudResources**
- Mandatory network isolation CSP policy to deploy Application Guard: **EnterpriseCloudResources or (EnterpriseIpRange and EnterpriseNetworkDomainNames)**
- For EnterpriseNetworkDomainNames, there's no mapped CSP policy.
Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, Application Guard doesn't work and results in an error message (**0x80070013 ERROR_WRITE_PROTECT**).
- question: |
Why did Application Guard stop working after I turned off hyperthreading?
answer: |
Expand All @@ -130,70 +130,70 @@ sections:
Why am I getting the error message "ERR_NAME_NOT_RESOLVED" after not being able to reach the PAC file?
answer: |
This issue is a known one. To mitigate this issue, you need to create two firewall rules. For information about creating a firewall rule by using Group Policy, see the following resources:
- [Create an inbound icmp rule](../windows-firewall/create-an-inbound-icmp-rule.md)
- [Open Group Policy management console for Microsoft Defender Firewall](../windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
- [Create an inbound icmp rule](../../../operating-system-security/network-security/windows-firewall/create-an-inbound-icmp-rule.md)
- [Open Group Policy management console for Microsoft Defender Firewall](../../../operating-system-security/network-security/windows-firewall/open-the-group-policy-management-console-to-windows-firewall-with-advanced-security.md)
### First rule (DHCP Server)
- Program path: `%SystemRoot%\System32\svchost.exe`
- Local Service: `Sid: S-1-5-80-2009329905-444645132-2728249442-922493431-93864177 (Internet Connection Service (SharedAccess))`
- Protocol UDP
- Port 67
### Second rule (DHCP Client)
This rule is the same as the first rule, but scoped to local port 68. In the Microsoft Defender Firewall user interface go through the following steps:
1. Right-click on inbound rules, and then create a new rule.
2. Choose **custom rule**.
3. Specify the following program path: `%SystemRoot%\System32\svchost.exe`.
4. Specify the following settings:
- Protocol Type: UDP
- Specific ports: 67
- Remote port: any
5. Specify any IP addresses.
6. Allow the connection.
7. Specify to use all profiles.
8. The new rule should show up in the user interface. Right click on the **rule** > **properties**.
9. In the **Programs and services** tab, under the **Services** section, select **settings**.
10. Choose **Apply to this Service** and select **Internet Connection Sharing (ICS) Shared Access**.
- question: |
How can I disable portions of Internet Connection Service (ICS) without breaking Application Guard?
answer: |
ICS is enabled by default in Windows, and ICS must be enabled in order for Application Guard to function correctly. We don't recommend disabling ICS; however, you can disable ICS in part by using a Group Policy and editing registry keys.
1. In the Group Policy setting, **Prohibit use of Internet Connection Sharing on your DNS domain network**, set it to **Disabled**.
2. Disable IpNat.sys from ICS load as follows: <br/>
`System\CurrentControlSet\Services\SharedAccess\Parameters\DisableIpNat = 1`
3. Configure ICS (SharedAccess) to be enabled as follows: <br/>
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Start = 3`
4. (This step is optional) Disable IPNAT as follows: <br/>
`HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPNat\Start = 4`
5. Reboot the device.
- question: |
Why doesn't the container fully load when device control policies are enabled?
answer: |
Allow-listed items must be configured as "allowed" in the Group Policy Object to ensure AppGuard works properly.
Policy: Allow installation of devices that match any of the following device IDs:
- `SCSI\DiskMsft____Virtual_Disk____`
- `{8e7bd593-6e6c-4c52-86a6-77175494dd8e}\msvhdhba`
- `VMS_VSF`
Expand All @@ -206,7 +206,7 @@ sections:
- `root\storvsp`
- `vms_vsmp`
- `VMS_PP`
Policy: Allow installation of devices using drivers that match these device setup classes
- `{71a27cdd-812a-11d0-bec7-08002be2092f}`
Expand All @@ -218,25 +218,25 @@ sections:
1. Ensure that the FragmentAware DWORD is set to 1 in this registry setting: `\Registry\Machine\SYSTEM\CurrentControlSet\Services\Winnat`.
2. Reboot the device.
- question: |
What does the _Allow users to trust files that open in Microsoft Defender Application Guard_ option in the Group policy do?
answer: |
This policy was present in Windows 10 prior to version 2004. It was removed from later versions of Windows as it doesn't enforce anything for either Edge or Office.
- question: |
How do I open a support ticket for Microsoft Defender Application Guard?
answer: |
- Visit [Create a new support request](https://support.serviceshub.microsoft.com/supportforbusiness/create).
- Under the Product Family, select Windows. Select the product and the product version you need help with. For the category that best describes the issue, select, **Windows Security Technologies**. In the final option, select **Windows Defender Application Guard**.
- question: |
Is there a way to enable or disable the behavior where the host Edge tab auto-closes when navigating to an untrusted site?
answer: |
Yes. Use this Edge flag to enable or disable this behavior: `--disable-features="msWdagAutoCloseNavigatedTabs"`
additionalContent: |
## See also
[Configure Microsoft Defender Application Guard policy settings](./configure-md-app-guard.md)

0 comments on commit 0e7ed8d

Please sign in to comment.