Create and deploy Microsoft Defender Application Guard policy

Applies to: Configuration Manager (current branch)

You can create and deploy Microsoft Defender Application Guard (Application Guard) policies by using Configuration Manager endpoint protection. These policies help protect your users by opening untrusted web sites in a secure, isolated container that isn't accessible by other parts of the operating system, so a browser session compromised inside the container can't reach host data.

Prerequisites

To create and deploy a Microsoft Defender Application Guard policy, you must use the Windows 10 Fall Creators Update (version 1709) or later. The Windows 10 devices to which you deploy the policy must be configured with a network isolation policy. For more information, see the Microsoft Defender Application Guard overview.

Create a policy and browse the available settings

  1. In the Configuration Manager console, choose Assets and Compliance.

  2. In the Assets and Compliance workspace, choose Overview > Endpoint Protection > Windows Defender Application Guard.

  3. On the Home tab, in the Create group, click Create Windows Defender Application Guard Policy.

  4. Using this article as a reference, browse and configure the available settings. Configuration Manager lets you set the policy settings described in the following sections.

  5. On the Network Definition page, specify the corporate identity and define your corporate network boundary. Sites inside this boundary open in the normal host browser; everything outside it opens in the container. An over-broad boundary (for example, a wildcard that covers third-party domains) therefore silently removes the isolation for those sites.

    Note

    Windows 10 PCs store only one network isolation list on the client. You can create two different kinds of network isolation lists and deploy them to the client:

    • one from Windows Information Protection
    • one from Microsoft Defender Application Guard

    If you deploy both policies, the two network isolation lists must match. If you deploy lists that don't match to the same client, the deployment fails. For more information, see the Windows Information Protection documentation.

  6. When you're finished, complete the wizard and deploy the policy to one or more Windows 10 version 1709 or later devices.

Host interaction settings

Configures interactions between the host device and the Application Guard container. Each of these settings opens a channel from the container back to the host, so enable only the ones your users need. Before Configuration Manager version 1802, both application behavior and host interaction were under the Settings tab.

  • Clipboard (under Settings before Configuration Manager version 1802):
    • Permitted content type
      • Text
      • Images
  • Printing:
    • Enable printing to XPS
    • Enable printing to PDF
    • Enable printing to local printers
    • Enable printing to network printers
  • Graphics (starting in Configuration Manager version 1802):
    • Virtual graphics processor access
  • Files (starting in Configuration Manager version 1802):
    • Save downloaded files to host

Application behavior settings

Configures application behavior inside the Application Guard session. Before Configuration Manager version 1802, both application behavior and host interaction were under the Settings tab.

  • Content:
    • Enterprise sites can load non-enterprise content, such as third-party plug-ins.
  • Other:
    • Retain user-generated browser data
    • Audit security events in the isolated Application Guard session
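After the policy is deployed, you usually want to confirm what actually landed on a client rather than trust the console. The following PowerShell script is an added example, not part of the Configuration Manager documentation or product: it reads the effective Application Guard settings on a Windows 10 client through the MDM Bridge WMI provider and decodes the clipboard and printing bit-masks behind the Host interaction and Application behavior pages above. Assumptions not stated on this page: the namespace root\cimv2\mdm\dmmap, the property names (ClipboardSettings, ClipboardFileType, PrintingSettings, AllowVirtualGPU, SaveFilesToHost, BlockNonEnterpriseContent, AllowPersistence, AuditApplicationGuard, FileTrustCriteria) and the value encodings follow the WindowsDefenderApplicationGuard CSP; the MDM bridge only answers the local SYSTEM account.

```powershell
# Added example (not Configuration Manager's own code). Read the Application Guard
# settings that actually applied on this client and decode the bit-masks that the
# Clipboard / Printing / Graphics / Files / Content / Other policy pages map to.
#
# Assumptions (not on the page): namespace, class properties and value encodings
# follow the WindowsDefenderApplicationGuard CSP. The MDM bridge answers only the
# local SYSTEM account, so run this as SYSTEM (for example psexec -s -i powershell.exe,
# or as a Configuration Manager script, which already runs as SYSTEM).

function Get-AppGuardEffectivePolicy {
    [CmdletBinding()]
    param()

    # Policy is meaningless if the optional feature is not installed on the host.
    $feature   = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction Stop
    $installed = ($feature.State -eq 'Enabled')

    # The class named in this page's Known issues section, read via the MDM bridge.
    $mdm = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
        -ClassName 'MDM_WindowsDefenderApplicationGuard_Settings01' -ErrorAction Stop

    # ClipboardSettings (assumed encoding): 0 off, 1 container->host, 2 host->container, 3 both.
    $clipDirection = switch ([int]$mdm.ClipboardSettings) {
        0       { 'Disabled' }
        1       { 'Container to host' }
        2       { 'Host to container' }
        3       { 'Both directions' }
        default { "Unknown ($_)" }
    }

    # ClipboardFileType (assumed encoding) is a bit-mask: 1 = text, 2 = images.
    $clipTypes = @()
    if ([int]$mdm.ClipboardFileType -band 1) { $clipTypes += 'Text' }
    if ([int]$mdm.ClipboardFileType -band 2) { $clipTypes += 'Images' }

    # PrintingSettings (assumed encoding) is a bit-mask: 1 XPS, 2 PDF, 4 local, 8 network.
    $printMap = [ordered]@{ 1 = 'XPS'; 2 = 'PDF'; 4 = 'Local printers'; 8 = 'Network printers' }
    $printing = foreach ($bit in $printMap.Keys) {
        if ([int]$mdm.PrintingSettings -band $bit) { $printMap[$bit] }
    }

    [pscustomobject]@{
        FeatureInstalled          = $installed
        ApplicationGuardEnabled   = ([int]$mdm.AllowWindowsDefenderApplicationGuard -eq 1)
        ClipboardDirection        = $clipDirection
        ClipboardContentTypes     = ($clipTypes -join ', ')
        Printing                  = ($printing -join ', ')
        VirtualGpuAccess          = ([int]$mdm.AllowVirtualGPU -eq 1)
        SaveDownloadsToHost       = ([int]$mdm.SaveFilesToHost -eq 1)
        BlockNonEnterpriseContent = ([int]$mdm.BlockNonEnterpriseContent -eq 1)
        RetainBrowserData         = ([int]$mdm.AllowPersistence -eq 1)
        AuditEvents               = ([int]$mdm.AuditApplicationGuard -eq 1)
        # FileTrustCriteria: 0 = prohibited. The meaning of the non-zero values (all files
        # versus antivirus-checked) is not decoded here; the raw value is returned instead.
        FileTrustCriteriaRaw      = $mdm.FileTrustCriteria
    }
}

Get-AppGuardEffectivePolicy | Format-List
```

Run it on one device from each collection you target: a printing mask of 0 with the page's four printing boxes ticked in the console, or ClipboardContentTypes empty when Text was enabled, tells you the policy never reached the client (or a conflicting Group Policy overrode it) before users report it.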

File management

Starting in Configuration Manager version 1906, there's a policy setting that lets users trust files that would normally open in Application Guard. Once a file is trusted, it opens on the host device instead of in Application Guard. For more information about the Application Guard policies, see Configure Microsoft Defender Application Guard policy settings.

  • Allow users to trust files that open in Windows Defender Application Guard - Lets users mark files as trusted. A trusted file opens on the host rather than in Application Guard, so this setting hands the isolation decision to the user. Applies to clients running Windows 10 version 1809 or later.
    • Prohibited: Don't allow users to mark files as trusted (default).
    • File checked by antivirus: Allow users to mark files as trusted after an antivirus check.
    • All files: Allow users to mark any file as trusted.

When you enable file management, you may see errors logged in the client's DCMReporting.log. The following errors typically don't affect functionality:

  • On compatible devices:
    • FileTrustCriteria_condition not found
  • On non-compatible devices:
    • FileTrustCriteria_condition not found
    • FileTrustCriteria_condition could not be located in the map
    • FileTrustCriteria_condition not found in digest
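Because those three messages are expected noise, it helps to filter them out so that other compliance-evaluation errors in the same log stay visible. The script below is an added example, not part of the Configuration Manager documentation: it parses DCMReporting.log and reports only warnings and errors that are not in the benign list above. It assumes the default client log path C:\Windows\CCM\Logs\DCMReporting.log and the CMTrace line format (`<![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>`, where type 1 is informational, 2 warning and 3 error); the function name and the log path parameter are the example's own.

```powershell
# Added example (not Configuration Manager's own code). Triage DCMReporting.log so that
# the FileTrustCriteria_condition messages this page documents as benign are separated
# from errors that actually need attention.
#
# Assumptions (not on the page): default client log path and the CMTrace record layout
# <![LOG[message]LOG]!><time="..." date="..." component="..." ... type="N" ...>.

function Get-AppGuardLogErrors {
    [CmdletBinding()]
    param(
        [string]$LogPath = 'C:\Windows\CCM\Logs\DCMReporting.log'
    )

    # Messages this page lists as typically harmless once file management is enabled.
    $benign = @(
        'FileTrustCriteria_condition not found in digest',
        'FileTrustCriteria_condition could not be located in the map',
        'FileTrustCriteria_condition not found'
    )

    # One CMTrace record per line: capture the message text and the metadata attributes.
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)"[^>]*?type="(?<type>\d)"'

    foreach ($line in Get-Content -Path $LogPath -ErrorAction Stop) {
        if ($line -match $pattern) {
            $type = [int]$Matches['type']
            # Only warnings (2) and errors (3) are interesting for triage.
            if ($type -lt 2) { continue }

            $msg      = $Matches['msg']
            $isBenign = $false
            foreach ($b in $benign) {
                if ($msg -like "*$b*") { $isBenign = $true; break }
            }
            $severity = if ($type -eq 3) { 'Error' } else { 'Warning' }

            [pscustomobject]@{
                Date     = $Matches['date']
                Time     = $Matches['time']
                Severity = $severity
                Benign   = $isBenign
                Message  = $msg
            }
        }
    }
}

# Anything that is not in the documented-benign list deserves a look.
Get-AppGuardLogErrors | Where-Object { -not $_.Benign } | Format-Table -AutoSize
```

Drop the `Where-Object` filter to see the benign entries too, for example when you want to confirm that a device is evaluating the file-trust condition at all.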

To edit Application Guard settings, expand Endpoint Protection in the Assets and Compliance workspace, then click the Windows Defender Application Guard node. Right-click the policy you want to edit, then select Properties.

Known issues

Devices running Windows 10, version 2004 show failures in compliance reporting for the Microsoft Defender Application Guard File Trust Criteria setting. This issue occurs because some subclasses were removed from the WMI class MDM_WindowsDefenderApplicationGuard_Settings01 in Windows 10, version 2004. All other Microsoft Defender Application Guard settings still apply; only File Trust Criteria fails. Currently, there is no workaround for the error, so treat that one failure on version 2004 devices as expected rather than as a sign that the whole policy failed.

Next steps

For more information about Microsoft Defender Application Guard, see