Microsoft Defender Application Guard overview

Applies to: Microsoft Defender for Endpoint

Microsoft Defender Application Guard (Application Guard) is designed to help prevent old and newly emerging attacks and to help keep employees productive. Using our unique hardware isolation approach, our goal is to destroy the playbook that attackers use by making current attack methods obsolete.

What is Application Guard and how does it work?

For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrusted sites, protecting your company while your employees browse the Internet. As an enterprise administrator, you define which websites, cloud resources, and internal networks are trusted. Everything not on your list is considered untrusted. If an employee goes to an untrusted site through either Microsoft Edge or Internet Explorer, Microsoft Edge opens the site in an isolated Hyper-V-enabled container.

For Microsoft Office, Application Guard helps prevent untrusted Word, PowerPoint, and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.

[Figure: hardware isolation diagram]
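The trust decision described above hinges on three things an administrator controls: whether the Application Guard feature is present, whether it runs in managed mode, and what the enterprise-defined trusted boundary contains (everything outside it is isolated). The following PowerShell audit, added here as an example and not code from the Microsoft documentation, reads those settings from a Windows host; the registry paths and value names are assumptions based on the Application Guard and Network Isolation Group Policy settings and should be checked against your ADMX templates.

```powershell
# Added example (not from the Microsoft docs page): audit the Application Guard
# configuration that decides which sites and files open in the isolated container.
# Assumption: registry locations below match the Application Guard and
# Network Isolation Group Policy settings; verify against your ADMX templates.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-ApplicationGuardStatus {
    # Optional feature state; requires an elevated session.
    $feature = Get-WindowsOptionalFeature -Online `
        -FeatureName 'Windows-Defender-ApplicationGuard' -ErrorAction SilentlyContinue

    # Managed-mode policy (assumed values: 0 = off, 1 = Edge, 2 = Office, 3 = both).
    $providerSet = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI' 'AllowAppHVSI_ProviderSet'
    $mode = switch ($providerSet) {
        0 { 'Disabled' } 1 { 'Edge' } 2 { 'Office' } 3 { 'Edge and Office' }
        default { 'NotConfigured (standalone mode or feature off)' }
    }

    # Enterprise trust boundary: anything NOT matched here is treated as untrusted.
    $ni = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
    $boundary = [ordered]@{
        CloudResources   = Get-PolicyValue $ni 'EnterpriseCloudResources'
        IPRanges         = Get-PolicyValue $ni 'EnterpriseIPRange'
        DomainNames      = Get-PolicyValue $ni 'EnterpriseNetworkDomainNames'
        NeutralResources = Get-PolicyValue $ni 'NeutralResources'
    }

    [pscustomobject]@{
        FeatureState    = if ($feature) { $feature.State } else { 'Unknown' }
        ManagedMode     = $mode
        TrustBoundary   = $boundary
        # A managed deployment with an empty boundary isolates every site,
        # including internal ones; flag that so the admin can review the list.
        BoundaryDefined = [bool]($boundary.Values | Where-Object { $_ })
    }
}

Get-ApplicationGuardStatus | Format-List
```

Run it in an elevated PowerShell session; a result of ManagedMode set to Edge or Office with BoundaryDefined equal to False means the trusted list is empty and all browsing or documents will be isolated.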

What types of devices should use Application Guard?

Application Guard has been created to target several types of devices:

  • Enterprise desktops. These desktops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wired, corporate network.

  • Enterprise mobile laptops. These laptops are domain-joined and managed by your organization. Configuration management is primarily done through Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges and use a high-bandwidth, wireless, corporate network.

  • Bring your own device (BYOD) mobile laptops. These personally owned laptops are not domain-joined, but are managed by your organization through tools such as Microsoft Intune. The employee is typically an admin on the device and uses a high-bandwidth wireless corporate network while at work and a comparable personal network while at home.

  • Personal devices. These personally owned desktops or mobile laptops are not domain-joined or managed by an organization. The user is an admin on the device and uses a high-bandwidth wireless personal network while at home or a comparable public network while outside.

Related articles

| Article | Description |
| --- | --- |
| System requirements for Microsoft Defender Application Guard | Specifies the prerequisites necessary to install and use Application Guard. |
| Prepare and install Microsoft Defender Application Guard | Provides instructions about determining which mode to use, either Standalone or Enterprise-managed, and how to install Application Guard in your organization. |
| Configure the Group Policy settings for Microsoft Defender Application Guard | Provides info about the available Group Policy and MDM settings. |
| Testing scenarios using Microsoft Defender Application Guard in your business or organization | Provides a list of suggested testing scenarios that you can use to test Application Guard in your organization. |
| Microsoft Defender Application Guard Extension for web browsers | Describes the Application Guard extension for Chrome and Firefox, including known issues and a troubleshooting guide. |
| Microsoft Defender Application Guard for Microsoft Office | Describes Application Guard for Microsoft Office, including minimum hardware requirements, configuration, and a troubleshooting guide. |
| Frequently asked questions - Microsoft Defender Application Guard | Provides answers to frequently asked questions about Application Guard features, integration with the Windows operating system, and general configuration. |
| Use a network boundary to add trusted sites on Windows devices in Microsoft Intune | Describes the network boundary feature, which helps you protect your environment from sites that aren't trusted by your organization. |