Enable Microsoft Defender Application Guard | Configuration Profile

Enable Microsoft Defender Application Guard

Question

You have configured Defender for Endpoint for your Windows 10 devices managed by Microsoft Endpoint Manager.

You wish to enable Microsoft Defender Application Guard.

Which Device configuration profile should you choose?

Answers

Explanations

A. B. C. D.

Correct Answer: D

You can enable Microsoft Defender Application Guard by using the Endpoint Protection configuration profile in Endpoint Manager.

These policies help protect your users by opening untrusted web sites in a secure isolated container that isn't accessible by other parts of the operating system.

Option A is incorrect.

The Identity Protection profile lets you manage Windows Hello for Business settings on Windows devices.

Option B is incorrect.

The SCEP certificate profile lets you deploy a Simple Certificate Enrollment Protocol (SCEP) certificate to enable certificate-based authentication.

Option C is incorrect.

Secure assessment is an education profile whose features include the Take a Test app and settings to add a test URL and choose how end users sign in to the test.

The correct answer is D. Endpoint Protection.

Microsoft Defender Application Guard is a security feature that uses virtualization-based security to isolate potentially malicious code from the underlying operating system and applications. This helps protect devices from attacks that target web browsers or other applications.

To enable Microsoft Defender Application Guard, you need to create and deploy a Device configuration profile that includes the necessary settings. This profile should be configured using the Endpoint Protection profile type.

The Identity protection profile type is used to configure settings related to Azure Active Directory identity protection, while the SCEP certificate profile type is used to configure settings related to System Center Endpoint Protection. The Secure assessment profile type is used to configure settings for security assessments, such as the Microsoft Secure Score.

Therefore, the correct profile type to choose in this scenario is D. Endpoint Protection.