We implemented Microsoft Defender Application Guard (MDAG) across a large enterprise using Microsoft Intune, PowerShell automation, and Azure Runbooks. This ensured hardware-isolated browsing for untrusted websites, minimized manual updates, and enabled admin-controlled URL whitelisting, significantly boosting security without impacting user productivity.
- Rising phishing and zero-day threats from unknown URLs
- Need for browser session isolation for untrusted sites
- Policy automation through Intune without manual effort
- Admin-based control for whitelisted URLs
- Real-time security policy propagation

MDAG Policy via Intune
- Used Endpoint Protection template
- Enabled GPU, download permissions, clipboard controls
- Assigned to all users

App Protection Policy
- Applied to Windows 10+ devices
- Setup for non-enrolled devices
- Default settings used for compatibility

URL Approval Workflow App
- Built in .NET 5.0 + SQL Server backend
- Integrated with Azure AD (App Registration)
- Roles: Users (submit URLs), Admins (approve/reject requests)

PowerShell + Azure Runbook Automation
- Fetches approved URLs and sends them to Intune via Graph API
- Scheduled to run hourly, logs tracked for failures
- Syncs changes to Intune, applying in ~12 minutes
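The runbook described above, as an added example written for this page rather than the project's own script. It assumes a SQL table dbo.UrlRequests with Url and Status columns (Status = 'Approved' for admin-approved entries), a runbook managed identity granted the Graph permission DeviceManagementConfiguration.ReadWrite.All, and an existing Intune device configuration (placeholder id in $PolicyId) that carries the network isolation domain list MDAG uses to decide which sites open outside the container. The server and database names are placeholders, and the Graph resource type and property names (windows10NetworkBoundaryConfiguration, windowsNetworkIsolationPolicy.enterpriseNetworkDomainNames) are assumptions from the beta Intune API that should be checked against the current Graph reference and against how the existing policy was built.

```powershell
#Requires -Modules Microsoft.Graph.Authentication, SqlServer
# Added example for the hourly Azure Automation runbook: read approved URLs from
# the approval app's SQL database and push the host list into an Intune policy.
param(
    [string]$SqlServer   = 'sql-approvals.contoso.local',             # placeholder
    [string]$Database    = 'UrlApprovals',                            # placeholder
    [string]$PolicyId    = '00000000-0000-0000-0000-000000000000',    # placeholder Intune policy id
    [int]$MaxAttempts    = 3
)

function Write-RunbookLog {
    param([string]$Level, [string]$Message)
    # Azure Automation keeps the output stream per job, so one timestamped line
    # per step is enough to trace why a given hourly run failed.
    Write-Output ('{0:u} [{1}] {2}' -f (Get-Date), $Level, $Message)
}

function Invoke-WithRetry {
    param([scriptblock]$Action, [string]$What)
    # Exponential back-off (10s, 20s, 40s) for transient SQL or Graph failures;
    # rethrow on the last attempt so the job is recorded as failed.
    for ($attempt = 1; $attempt -le $MaxAttempts; $attempt++) {
        try { return & $Action }
        catch {
            Write-RunbookLog 'WARN' ('{0} failed (attempt {1}/{2}): {3}' -f $What, $attempt, $MaxAttempts, $_.Exception.Message)
            if ($attempt -eq $MaxAttempts) { throw }
            Start-Sleep -Seconds ([math]::Pow(2, $attempt) * 5)
        }
    }
}

# 1. Read the admin-approved URLs (assumed table/columns) from the approval app.
$approved = Invoke-WithRetry -What 'SQL query' -Action {
    Invoke-Sqlcmd -ServerInstance $SqlServer -Database $Database -Query @"
SELECT DISTINCT Url FROM dbo.UrlRequests WHERE Status = 'Approved'
"@
}

# 2. Reduce each approval to a bare hostname and drop anything that is not a
#    plausible DNS name, so one malformed record cannot poison the whole list.
$hosts = @(foreach ($row in $approved) {
    $u = [string]$row.Url
    $u = $u.Trim()
    if ($u -notmatch '^[a-z]+://') { $u = "https://$u" }
    try { ([uri]$u).Host.ToLowerInvariant() }
    catch { Write-RunbookLog 'WARN' "Skipping unparsable URL '$u'" }
} | Where-Object { $_ -match '^(\*\.)?([a-z0-9-]+\.)+[a-z]{2,}$' } | Sort-Object -Unique)
Write-RunbookLog 'INFO' ('{0} approved hosts read from SQL' -f $hosts.Count)

# 3. Sign in to Graph as the runbook's managed identity.
Invoke-WithRetry -What 'Graph sign-in' -Action { Connect-MgGraph -Identity -NoWelcome } | Out-Null

# 4. Compare with what the policy already holds and PATCH only on change, so an
#    hour with no new approvals does not trigger a policy re-evaluation on devices.
$uri = "https://graph.microsoft.com/beta/deviceManagement/deviceConfigurations/$PolicyId"
$policy  = Invoke-WithRetry -What 'Graph GET' -Action { Invoke-MgGraphRequest -Method GET -Uri $uri }
$current = @(@($policy.windowsNetworkIsolationPolicy.enterpriseNetworkDomainNames) |
             Where-Object { $_ } | Sort-Object -Unique)

if (-not (Compare-Object -ReferenceObject $current -DifferenceObject $hosts)) {
    Write-RunbookLog 'INFO' 'Policy already up to date; nothing to sync'
    return
}

$body = @{
    '@odata.type'                 = '#microsoft.graph.windows10NetworkBoundaryConfiguration'   # assumed type
    windowsNetworkIsolationPolicy = @{ enterpriseNetworkDomainNames = @($hosts) }              # assumed property
}
Invoke-WithRetry -What 'Graph PATCH' -Action { Invoke-MgGraphRequest -Method PATCH -Uri $uri -Body $body } | Out-Null
Write-RunbookLog 'INFO' ('Synced {0} hosts to Intune policy {1}' -f $hosts.Count, $PolicyId)
```

The hourly cadence belongs to the Automation schedule attached to the runbook, not to the script, which is why the propagation time quoted later on this page is the schedule interval plus the ~12 minutes Intune needs to apply the change. Comparing the current list with the approved list before writing keeps the audit trail in the job logs meaningful: a run that logs "nothing to sync" is expected, while a PATCH line shows exactly when and how many hosts changed.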
- Deploy MDAG to enforce browser isolation
- Enable admin approval for URL access requests
- Automate Intune policy updates via PowerShell + Azure Runbooks
- Configure Intune for browser and app protection policies
- Validate browser behavior through Edge diagnostics

Devices: Windows 10/11, Azure AD-joined
Tools: edge://application-guard-internals for runtime inspection
Sample Results:
- www.google.com → Opened in standard Edge
- www.facebook.com → Opened in MDAG container
Total propagation time: ~1hr 12mins (URL approval to policy sync)

- Improved web security by isolating untrusted sites
- Dynamic URL control through admin workflow
- Uninterrupted access to trusted websites
- Centralized configuration via Intune
- Scalable, automated policy deployment

- Policy delay (~1hr): Mitigated with staggered Runbook execution
- SQL-Intune sync failures: Resolved with logging and retries in script
- Azure app registration complexity: Resolved with documented steps
- Edge behaviour mismatches: Validated using Edge internal diagnostic tools