IntuneAppAndBrowserIsolationPolicyWindows10

Parameters

Parameter Attribute DataType Description Allowed Values
Description Write String Policy description
DisplayName Key String Policy name
RoleScopeTagIds Write StringArray[] List of Scope Tags for this Entity instance.
Id Write String The unique identifier for an entity. Read-only.
AllowWindowsDefenderApplicationGuard Write String Turn on Microsoft Defender Application Guard (0: Disable Microsoft Defender Application Guard, 1: Enable Microsoft Defender Application Guard for Microsoft Edge ONLY, 2: Enable Microsoft Defender Application Guard for isolated Windows environments ONLY, 3: Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments) 0, 1, 2, 3
ClipboardSettings Write String Clipboard behavior settings (0: Completely turns Off the clipboard functionality for the Application Guard., 1: Turns On clipboard operation from an isolated session to the host., 2: Turns On clipboard operation from the host to an isolated session., 3: Turns On clipboard operation in both the directions.) 0, 1, 2, 3
SaveFilesToHost Write String Allow files to download and save to the host operating system (0: The user cannot download files from Edge in the container to the host file system. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to allow users to download files from Edge in the container to the host file system.) 0, 1
InstallWindowsDefenderApplicationGuard Write String Install Windows defender application guard (install: Install) install
ClipboardFileType Write String Clipboard content options (1: Allow text copying., 2: Allow image copying., 3: Allow text and image copying.) 1, 2, 3
AllowPersistence Write String Allow data persistence (0: Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off., 1: Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.) 0, 1
AllowVirtualGPU Write String Allow hardware-accelerated rendering (0: Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.) 0, 1
PrintingSettings Write SInt32Array[] Print Settings (0: Disables all print functionality., 1: Enables only XPS printing., 2: Enables only PDF printing., 4: Enables only local printing., 8: Enables only network printing.) 0, 1, 2, 4, 8
AllowCameraMicrophoneRedirection Write String Allow camera and microphone access (0: Microsoft Defender Application Guard cannot access the device's camera and microphone. When the policy is not configured, it is the same as disabled (0)., 1: Turns on the functionality to allow Microsoft Defender Application Guard to access the device's camera and microphone.) 0, 1
AuditApplicationGuard Write String Audit Application Guard (0: Audit event logs aren't collected for Application Guard., 1: Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.) 0, 1
CertificateThumbprints Write StringArray[] Certificate Thumbprints
EnterpriseIPRange Write StringArray[] Enterprise IP Range
EnterpriseCloudResources Write StringArray[] Enterprise Cloud Resources
EnterpriseNetworkDomainNames Write StringArray[] Enterprise Network Domain Names
EnterpriseProxyServers Write StringArray[] Enterprise Proxy Servers
EnterpriseInternalProxyServers Write StringArray[] Enterprise Internal Proxy Servers
NeutralResources Write StringArray[] Neutral Resources
EnterpriseProxyServersAreAuthoritative Write String Enterprise Proxy Servers Are Authoritative (1: Enable, 0: Disable) 1, 0
EnterpriseIPRangesAreAuthoritative Write String Enterprise IP Ranges Are Authoritative (1: Enable, 0: Disable) 1, 0
Assignments Write MSFT_DeviceManagementConfigurationPolicyAssignments[] Represents the assignment to the Intune policy.
Ensure Write String Present ensures the policy exists, absent ensures it is removed. Present, Absent
Credential Write PSCredential Credentials of the Admin
ApplicationId Write String Id of the Azure Active Directory application to authenticate with.
TenantId Write String Id of the Azure Active Directory tenant used for authentication.
ApplicationSecret Write PSCredential Secret of the Azure Active Directory tenant used for authentication.
CertificateThumbprint Write String Thumbprint of the Azure Active Directory application's authentication certificate to use for authentication.
ManagedIdentity Write Boolean Managed ID being used for authentication.
AccessTokens Write StringArray[] Access token used for authentication.

MSFT_DeviceManagementConfigurationPolicyAssignments

Parameters

Parameter Attribute DataType Description Allowed Values
dataType Write String The type of the target assignment. #microsoft.graph.groupAssignmentTarget, #microsoft.graph.allLicensedUsersAssignmentTarget, #microsoft.graph.allDevicesAssignmentTarget, #microsoft.graph.exclusionGroupAssignmentTarget, #microsoft.graph.configurationManagerCollectionAssignmentTarget
deviceAndAppManagementAssignmentFilterType Write String The type of filter of the target assignment i.e. Exclude or Include. Possible values are:none, include, exclude. none, include, exclude
deviceAndAppManagementAssignmentFilterId Write String The Id of the filter for the target assignment.
groupId Write String The group Id that is the target of the assignment.
groupDisplayName Write String The group Display Name that is the target of the assignment.
collectionId Write String The collection Id that is the target of the assignment.(ConfigMgr)

Description

Intune App And Browser Isolation Policy for Windows10

Permissions

Microsoft Graph

To authenticate with the Microsoft Graph API, this resource required the following permissions:

Delegated permissions

  • Read

    • Group.Read.All, DeviceManagementConfiguration.Read.All
  • Update

    • Group.Read.All, DeviceManagementConfiguration.ReadWrite.All

Application permissions

  • Read

    • Group.Read.All, DeviceManagementConfiguration.Read.All
  • Update

    • Group.Read.All, DeviceManagementConfiguration.ReadWrite.All

Examples

Example 1

This example creates a new Device Remediation.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10'
        {
            Assignments              = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = '11111111-1111-1111-1111-111111111111'
                }
            );
            AllowCameraMicrophoneRedirection       = "1";
            AllowPersistence                       = "0";
            AllowVirtualGPU                        = "0";
            AllowWindowsDefenderApplicationGuard   = "1";
            ClipboardFileType                      = "1";
            ClipboardSettings                      = "0";
            Description                            = 'Description'
            DisplayName                            = "App and Browser Isolation";
            Ensure                                 = "Present";
            Id                                     = '00000000-0000-0000-0000-000000000000'
            InstallWindowsDefenderApplicationGuard = "install";
            SaveFilesToHost                        = "0";
            RoleScopeTagIds                        = @("0");
            ApplicationId                          = $ApplicationId;
            TenantId                               = $TenantId;
            CertificateThumbprint                  = $CertificateThumbprint;
        }
    }
}

Example 2

This example updates a new Device Remediation.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10'
        {
            Assignments              = @(
                MSFT_DeviceManagementConfigurationPolicyAssignments{
                    deviceAndAppManagementAssignmentFilterType = 'none'
                    dataType = '#microsoft.graph.groupAssignmentTarget'
                    groupId = '11111111-1111-1111-1111-111111111111'
                }
            );
            AllowCameraMicrophoneRedirection       = "0"; # Updated property
            AllowPersistence                       = "0";
            AllowVirtualGPU                        = "0";
            AllowWindowsDefenderApplicationGuard   = "1";
            ClipboardFileType                      = "1";
            ClipboardSettings                      = "0";
            Description                            = 'Description'
            DisplayName                            = "App and Browser Isolation";
            Ensure                                 = "Present";
            Id                                     = '00000000-0000-0000-0000-000000000000'
            InstallWindowsDefenderApplicationGuard = "install";
            SaveFilesToHost                        = "0";
            RoleScopeTagIds                        = @("0");
            ApplicationId                          = $ApplicationId;
            TenantId                               = $TenantId;
            CertificateThumbprint                  = $CertificateThumbprint;
        }
    }
}

Example 3

This example removes a Device Remediation.

Configuration Example
{
    param(
        [Parameter()]
        [System.String]
        $ApplicationId,

        [Parameter()]
        [System.String]
        $TenantId,

        [Parameter()]
        [System.String]
        $CertificateThumbprint
    )
    Import-DscResource -ModuleName Microsoft365DSC

    node localhost
    {
        IntuneAppAndBrowserIsolationPolicyWindows10 'ConfigureAppAndBrowserIsolationPolicyWindows10'
        {
            Id          = '00000000-0000-0000-0000-000000000000'
            DisplayName = 'App and Browser Isolation'
            Ensure      = 'Absent'
            ApplicationId         = $ApplicationId;
            TenantId              = $TenantId;
            CertificateThumbprint = $CertificateThumbprint;
        }
    }
}