Use a network boundary to add trusted sites on Windows devices in Microsoft Intune

When using Microsoft Defender Application Guard and Microsoft Edge, you can protect your environment from sites that your organization doesn't trust. This feature is called a network boundary.

In a network bound, you can add network domains, IPV4 and IPv6 ranges, proxy servers, and more. Microsoft Defender Application Guard in Microsoft Edge trusts sites in this boundary.

In Intune, you can create a network boundary profile, and deploy this policy to your devices.

For more information on using Microsoft Defender Application Guard in Intune, go to Windows client settings to protect devices using Intune.

This feature applies to:

• Windows 11 devices enrolled in Intune
• Windows 10 devices enrolled in Intune

This article shows you how to create the profile, and add trusted sites.

Before you begin

• To create the policy, at a minimum, sign into the Microsoft Intune admin center with an account that has the Policy and Profile Manager built-in role. For more information on the built-in roles, go to Role-based access control for Microsoft Intune.
• This feature uses the NetworkIsolation CSP.

Create the profile

1. Sign in to the Microsoft Intune admin center.

2. Select Devices > Configuration > Create.

3. Enter the following properties:

   • Platform: Select Windows 10 and later.
   • Profile type: Select Templates > Network boundary.

4. Select Create.

5. In Basics, enter the following properties:

   • Name: Enter a descriptive name for the profile. Name your policies so you can easily identify them later. For example, a good profile name is Windows-Contoso network boundary.
   • Description: Enter a description for the profile. This setting is optional, but recommended.

6. Select Next.

7. In Configuration settings, configure the following settings:

   • Boundary type: This setting creates an isolated network boundary. Sites in this boundary are considered trusted by Microsoft Defender Application Guard. Your options:

     • IPv4 range: Enter a comma-separated list of IPv4 ranges of devices in your network. Data from these devices is considered part of your organization, and is protected. These locations are considered a safe destination for organization data to be shared to.
     • IPv6 range: Enter a comma-separated list of IPv6 ranges of devices in your network. Data from these devices is considered part of your organization, and is protected. These locations are considered a safe destination for organization data to be shared to.
     • Cloud resources: Enter a pipe-separated (|) list of organization resource domains hosted in the cloud that you want protected.
     • Network domains: Enter a comma-separated list of domains that create the boundaries. Data from any of these domains is sent to a device, is considered organization data, and is protected. These locations are considered a safe destination for organization data to be shared to. For example, enter contoso.sharepoint.com, contoso.com.
     • Proxy servers: Enter a comma-separated list of proxy servers. Any proxy server in this list is at the internet-level, and not internal to the organization. For example, enter 157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59.
     • Internal proxy servers: Enter a comma-separated list of internal proxy servers. The proxies are used when adding Cloud resources. They force traffic to the matched cloud resources. For example, enter 157.54.14.28, 157.54.11.118, 10.202.14.167, 157.53.14.163, 157.69.210.59.
     • Neutral resources: Enter a list of domain names that can be used for work resources or personal resources.

   • Value: Enter your list.

   • Auto detection of other enterprise proxy servers: Disable prevents devices from automatically detecting proxy servers that aren't in the list. The devices accept the configured list of proxies. When set to Not configured (default), Intune doesn't change or update this setting.

   • Auto detection of other enterprise IP ranges: Disable prevents devices from automatically detecting IP ranges that aren't in the list. The devices accept the configured list of IP ranges. When set to Not configured (default), Intune doesn't change or update this setting.

8. Select Next.

9. In Scope tags (optional), assign a tag to filter the profile to specific IT groups, such as US-NC IT Team or JohnGlenn_ITDepartment. For more information about scope tags, go to Use RBAC and scope tags for distributed IT.

   Select Next.

10. In Assignments, select the users or user group that will receive your profile. For more information on assigning profiles, go to Assign user and device profiles.

    Select Next.

11. In Review + create, review your settings. When you select Create, your changes are saved, and the profile is assigned. The policy is also shown in the profiles list.

The next time each device checks in, the policy is applied.

Resources

After the profile is assigned, be sure to monitor its status.

Microsoft Defender Application Guard overview