Application Guard device policy

The Application Guard policy specifies Windows Defender Application Guard settings. The settings include whether to enable Application Guard and controls for clipboard behavior.

Windows Defender Application Guard protects your environment from sites that haven’t been defined as trusted by your organization. When users visit sites that aren’t listed in your isolated network boundary: The sites open in a virtual browsing session in Hyper-V. Enterprise cloud resources define trusted sites.

Requirements

  • Windows 10 (64-bit) enterprise devices running OS version 1709. A device restart is required to install the Windows Defender Application Guard.
  • Microsoft Edge browser

Windows Desktop and Tablet settings

Image of Device Policies configuration screen

  • Application Guard: Enables Application Guard. Default is Off.
    • Enterprise Cloud Resources: A comma-separated list of enterprise cloud domains.
  • Clipboard Behavior: Controls which directions content can be copied and pasted. The options are as follows:

    • Not configured
    • Allow copy and paste from browser to PC only: Allows users to copy and paste content only from their browser to their PC.
    • Allow copy and paste from PC to browser only: Allows users to copy and paste content only from their PC to their browser.
    • Allow copy and paste between PC and browser: Allows users to copy and paste content freely between their PC and browser.
    • Block copy and paste between PC and browser: Does not allow users to copy and paste content between their PC and browser.
  • Clipboard Content: Controls which content users can copy and paste. The options are as follows:
    • Not configured
    • Allow text copying: Allows users to copy text only.
    • Allow image copying: Allows users to copy images only.
    • Allow both text and image copying: Allows users to copy both text and images.
  • Block external content on enterprise sites: If On, Windows Defender Application Guard prevents content from unapproved sites from loading on enterprise sites. Default is Off.
  • Retain user-generated browser data: If On, allows saving user data created during an Application Guard virtual browsing session. This data includes things like passwords, favorites, and cookies. Default is Off.

Application Guard device policy