WindowsDefenderApplicationGuard CSP

The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.

Windows edition and licensing requirements

The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) configure via MDM:

Windows Pro Windows Enterprise Windows Pro Education/SE Windows Education
No Yes No Yes

Microsoft Defender Application Guard (MDAG) configure via MDM license entitlements are granted by the following licenses:

Windows Pro/Pro Education/SE Windows Enterprise E3 Windows Enterprise E5 Windows Education A3 Windows Education A5
No Yes Yes Yes Yes

For more information about Windows licensing, see Windows licensing overview.

The following list shows the WindowsDefenderApplicationGuard configuration service provider nodes:

Audit

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Audit

Interior node for Audit.

Description framework properties:

Property name Property value
Format node
Access Type Get

Audit/AuditApplicationGuard

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Audit/AuditApplicationGuard

This policy setting allows you to decide whether auditing events can be collected from Application Guard.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Audit event logs aren't collected for Application Guard.
1 Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.

Group policy mapping:

Name Value
Name AppHVSI_AuditApplicationGuardConfig
Friendly Name Allow auditing events in Microsoft Defender Application Guard
Location Computer Configuration
Path Windows Components > Microsoft Defender Application Guard
Registry Key Name SOFTWARE\Policies\Microsoft\AppHVSI
Registry Value Name AuditApplicationGuard
ADMX File Name AppHVSI.admx

InstallWindowsDefenderApplicationGuard

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/InstallWindowsDefenderApplicationGuard

Initiates remote installation of Application Guard feature.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Exec, Get

Allowed values:

Value Description
Install Will initiate feature install.
Uninstall Will initiate feature uninstall.

PlatformStatus

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 2004 [10.0.19041] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/PlatformStatus

Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device. Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. Bit 1 - Set to 1 when the client machine is Hyper-V capable. Bit 2 - Reserved for Microsoft. Bit 3 - Set to 1 when Application Guard is installed on the client machine. Bit 4 - Reserved for Microsoft. Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.

Description framework properties:

Property name Property value
Format int
Access Type Get

Settings

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings

Interior Node for Settings.

Description framework properties:

Property name Property value
Format node
Access Type Get

Settings/AllowCameraMicrophoneRedirection

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowCameraMicrophoneRedirection

This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device's camera and microphone when these settings are enabled on the user's device.

  • If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user's device.

  • If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user's device.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Microsoft Defender Application Guard can't access the device’s camera and microphone. When the policy isn't configured, it's the same as disabled (0).
1 Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone.

Group policy mapping:

Name Value
Name AppHVSI_AllowCameraMicrophoneRedirectionConfig
Friendly Name Allow camera and microphone access in Microsoft Defender Application Guard
Location Computer Configuration
Path Windows Components > Microsoft Defender Application Guard
Registry Key Name SOFTWARE\Policies\Microsoft\AppHVSI
Registry Value Name AllowCameraMicrophoneRedirection
ADMX File Name AppHVSI.admx

Settings/AllowPersistence

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowPersistence

This policy setting allows you to decide whether data should persist across different sessions in Application Guard.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
0 Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
1 Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

Group policy mapping:

Name Value
Name AppHVSI_AllowPersistence
Friendly Name Allow data persistence for Microsoft Defender Application Guard
Location Computer Configuration
Path Windows Components > Microsoft Defender Application Guard
Registry Key Name SOFTWARE\Policies\Microsoft\AppHVSI
Registry Value Name AllowPersistence
ADMX File Name AppHVSI.admx

Settings/AllowVirtualGPU

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowVirtualGPU

This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics. If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering.

Warning

Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy isn't configured, it's the same as disabled (0).
1 Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container.

Group policy mapping:

Name Value
Name AppHVSI_AllowVirtualGPU
Friendly Name Allow hardware-accelerated rendering for Microsoft Defender Application Guard
Location Computer Configuration
Path Windows Components > Microsoft Defender Application Guard
Registry Key Name SOFTWARE\Policies\Microsoft\AppHVSI
Registry Value Name AllowVirtualGPU
ADMX File Name AppHVSI.admx

Settings/AllowWindowsDefenderApplicationGuard

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowWindowsDefenderApplicationGuard

Turn on Microsoft Defender Application Guard in Enterprise Mode.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
0 Disable Microsoft Defender Application Guard.
1 Enable Microsoft Defender Application Guard for Microsoft Edge ONLY.
2 Enable Microsoft Defender Application Guard for isolated Windows environments ONLY.
3 Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments.

Group policy mapping:

Name Value
Name AllowAppHVSI
Path Windows Components > Microsoft Defender Application Guard

Settings/BlockNonEnterpriseContent

Note

This policy is deprecated and may be removed in a future release.

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/BlockNonEnterpriseContent

This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer.

Note

This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
1 Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard.

Group policy mapping:

Name Value
Name AppHVSI_BlockNonEnterpriseContentConfig
Friendly Name Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer
Location Computer Configuration
Path Windows Components > Microsoft Defender Application Guard
Registry Key Name SOFTWARE\Policies\Microsoft\AppHVSI
Registry Value Name BlockNonEnterpriseContent
ADMX File Name AppHVSI.admx

Settings/CertificateThumbprints

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1809 [10.0.17763] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/CertificateThumbprints

This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container.

  • If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer. Here's an example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924.

  • If you disable or don't configure this setting, certificates aren't shared with the Microsoft Defender Application Guard container.

Note

To enforce this policy, device restart or user logon/logoff is required.

Description framework properties:

Property name Property value
Format chr (string)
Access Type Add, Delete, Get, Replace
Allowed Values List (Delimiter: ,)

Group policy mapping:

Name Value
Name AppHVSI_CertificateThumbprints
Friendly Name Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user’s device
Location Computer Configuration
Path Windows Components > Microsoft Defender Application Guard
Registry Key Name SOFTWARE\Policies\Microsoft\AppHVSI
ADMX File Name AppHVSI.admx

Settings/ClipboardFileType

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/ClipboardFileType

Determines the type of content that can be copied from the host to Application Guard environment and vice versa.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace

Allowed values:

Value Description
1 Allow text copying.
2 Allow image copying.
3 Allow text and image copying.

Group policy mapping:

Name Value
Name AppHVSI_ClipboardConfig
Friendly Name Configure Microsoft Defender Application Guard clipboard settings
Location Computer Configuration
Path Windows Components > Microsoft Defender Application Guard
Registry Key Name SOFTWARE\Policies\Microsoft\AppHVSI
ADMX File Name AppHVSI.admx

Settings/ClipboardSettings

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/ClipboardSettings

This policy setting allows you to decide how the clipboard behaves while in Application Guard.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Completely turns Off the clipboard functionality for the Application Guard.
1 Turns On clipboard operation from an isolated session to the host.
2 Turns On clipboard operation from the host to an isolated session.
3 Turns On clipboard operation in both the directions.

Group policy mapping:

Name Value
Name AppHVSI_ClipboardConfig
Friendly Name Configure Microsoft Defender Application Guard clipboard settings
Location Computer Configuration
Path Windows Components > Microsoft Defender Application Guard
Registry Key Name SOFTWARE\Policies\Microsoft\AppHVSI
ADMX File Name AppHVSI.admx

Settings/PrintingSettings

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/PrintingSettings

This policy setting allows you to decide how the print functionality behaves while in Application Guard.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) Disables all print functionality.
1 Enables only XPS printing.
2 Enables only PDF printing.
3 Enables both PDF and XPS printing.
4 Enables only local printing.
5 Enables both local and XPS printing.
6 Enables both local and PDF printing.
7 Enables local, PDF, and XPS printing.
8 Enables only network printing.
9 Enables both network and XPS printing.
10 Enables both network and PDF printing.
11 Enables network, PDF, and XPS printing.
12 Enables both network and local printing.
13 Enables network, local, and XPS printing.
14 Enables network, local, and PDF printing.
15 Enables all printing.

Group policy mapping:

Name Value
Name AppHVSI_PrintingConfig
Friendly Name Configure Microsoft Defender Application Guard print settings
Location Computer Configuration
Path Windows Components > Microsoft Defender Application Guard
Registry Key Name SOFTWARE\Policies\Microsoft\AppHVSI
ADMX File Name AppHVSI.admx

Settings/SaveFilesToHost

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1803 [10.0.17134] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/SaveFilesToHost

This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system.

Description framework properties:

Property name Property value
Format int
Access Type Add, Delete, Get, Replace
Default Value 0

Allowed values:

Value Description
0 (Default) The user can't download files from Edge in the container to the host file system. When the policy isn't configured, it's the same as disabled (0).
1 Turns on the functionality to allow users to download files from Edge in the container to the host file system.

Group policy mapping:

Name Value
Name AppHVSI_SaveFilesToHost
Friendly Name Allow files to download and save to the host operating system from Microsoft Defender Application Guard
Location Computer Configuration
Path Windows Components > Microsoft Defender Application Guard
Registry Key Name SOFTWARE\Policies\Microsoft\AppHVSI
Registry Value Name SaveFilesToHost
ADMX File Name AppHVSI.admx

Status

Scope Editions Applicable OS
✅ Device
❌ User
✅ Pro
✅ Enterprise
✅ Education
✅ Windows SE
✅ IoT Enterprise / IoT Enterprise LTSC
✅ Windows 10, version 1709 [10.0.16299] and later
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Status

Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. Bit 1 - Set to 1 when the client machine is Hyper-V capable. Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. Bit 3 - Set to 1 when Application Guard installed on the client machine. Bit 4 - Set to 1 when required Network Isolation Policies are configured. Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. Bit 6 - Set to 1 when system reboot is required.

Description framework properties:

Property name Property value
Format int
Access Type Get

Configuration service provider reference