WindowsDefenderApplicationGuard CSP
The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. This CSP was added in Windows 10, version 1709.
Windows edition and licensing requirements
The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) configure via MDM:
| Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
|---|---|---|---|
| No | Yes | No | Yes |
Microsoft Defender Application Guard (MDAG) configure via MDM license entitlements are granted by the following licenses:
| Windows Pro/Pro Education/SE | Windows Enterprise E3 | Windows Enterprise E5 | Windows Education A3 | Windows Education A5 |
|---|---|---|---|---|
| No | Yes | Yes | Yes | Yes |
For more information about Windows licensing, see Windows licensing overview.
The following list shows the WindowsDefenderApplicationGuard configuration service provider nodes:
- ./Device/Vendor/MSFT/WindowsDefenderApplicationGuard
Audit
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Audit
Interior node for Audit.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Get |
Audit/AuditApplicationGuard
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Audit/AuditApplicationGuard
This policy setting allows you to decide whether auditing events can be collected from Application Guard.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
Allowed values:
| Value | Description |
|---|---|
| 0 (Default) | Audit event logs aren't collected for Application Guard. |
| 1 | Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container. |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AppHVSI_AuditApplicationGuardConfig |
| Friendly Name | Allow auditing events in Microsoft Defender Application Guard |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Application Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI |
| Registry Value Name | AuditApplicationGuard |
| ADMX File Name | AppHVSI.admx |
InstallWindowsDefenderApplicationGuard
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/InstallWindowsDefenderApplicationGuard
Initiates remote installation of Application Guard feature.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Exec, Get |
Allowed values:
| Value | Description |
|---|---|
| Install | Will initiate feature install. |
| Uninstall | Will initiate feature uninstall. |
PlatformStatus
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 2004 [10.0.19041] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/PlatformStatus
Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device. Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. Bit 1 - Set to 1 when the client machine is Hyper-V capable. Bit 2 - Reserved for Microsoft. Bit 3 - Set to 1 when Application Guard is installed on the client machine. Bit 4 - Reserved for Microsoft. Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Get |
Settings
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings
Interior Node for Settings.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | node |
| Access Type | Get |
Settings/AllowCameraMicrophoneRedirection
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1809 [10.0.17763] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowCameraMicrophoneRedirection
This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device's camera and microphone when these settings are enabled on the user's device.
If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user's device.
If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user's device.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
Allowed values:
| Value | Description |
|---|---|
| 0 (Default) | Microsoft Defender Application Guard can't access the device’s camera and microphone. When the policy isn't configured, it's the same as disabled (0). |
| 1 | Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone. |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AppHVSI_AllowCameraMicrophoneRedirectionConfig |
| Friendly Name | Allow camera and microphone access in Microsoft Defender Application Guard |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Application Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI |
| Registry Value Name | AllowCameraMicrophoneRedirection |
| ADMX File Name | AppHVSI.admx |
Settings/AllowPersistence
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowPersistence
This policy setting allows you to decide whether data should persist across different sessions in Application Guard.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
Allowed values:
| Value | Description |
|---|---|
| 0 | Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off. |
| 1 | Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions. |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AppHVSI_AllowPersistence |
| Friendly Name | Allow data persistence for Microsoft Defender Application Guard |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Application Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI |
| Registry Value Name | AllowPersistence |
| ADMX File Name | AppHVSI.admx |
Settings/AllowVirtualGPU
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1803 [10.0.17134] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowVirtualGPU
This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics. If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering.
Warning
Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
Allowed values:
| Value | Description |
|---|---|
| 0 (Default) | Cannot access the vGPU and uses the CPU to support rendering graphics. When the policy isn't configured, it's the same as disabled (0). |
| 1 | Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. This can create a faster experience when working with graphics intense websites or watching video within the container. |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AppHVSI_AllowVirtualGPU |
| Friendly Name | Allow hardware-accelerated rendering for Microsoft Defender Application Guard |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Application Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI |
| Registry Value Name | AllowVirtualGPU |
| ADMX File Name | AppHVSI.admx |
Settings/AllowWindowsDefenderApplicationGuard
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowWindowsDefenderApplicationGuard
Turn on Microsoft Defender Application Guard in Enterprise Mode.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
Allowed values:
| Value | Description |
|---|---|
| 0 | Disable Microsoft Defender Application Guard. |
| 1 | Enable Microsoft Defender Application Guard for Microsoft Edge ONLY. |
| 2 | Enable Microsoft Defender Application Guard for isolated Windows environments ONLY. |
| 3 | Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments. |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AllowAppHVSI |
| Path | Windows Components > Microsoft Defender Application Guard |
Settings/BlockNonEnterpriseContent
Note
This policy is deprecated and may be removed in a future release.
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/BlockNonEnterpriseContent
This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer.
Note
This policy setting is no longer supported in the new Microsoft Edge browser. The policy will be deprecated and removed in a future release. Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
Allowed values:
| Value | Description |
|---|---|
| 0 (Default) | Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge. |
| 1 | Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard. |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AppHVSI_BlockNonEnterpriseContentConfig |
| Friendly Name | Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Application Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI |
| Registry Value Name | BlockNonEnterpriseContent |
| ADMX File Name | AppHVSI.admx |
Settings/CertificateThumbprints
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1809 [10.0.17763] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/CertificateThumbprints
This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container.
If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer. Here's an example: b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924.
If you disable or don't configure this setting, certificates aren't shared with the Microsoft Defender Application Guard container.
Note
To enforce this policy, device restart or user logon/logoff is required.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | chr (string) |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | List (Delimiter: ,) |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AppHVSI_CertificateThumbprints |
| Friendly Name | Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user’s device |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Application Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI |
| ADMX File Name | AppHVSI.admx |
Settings/ClipboardFileType
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/ClipboardFileType
Determines the type of content that can be copied from the host to Application Guard environment and vice versa.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
Allowed values:
| Value | Description |
|---|---|
| 1 | Allow text copying. |
| 2 | Allow image copying. |
| 3 | Allow text and image copying. |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AppHVSI_ClipboardConfig |
| Friendly Name | Configure Microsoft Defender Application Guard clipboard settings |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Application Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI |
| ADMX File Name | AppHVSI.admx |
Settings/ClipboardSettings
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/ClipboardSettings
This policy setting allows you to decide how the clipboard behaves while in Application Guard.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
Allowed values:
| Value | Description |
|---|---|
| 0 (Default) | Completely turns Off the clipboard functionality for the Application Guard. |
| 1 | Turns On clipboard operation from an isolated session to the host. |
| 2 | Turns On clipboard operation from the host to an isolated session. |
| 3 | Turns On clipboard operation in both the directions. |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AppHVSI_ClipboardConfig |
| Friendly Name | Configure Microsoft Defender Application Guard clipboard settings |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Application Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI |
| ADMX File Name | AppHVSI.admx |
Settings/PrintingSettings
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/PrintingSettings
This policy setting allows you to decide how the print functionality behaves while in Application Guard.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
Allowed values:
| Value | Description |
|---|---|
| 0 (Default) | Disables all print functionality. |
| 1 | Enables only XPS printing. |
| 2 | Enables only PDF printing. |
| 3 | Enables both PDF and XPS printing. |
| 4 | Enables only local printing. |
| 5 | Enables both local and XPS printing. |
| 6 | Enables both local and PDF printing. |
| 7 | Enables local, PDF, and XPS printing. |
| 8 | Enables only network printing. |
| 9 | Enables both network and XPS printing. |
| 10 | Enables both network and PDF printing. |
| 11 | Enables network, PDF, and XPS printing. |
| 12 | Enables both network and local printing. |
| 13 | Enables network, local, and XPS printing. |
| 14 | Enables network, local, and PDF printing. |
| 15 | Enables all printing. |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AppHVSI_PrintingConfig |
| Friendly Name | Configure Microsoft Defender Application Guard print settings |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Application Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI |
| ADMX File Name | AppHVSI.admx |
Settings/SaveFilesToHost
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1803 [10.0.17134] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/SaveFilesToHost
This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Default Value | 0 |
Allowed values:
| Value | Description |
|---|---|
| 0 (Default) | The user can't download files from Edge in the container to the host file system. When the policy isn't configured, it's the same as disabled (0). |
| 1 | Turns on the functionality to allow users to download files from Edge in the container to the host file system. |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AppHVSI_SaveFilesToHost |
| Friendly Name | Allow files to download and save to the host operating system from Microsoft Defender Application Guard |
| Location | Computer Configuration |
| Path | Windows Components > Microsoft Defender Application Guard |
| Registry Key Name | SOFTWARE\Policies\Microsoft\AppHVSI |
| Registry Value Name | SaveFilesToHost |
| ADMX File Name | AppHVSI.admx |
Status
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 10, version 1709 [10.0.16299] and later |
./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Status
Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device. Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode. Bit 1 - Set to 1 when the client machine is Hyper-V capable. Bit 2 - Set to 1 when the client machine has a valid OS license and SKU. Bit 3 - Set to 1 when Application Guard installed on the client machine. Bit 4 - Set to 1 when required Network Isolation Policies are configured. Bit 5 - Set to 1 when the client machine meets minimum hardware requirements. Bit 6 - Set to 1 when system reboot is required.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Get |