Application Guard

On certain occasions, users need to access resources that the organization deems untrusted. For example, they might need to visit untrusted websites in Microsoft Edge, or open untrusted Microsoft Office files (Word, PowerPoint, Excel) that could potentially reach trusted resources. This presents a double-edged sword for every enterprise: either compromise user productivity or risk enterprise security.

Windows Defender Application Guard is designed to address exactly this challenge. Simply put, Application Guard acts as a protective barrier between an untrusted session and the host system. When a user opens an untrusted site or file under Application Guard, that session runs in an isolated container. Everything that happens within the session stays contained, so the host system remains unaffected.

You can configure the parameters for Windows Defender Application Guard by creating a profile and then associating that profile with device groups.

Profile Description

Each profile specification and what it controls:

Enforce Defender Application Guard
  Configure the level of Defender Application Guard protection:
  • Microsoft Edge
  • Microsoft Office
  • Both Microsoft Edge and Office

Clipboard settings
  Restrict the kind of data that may be transferred through the clipboard: images, text, or both.

Clipboard access
  Regulate the direction of clipboard data transfer:
  • Disable clipboard
  • Allow from an isolated session to the host
  • Allow from the host to an isolated session
  • Allow in both directions (clipboard data transfer from the isolated session to the host and vice versa)

Data persistence
  Retain user-downloaded files and other items (e.g., favorites, cookies) across different Application Guard sessions.

Print settings
  Specify which kinds of printing are allowed (network printing, local printing, or both) and which file types may be printed to (PDF, XPS).

Saving files in the host
  Allow files that users download during Application Guard sessions to be saved on the host system.

Camera and microphone access
  Allow applications running inside Application Guard to use the camera and microphone.

Certificate thumbprint
  Configure this option to share root-level certificates with Application Guard. Once you provide a thumbprint, Application Guard makes the matching certificates available inside the isolated container.

Network boundaries
  A Network Boundary, as the name suggests, lets the enterprise define its security perimeter by listing only trusted sites; anything outside the boundary is treated as untrusted and is opened in the isolated session. Using this feature, you can fine-tune:
  • IP ranges
  • Domain names
  • Cloud resources
  • Proxy servers
  • Internal proxy servers
  • Neutral resources
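The settings above end up as policy values on each device, and the quickest way to check that a profile actually landed (and to spot settings that loosen the isolation, such as clipboard flow from the container to the host or saving container downloads on the host) is to read those values back and decode them. The script below is an added example written for this page; it is not code from the original page or from the UEM product it describes. It assumes the Application Guard Group Policy backing store at HKLM\SOFTWARE\Policies\Microsoft\AppHVSI and the value names listed in the script, which should be verified against the ADMX for your Windows build; the sample thumbprints are placeholders, and the network boundary settings (which live in a separate policy store) are not covered.

```powershell
# Added example (not from the original page): read the Application Guard policy values
# from a device and decode them into the settings described in the profile table.
# ASSUMPTION: key path and value names are taken from the Application Guard ADMX
# backing store; confirm them for your build before relying on the output.

function Get-AppGuardPolicy {
    param([string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI')
    $policy = @{}
    if (-not (Test-Path $Path)) { return $policy }      # key absent: every setting is at its default
    $item = Get-ItemProperty -Path $Path
    foreach ($name in 'AllowAppHVSI_ProviderSet', 'AppHVSIClipboardSettings', 'AppHVSIClipboardFileType',
                      'AllowPersistence', 'AppHVSIPrintingSettings', 'SaveFilesToHost',
                      'AllowCameraMicrophoneRedirection', 'CertificateThumbprints') {
        if ($null -ne $item.$name) { $policy[$name] = $item.$name }
    }
    return $policy
}

# Map a numeric policy value to its label, or report that it is not configured.
function Decode-Value([hashtable]$Policy, [string]$Name, [hashtable]$Map) {
    if (-not $Policy.ContainsKey($Name)) { return 'Not configured (default)' }
    $v = [int]$Policy[$Name]
    if ($Map.ContainsKey($v)) { return $Map[$v] }
    return "Unknown value $v"
}

function ConvertTo-AppGuardReport {
    param([hashtable]$Policy)

    $providerMap = @{ 0 = 'Disabled'; 1 = 'Microsoft Edge'; 2 = 'Microsoft Office'; 3 = 'Both Microsoft Edge and Office' }
    $clipDirMap  = @{ 0 = 'Disabled'; 1 = 'Isolated session to host'; 2 = 'Host to isolated session'; 3 = 'Both directions' }
    $clipTypeMap = @{ 1 = 'Text'; 2 = 'Images'; 3 = 'Text and images' }
    $onOffMap    = @{ 0 = 'Disabled'; 1 = 'Enabled' }

    # Printing is a bit mask: 1 = XPS, 2 = PDF, 4 = local printers, 8 = network printers.
    $printing = 'Not configured (default)'
    if ($Policy.ContainsKey('AppHVSIPrintingSettings')) {
        $bits = [int]$Policy['AppHVSIPrintingSettings']
        $parts = @()
        if ($bits -band 1) { $parts += 'XPS' }
        if ($bits -band 2) { $parts += 'PDF' }
        if ($bits -band 4) { $parts += 'Local printers' }
        if ($bits -band 8) { $parts += 'Network printers' }
        $printing = if ($parts.Count -eq 0) { 'Disabled' } else { $parts -join ', ' }
    }

    # Thumbprints are stored as one comma-separated string.
    $thumbprints = @()
    if ($Policy.ContainsKey('CertificateThumbprints')) {
        $thumbprints = @([string]$Policy['CertificateThumbprints'] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }

    # Findings: settings that open a path from the container back to the host.
    # Unconfigured values are treated as disabled here (assumed default).
    $findings = @()
    $clip = if ($Policy.ContainsKey('AppHVSIClipboardSettings')) { [int]$Policy['AppHVSIClipboardSettings'] } else { 0 }
    if ($clip -band 1) { $findings += 'Clipboard flows from the isolated session to the host' }
    if ([int]($Policy['SaveFilesToHost'] ?? 0) -eq 1) { $findings += 'Container downloads are saved on the host' }
    if ([int]($Policy['AllowPersistence'] ?? 0) -eq 1) { $findings += 'Container state persists across sessions' }
    if ([int]($Policy['AllowCameraMicrophoneRedirection'] ?? 0) -eq 1) { $findings += 'Camera and microphone are exposed to the container' }

    [pscustomobject]@{
        Enforcement      = Decode-Value $Policy 'AllowAppHVSI_ProviderSet' $providerMap
        ClipboardAccess  = Decode-Value $Policy 'AppHVSIClipboardSettings' $clipDirMap
        ClipboardContent = Decode-Value $Policy 'AppHVSIClipboardFileType' $clipTypeMap
        DataPersistence  = Decode-Value $Policy 'AllowPersistence' $onOffMap
        Printing         = $printing
        SaveFilesToHost  = Decode-Value $Policy 'SaveFilesToHost' $onOffMap
        CameraMicrophone = Decode-Value $Policy 'AllowCameraMicrophoneRedirection' $onOffMap
        SharedRootCerts  = $thumbprints.Count
        Findings         = $findings
    }
}

# Constructed sample standing in for a device's policy so the report runs offline.
$sample = @{
    AllowAppHVSI_ProviderSet = 3      # Edge and Office
    AppHVSIClipboardSettings = 1      # isolated session -> host
    AppHVSIClipboardFileType = 3      # text and images
    AllowPersistence         = 0
    AppHVSIPrintingSettings  = 10     # PDF (2) + network printers (8)
    SaveFilesToHost          = 1
    CertificateThumbprints   = 'THUMBPRINT-PLACEHOLDER-1,THUMBPRINT-PLACEHOLDER-2'
}
ConvertTo-AppGuardReport -Policy $sample | Format-List
# On a managed device: ConvertTo-AppGuardReport -Policy (Get-AppGuardPolicy) | Format-List
```

The `??` operator requires PowerShell 7; on Windows PowerShell 5.1 replace each `($Policy['X'] ?? 0)` with a `ContainsKey` check like the one used for the clipboard value. Pair the report with `Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard`, because a policy written to a device on which the feature is not installed enforces nothing, and the report would then describe isolation that does not exist.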