Configure Microsoft Defender Application Guard policy settings
Note
- Microsoft Defender Application Guard, including the Windows Isolated App Launcher APIs, is deprecated for Microsoft Edge for Business and will no longer be updated. To learn more about Microsoft Edge security capabilities, see Microsoft Edge For Business Security.
- Starting with Windows 11, version 24H2, Microsoft Defender Application Guard, including the Windows Isolated App Launcher APIs, is no longer available.
- Because Application Guard is deprecated there will not be a migration to Edge Manifest V3. The corresponding browser extensions and associated Windows Store app are no longer available. If you want to block unprotected browsers until you are ready to retire MDAG usage in your enterprise, we recommend using AppLocker policies or Microsoft Edge management service. For more information, see Microsoft Edge and Microsoft Defender Application Guard.
Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a Group Policy Object, which is linked to a domain, and then apply all those settings to every endpoint in the domain.
Application Guard uses both network isolation and application-specific settings.
Windows edition and licensing requirements
The following table lists the Windows editions that support Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management:
Windows Pro | Windows Enterprise | Windows Pro Education/SE | Windows Education |
---|---|---|---|
No | Yes | No | Yes |
Microsoft Defender Application Guard (MDAG) for Edge enterprise mode and enterprise management license entitlements are granted by the following licenses:
Windows Pro/Pro Education/SE | Windows Enterprise E3 | Windows Enterprise E5 | Windows Education A3 | Windows Education A5 |
---|---|---|---|---|
No | Yes | Yes | Yes | Yes |
For more information about Windows licensing, see Windows licensing overview.
For more information about Microsoft Defender Application Guard (MDAG) for Microsoft Edge in stand-alone mode, see Microsoft Defender Application Guard overview.
Network isolation settings
These settings, located at Computer Configuration\Administrative Templates\Network\Network Isolation
, help you define and manage your organization's network boundaries. Application Guard uses this information to automatically transfer any requests to access the noncorporate resources into the Application Guard container.
Note
For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you don't need to configure network isolation policy to enable Application Guard for Microsoft Edge in managed mode.
Note
You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode. Proxy servers must be a neutral resource listed in the Domains categorized as both work and personal policy.
Policy name | Supported versions | Description |
---|---|---|
Private network ranges for apps | At least Windows Server 2012, Windows 8, or Windows RT | A comma-separated list of IP address ranges that are in your corporate network. Included endpoints or endpoints that are included within a specified IP address range, are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. |
Enterprise resource domains hosted in the cloud | At least Windows Server 2012, Windows 8, or Windows RT | A pipe-separated (| ) list of your domain cloud resources. Included endpoints are rendered using Microsoft Edge and won't be accessible from the Application Guard environment. This list supports the wildcards detailed in the Network isolation settings wildcards table. |
Domains categorized as both work and personal | At least Windows Server 2012, Windows 8, or Windows RT | A comma-separated list of domain names used as both work or personal resources. Included endpoints are rendered using Microsoft Edge and will be accessible from the Application Guard and regular Microsoft Edge environment. This list supports the wildcards detailed in the Network isolation settings wildcards table. |
Network isolation settings wildcards
Value | Number of dots to the left | Meaning |
---|---|---|
contoso.com |
0 | Trust only the literal value of contoso.com . |
www.contoso.com |
0 | Trust only the literal value of www.contoso.com . |
.contoso.com |
1 | Trust any domain that ends with the text contoso.com . Matching sites include spearphishingcontoso.com , contoso.com , and www.contoso.com . |
..contoso.com |
2 | Trust all levels of the domain hierarchy that are to the left of the dot. Matching sites include shop.contoso.com , us.shop.contoso.com , www.us.shop.contoso.com , but NOT contoso.com itself. |
Application-specific settings
These settings, located at Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard
, can help you to manage your organization's implementation of Application Guard.
Name | Supported versions | Description | Options |
---|---|---|---|
Configure Microsoft Defender Application Guard clipboard settings | Windows 10 Enterprise, 1709 or higher Windows 10 Education, 1809 or higher Windows 11 Enterprise and Education |
Determines whether Application Guard can use the clipboard functionality. | Enabled. This is effective only in managed mode. Turns on the clipboard functionality and lets you choose whether to additionally: - Disable the clipboard functionality completely when Virtualization Security is enabled. - Enable copying of certain content from Application Guard into Microsoft Edge. - Enable copying of certain content from Microsoft Edge into Application Guard. Important: Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended. Disabled or not configured. Completely turns off the clipboard functionality for Application Guard. |
Configure Microsoft Defender Application Guard print settings | Windows 10 Enterprise, 1709 or higher Windows 10 Education, 1809 or higher Windows 11 Enterprise and Education |
Determines whether Application Guard can use the print functionality. | Enabled. This is effective only in managed mode. Turns on the print functionality and lets you choose whether to additionally: - Enable Application Guard to print into the XPS format. - Enable Application Guard to print into the PDF format. - Enable Application Guard to print to locally attached printers. - Enable Application Guard to print from previously connected network printers. Employees can't search for other printers. Disabled or not configured. Completely turns Off the print functionality for Application Guard. |
Allow Persistence | Windows 10 Enterprise, 1709 or higher Windows 10 Education, 1809 or higher Windows 11 Enterprise and Education |
Determines whether data persists across different sessions in Microsoft Defender Application Guard. | Enabled. This is effective only in managed mode. Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions. Disabled or not configured. All user data within Application Guard is reset between sessions. NOTE: If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data. To reset the container: |
Turn on Microsoft Defender Application Guard in Managed Mode | Windows 10 Enterprise, 1709 or higher Windows 10 Education, 1809 or higher Windows 11 Enterprise and Education |
Determines whether to turn on Application Guard for Microsoft Edge and Microsoft Office. | Enabled. Turns on Application Guard for Microsoft Edge and/or Microsoft Office, honoring the network isolation settings, rendering untrusted content in the Application Guard container. Application Guard won't actually be turned on unless the required prerequisites and network isolation settings are already set on the device. Available options: - Enable Microsoft Defender Application Guard only for Microsoft Edge - Enable Microsoft Defender Application Guard only for Microsoft Office - Enable Microsoft Defender Application Guard for both Microsoft Edge and Microsoft Office Disabled. Turns off Application Guard, allowing all apps to run in Microsoft Edge and Microsoft Office. Note: For Windows 10, if you have KB5014666 installed, and for Windows 11, if you have KB5014668 installed, you're no longer required to configure network isolation policy to enable Application Guard for Microsoft Edge. |
Allow files to download to host operating system | Windows 10 Enterprise or Pro, 1803 or higher Windows 10 Education, 1809 or higher Windows 11 Enterprise or Pro or Education |
Determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container. | Enabled. Allows users to save downloaded files from the Microsoft Defender Application Guard container to the host operating system. This action creates a share between the host and container that also allows for uploads from the host to the Application Guard container. Disabled or not configured. Users aren't able to save downloaded files from Application Guard to the host operating system. |
Allow hardware-accelerated rendering for Microsoft Defender Application Guard | Windows 10 Enterprise, 1709 or higher Windows 10 Education, 1809 or higher Windows 11 Enterprise and Education |
Determines whether Microsoft Defender Application Guard renders graphics using hardware or software acceleration. | Enabled. This is effective only in managed mode. Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering. Important: Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device. Disabled or not configured. Microsoft Defender Application Guard uses software-based (CPU) rendering and won't load any third-party graphics drivers or interact with any connected graphics hardware. |
Allow camera and microphone access in Microsoft Defender Application Guard | Windows 10 Enterprise, 1709 or higher Windows 10 Education, 1809 or higher Windows 11 Enterprise and Education |
Determines whether to allow camera and microphone access inside Microsoft Defender Application Guard. | Enabled. This is effective only in managed mode. Applications inside Microsoft Defender Application Guard are able to access the camera and microphone on the user's device. Important: Enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. Disabled or not configured. Applications inside Microsoft Defender Application Guard are unable to access the camera and microphone on the user's device. |
Allow Microsoft Defender Application Guard to use Root Certificate Authorities from a user's device | Windows 10 Enterprise or Pro, 1809 or higher Windows 10 Education, 1809 or higher Windows 11 Enterprise or Pro |
Determines whether Root Certificates are shared with Microsoft Defender Application Guard. | Enabled. Certificates matching the specified thumbprint are transferred into the container. Use a comma to separate multiple certificates. Disabled or not configured. Certificates aren't shared with Microsoft Defender Application Guard. |
Allow auditing events in Microsoft Defender Application Guard | Windows 10 Enterprise, 1709 or higher Windows 10 Education, 1809 or higher Windows 11 Enterprise and Education |
This policy setting allows you to decide whether auditing events can be collected from Microsoft Defender Application Guard. | Enabled. This is effective only in managed mode. Application Guard inherits auditing policies from your device and logs system events from the Application Guard container to your host. Disabled or not configured. Event logs aren't collected from your Application Guard container. |
Application Guard support dialog settings
These settings are located at Administrative Templates\Windows Components\Windows Security\Enterprise Customization
. If an error is encountered, you're presented with a dialog box. By default, this dialog box only contains the error information and a button for you to report it to Microsoft via the feedback hub. However, it's possible to provide additional information in the dialog box.
Use Group Policy to enable and customize contact information.