18.9.77.4 (NG) Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'

Information

This policy setting allows you to decide how the clipboard behaves while in Windows Defender Application Guard (Application Guard).
The recommended state for this setting is: Enabled: Enable clipboard operation from an isolated session to the host.
Note: Windows Defender Application Guard requires a 64-bit version of Windows and a CPU supporting hardware-assisted CPU virtualization (Intel VT-x or AMD-V). This feature is not officially supported on virtual hardware, although it can work on VMs (especially for testing) provided that the hardware-assisted CPU virtualization feature is exposed by the host to the guest VM.
More information on system requirements for this feature can be found at this link:
System requirements for Windows Defender Application Guard (Windows 10) | Microsoft Docs
Rationale:
The primary purpose of Application Guard is to present a 'sandboxed container' for visiting untrusted websites. If the host clipboard is made available to Application Guard, a compromised Application Guard session will have access to its content, potentially exposing sensitive information to a malicious website or application. However, the risk is reduced if the Application Guard clipboard is made accessible to the host, and indeed that functionality may often be necessary from an operational standpoint.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: Enable clipboard operation from an isolated session to the host
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
Impact:
Application Guard sessions will not be able to access the host device's clipboard, however the host device will be able to access the Application Guard session clipboard.
Default Value:
Disabled. (All clipboard functionality is turned off in Application Guard.)
CIS Controls:
Version 6
13 Data Protection
Data Protection
Version 7
13 Data Protection
Data Protection

Item Details

Audit Name: CIS Microsoft Windows 10 Enterprise (Release 1803) v1.5.0 Level 1 Next Generation

References: CSCv6|13, CSCv7|13

Plugin: Windows

Control ID: 18f7831a1d93b4289a5b7569b52c094ed12679c3777d1b8c634f678a5d392753

Detections

Analytics

18.9.77.4 (NG) Ensure 'Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting' is set to 'Enabled: Enable clipboard operation from an isolated session to the host'

Information

Solution

See Also

Item Details