Information
This policy setting allows you to decide how the clipboard behaves while in Microsoft Defender Application Guard.
The recommended state for this setting is: Enabled: Enable clipboard operation from an isolated session to the host
Note: Microsoft Defender Application Guard requires a 64-bit version of Windows and a CPU supporting hardware-assisted CPU virtualization (Intel VT-x or AMD-V). This feature is not officially supported on virtual hardware, although it can work on VMs (especially for testing) provided that the hardware-assisted CPU virtualization feature is exposed by the host to the guest VM.
More information on system requirements for this feature can be found at
System requirements for Microsoft Defender Application Guard (Windows 10) | Microsoft Docs
Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.
The primary purpose of Microsoft Defender Application Guard is to present a 'sandboxed container' for visiting untrusted websites. If the host clipboard is made available to Microsoft Defender Application Guard, a compromised Microsoft Defender Application Guard session will have access to its content, potentially exposing sensitive information to a malicious website or application. However, the risk is reduced if the Microsoft Defender Application Guard clipboard is made accessible to the host, and indeed that functionality may often be necessary from an operational standpoint.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: Enable clipboard operation from an isolated session to the host
Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting
Note: This Group Policy path is provided by the Group Policy template AppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named
Configure Windows Defender Application Guard clipboard settings: Clipboard behavior setting
, but it was renamed to
Configure Microsoft Defender Application Guard clipboard settings: Clipboard behavior setting
starting with the Windows 10 Release 2004 Administrative Templates.
Impact:
Note: This setting was moved from the Next Generation (NG) profile to the Level 1 (L1) profile for the Windows 11 Operating System only NG profile settings were isolated from the L1 profile due to potential hardware compatibility issues. The Windows 11 Operating System is dependent on the same hardware as the NG settings, so hardware compatibility is no longer an issue.
Microsoft Defender Application Guard sessions will not be able to access the host device's clipboard, however the host device will be able to access the Microsoft Defender Application Guard session clipboard.