Citrix Endpoint Management

Application Guard device policy

The Application Guard policy specifies Windows Defender Application Guard settings. The settings include whether to enable Application Guard and controls for clipboard behavior.

Windows Defender Application Guard protects your environment from sites that haven’t been defined as trusted by your organization. When users visit sites that aren’t listed in your isolated network boundary, the sites open in a virtual browsing session in Hyper-V. Enterprise cloud resources define trusted sites.

Requirements

  • Devices running Windows 10 Enterprise (64-bit) or Windows 11 Enterprise (64-bit). A device restart is required to install Windows Defender Application Guard.
  • Microsoft Edge browser

Windows Desktop and Tablet settings


  • Application guard: Enables Application Guard. Default is Off.
    • Enterprise cloud resources: A comma-separated list of enterprise cloud domains.
  • Clipboard behavior: Controls which directions content can be copied and pasted. The options are as follows:

    • Not configured
    • Allow copy and paste only from browser to PC: Allows users to copy and paste content only from their browser to their PC.
    • Allow copy and paste only from PC to browser: Allows users to copy and paste content only from their PC to their browser.
    • Allow copy and paste between PC and browser: Allows users to copy and paste content freely between their PC and browser.
    • Block copy and paste between PC and browser: Does not allow users to copy and paste content between their PC and browser.
  • Clipboard content: Controls which content users can copy and paste. The options are as follows:
    • No restriction
    • Allow text copying: Allows users to copy text only.
    • Allow image copying: Allows users to copy images only.
    • Allow both text and image copying: Allows users to copy both text and images.
  • Block external content on enterprise sites: If On, Windows Defender Application Guard prevents content from unapproved sites from loading on enterprise sites. Default is Off.
  • Retain user-generated browser data: If On, data that users create during an Application Guard virtual browsing session is saved. This data includes things like passwords, favorites, and cookies. Default is Off.
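
A review check for the settings listed above, as an added example (not Citrix code): it parses the comma-separated Enterprise cloud resources list and reports values that widen the trusted boundary or relax isolation. The dictionary keys, function names and sample domains are assumptions constructed for illustration; they are not Citrix or Windows identifiers.

```python
import re

LABEL = re.compile(r"(?!-)[a-z0-9-]{1,63}(?<!-)")  # one DNS label
CLIPBOARD_DIRECTIONS = {  # option text as listed on this page
    "Allow copy and paste only from browser to PC": ["browser-to-PC"],
    "Allow copy and paste only from PC to browser": ["PC-to-browser"],
    "Allow copy and paste between PC and browser": ["browser-to-PC", "PC-to-browser"],
}

def parse_cloud_resources(raw):
    """Split the comma-separated domain list into (domains, problems)."""
    domains, problems = [], []
    for entry in raw.split(","):
        host = entry.strip().lower()
        labels = host.split(".")
        if not host:
            problems.append("empty entry (stray comma)")
        elif host.startswith("*"):
            problems.append(f"{host}: wildcard entry, confirm the breadth is intended")
        elif not all(LABEL.fullmatch(label) for label in labels):
            problems.append(f"{host}: not a valid domain name")
        elif len(labels) < 2:
            problems.append(f"{host}: single label, does not name one enterprise domain")
        else:
            domains.append(host)
    return domains, problems

def review_policy(policy):
    """Return review findings for a policy dict (hypothetical keys, see lead-in)."""
    findings = []
    if not policy.get("application_guard", False):
        findings.append("Application Guard is Off (the default)")
    domains, problems = parse_cloud_resources(policy.get("enterprise_cloud_resources", ""))
    findings += [f"cloud resources: {p}" for p in problems]
    if not domains:
        findings.append("no usable enterprise cloud domain: no site is defined as trusted")
    for direction in CLIPBOARD_DIRECTIONS.get(policy.get("clipboard_behavior"), []):
        findings.append(f"clipboard: {direction} copy and paste is allowed")
    if not policy.get("block_external_content", False):
        findings.append("external content on enterprise sites is not blocked (the default)")
    if policy.get("retain_user_data", False):
        findings.append("browser data (passwords, favorites, cookies) is retained")
    return findings

# Constructed sample policy; the domains use the reserved .example TLD.
SAMPLE_POLICY = {"application_guard": True, "retain_user_data": True,
    "enterprise_cloud_resources": "intranet.corp.example, com,*.corp.example,bad_host!,",
    "clipboard_behavior": "Allow copy and paste between PC and browser",
    "block_external_content": False}
if __name__ == "__main__":
    print("\n".join(review_policy(SAMPLE_POLICY)))
```
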