WindowsDefenderApplicationGuard 云解决方案提供商WindowsDefenderApplicationGuard CSP

企业使用 WindowsDefenderApplicationGuard 配置 (CSP) ,以配置 Microsoft Defender 应用程序防护中的设置。The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. 此 CSP 已添加到 Windows 10 版本 1709 中。This CSP was added in Windows 10, version 1709.

下面以树格式显示 WindowsDefenderApplicationGuard 配置服务提供程序。The following shows the WindowsDefenderApplicationGuard configuration service provider in tree format.

./Device/Vendor/MSFT
WindowsDefenderApplicationGuard
----Settings
--------AllowWindowsDefenderApplicationGuard
--------ClipboardFileType
--------ClipboardSettings
--------PrintingSettings
--------BlockNonEnterpriseContent
--------AllowPersistence
--------AllowVirtualGPU
--------SaveFilesToHost
--------CertificateThumbprints
--------AllowCameraMicrophoneRedirection
----Status
----PlatformStatus
----InstallWindowsDefenderApplicationGuard
----Audit
--------AuditApplicationGuard

./Device/Vendor/MSFT/WindowsDefenderApplicationGuard./Device/Vendor/MSFT/WindowsDefenderApplicationGuard
根节点。Root node. 支持的操作为 Get。Supported operation is Get.

“设置”Settings
内部节点。Interior node. 支持的操作为 Get。Supported operation is Get.

Settings/AllowWindowsDefenderApplicationGuardSettings/AllowWindowsDefenderApplicationGuard
在企业模式下打开 Microsoft Defender 应用程序防护。Turn on Microsoft Defender Application Guard in Enterprise Mode.

值类型为整数。Value type is integer. 支持的操作包括添加、获取、替换和删除。Supported operations are Add, Get, Replace, and Delete.

以下列表显示支持的值:The following list shows the supported values:

  • 0 - 禁用 Microsoft Defender 应用程序防护0 - Disable Microsoft Defender Application Guard
  • 1 - 仅为 Microsoft Edge 启用 Microsoft Defender 应用程序防护1 - Enable Microsoft Defender Application Guard for Microsoft Edge ONLY
  • 2 - 仅为隔离的 Windows 环境启用 Microsoft Defender 应用程序防护2 - Enable Microsoft Defender Application Guard for isolated Windows environments ONLY
  • 3 - 为 Microsoft Edge 和隔离的 Windows 环境启用 Microsoft Defender 应用程序防护3 - Enable Microsoft Defender Application Guard for Microsoft Edge AND isolated Windows environments

Settings/ClipboardFileTypeSettings/ClipboardFileType
确定可以从主机复制到应用程序防护环境的内容类型,反之亦然。Determines the type of content that can be copied from the host to Application Guard environment and vice versa.

值类型为整数。Value type is integer. 支持的操作包括添加、获取、替换和删除。Supported operations are Add, Get, Replace, and Delete.

此策略设置在 Windows 10 企业版上的 Microsoft Edge 或 Windows 10 教育版(在企业模式下使用 Microsoft Defender 应用程序防护)受支持。This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.

以下列表显示支持的值:The following list shows the supported values:

  • 1 - 允许文本复制。1 - Allow text copying.
  • 2 - 允许复制图像。2 - Allow image copying.
  • 3 - 允许复制文本和图像。3 - Allow text and image copying.

ADMX 信息:ADMX Info:

  • GP 中文名称: 配置 Microsoft Defender 应用程序防护剪贴板设置GP English name: Configure Microsoft Defender Application Guard clipboard settings
  • GP 名称 :AppHVSIClipboardFileTypeGP name: AppHVSIClipboardFileType
  • GP 路径 :Windows 组件/Microsoft Defender 应用程序防护GP path: Windows Components/Microsoft Defender Application Guard
  • GP ADMX 文件名 :AppHVSI.admxGP ADMX file name: AppHVSI.admx

Settings/ClipboardSettingsSettings/ClipboardSettings
此策略设置允许你决定剪贴板在应用程序防护中的行为方式。This policy setting allows you to decide how the clipboard behaves while in Application Guard.

值类型为整数。Value type is integer. 支持的操作包括添加、获取、替换和删除。Supported operations are Add, Get, Replace, and Delete.

此策略设置在 Windows 10 企业版上的 Microsoft Edge 或 Windows 10 教育版(在企业模式下使用 Microsoft Defender 应用程序防护)受支持。This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.

以下列表显示支持的值:The following list shows the supported values:

  • 0 (默认) - 完全关闭应用程序防护的剪贴板功能。0 (default) - Completely turns Off the clipboard functionality for the Application Guard.
  • 1 - 打开从独立会话到主机的剪贴板操作。1 - Turns On clipboard operation from an isolated session to the host.
  • 2 - 打开从主机到独立会话的剪贴板操作。2 - Turns On clipboard operation from the host to an isolated session.
  • 3 - 在两个方向打开剪贴板操作。3 - Turns On clipboard operation in both the directions.

重要

允许将 Microsoft Edge 中的内容复制到应用程序防护可能会导致潜在安全风险,因此不建议使用。Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.

ADMX 信息:ADMX Info:

  • GP 中文名称: 配置 Microsoft Defender 应用程序防护剪贴板设置GP English name: Configure Microsoft Defender Application Guard clipboard settings
  • GP 名称 :AppHVSIClipboardSettingsGP name: AppHVSIClipboardSettings
  • GP 路径 :Windows 组件/Microsoft Defender 应用程序防护GP path: Windows Components/Microsoft Defender Application Guard
  • GP ADMX 文件名 :AppHVSI.admxGP ADMX file name: AppHVSI.admx

Settings/PrintingSettingsSettings/PrintingSettings
此策略设置允许你决定在应用程序防护中打印功能的行为方式。This policy setting allows you to decide how the print functionality behaves while in Application Guard.

值类型为整数。Value type is integer. 支持的操作包括添加、获取、替换和删除。Supported operations are Add, Get, Replace, and Delete.

此策略设置在 Windows 10 企业版上的 Microsoft Edge 或 Windows 10 教育版(在企业模式下使用 Microsoft Defender 应用程序防护)受支持。This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.

以下列表显示支持的值:The following list shows the supported values:

  • 0 (默认) - 禁用所有打印功能。0 (default) - Disables all print functionality.
  • 1 - 仅启用 XPS 打印。1 - Enables only XPS printing.
  • 2 - 仅启用 PDF 打印。2 - Enables only PDF printing.
  • 3 - 同时启用 PDF 和 XPS 打印。3 - Enables both PDF and XPS printing.
  • 4 - 仅启用本地打印。4 - Enables only local printing.
  • 5 - 同时启用本地打印和 XPS 打印。5 - Enables both local and XPS printing.
  • 6 - 同时启用本地打印和 PDF 打印。6 - Enables both local and PDF printing.
  • 7 - 启用本地、PDF 和 XPS 打印。7 - Enables local, PDF, and XPS printing.
  • 8 - 仅启用网络打印。8 - Enables only network printing.
  • 9 - 同时启用网络和 XPS 打印。9 - Enables both network and XPS printing.
  • 10 - 同时启用网络和 PDF 打印。10 - Enables both network and PDF printing.
  • 11 - 启用网络、PDF 和 XPS 打印。11 - Enables network, PDF, and XPS printing.
  • 12 - 同时启用网络和本地打印。12 - Enables both network and local printing.
  • 13 - 启用网络、本地和 XPS 打印。13 - Enables network, local, and XPS printing.
  • 14 - 启用网络、本地和 PDF 打印。14 - Enables network, local, and PDF printing.
  • 15 - 启用所有打印。15 - Enables all printing.

ADMX 信息:ADMX Info:

  • GP 中文名称: 配置 Microsoft Defender 应用程序防护打印设置GP English name: Configure Microsoft Defender Application Guard print settings
  • GP 名称 :AppHVSIPrintingSettingsGP name: AppHVSIPrintingSettings
  • GP 路径 :Windows 组件/Microsoft Defender 应用程序防护GP path: Windows Components/Microsoft Defender Application Guard
  • GP ADMX 文件名 :AppHVSI.admxGP ADMX file name: AppHVSI.admx

Settings/BlockNonEnterpriseContentSettings/BlockNonEnterpriseContent
此策略设置允许你决定网站是否可以在 Microsoft Edge 中加载非企业内容Internet Explorer。This policy setting allows you to decide whether websites can load non-enterprise content in Microsoft Edge and Internet Explorer.

值类型为整数。Value type is integer. 支持的操作包括添加、获取、替换和删除。Supported operations are Add, Get, Replace, and Delete.

此策略设置在 Windows 10 企业版上的 Microsoft Edge 或 Windows 10 教育版(在企业模式下使用 Microsoft Defender 应用程序防护)受支持。This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.

以下列表显示支持的值:The following list shows the supported values:

  • 0 (默认) - 允许嵌入在企业站点中的非企业内容在 Microsoft Defender 应用程序防护容器外部直接在 microsoft Internet Explorer 和 Microsoft Edge 中打开。0 (default) - Non-enterprise content embedded in enterprise sites is allowed to open outside of the Microsoft Defender Application Guard container, directly in Internet Explorer and Microsoft Edge.
  • 1 - 企业网站上嵌入的非企业内容Internet Explorer Microsoft Defender 应用程序防护外部的 Microsoft Edge 中打开。1 - Non-enterprise content embedded on enterprise sites are stopped from opening in Internet Explorer or Microsoft Edge outside of Microsoft Defender Application Guard.

备注

新的 Microsoft Edge 浏览器不再支持此策略设置。This policy setting is no longer supported in the new Microsoft Edge browser. 该策略将在未来版本中弃用和删除。The policy will be deprecated and removed in a future release. 如果启用此功能,包含混合内容(企业和非企业)的网页可能无法正确加载或完全失败。Webpages that contain mixed content, both enterprise and non-enterprise, may load incorrectly or fail completely if this feature is enabled.

ADMX 信息:ADMX Info:

  • GP 中文名称 :阻止企业网站在 Microsoft Edge 中加载非企业Internet ExplorerGP English name: Prevent enterprise websites from loading non-enterprise content in Microsoft Edge and Internet Explorer
  • GP 名称 :BlockNonEnterpriseContentGP name: BlockNonEnterpriseContent
  • GP 路径 :Windows 组件/Microsoft Defender 应用程序防护GP path: Windows Components/Microsoft Defender Application Guard
  • GP ADMX 文件名 :AppHVSI.admxGP ADMX file name: AppHVSI.admx

Settings/AllowPersistenceSettings/AllowPersistence
此策略设置允许你决定数据是否应该在应用程序防护中的不同会话中保留。This policy setting allows you to decide whether data should persist across different sessions in Application Guard.

值类型为整数。Value type is integer. 支持的操作包括添加、获取、替换和删除。Supported operations are Add, Get, Replace, and Delete.

此策略设置在 Windows 10 企业版上的 Microsoft Edge 或 Windows 10 教育版(在企业模式下使用 Microsoft Defender 应用程序防护)受支持。This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.

以下列表显示支持的值:The following list shows the supported values:

  • 0 - 应用程序防护在计算机重启或用户注销期间 (用户下载的文件和其他项目,例如) Cookie、收藏夹等。0 - Application Guard discards user-downloaded files and other items (such as, cookies, Favorites, and so on) during machine restart or user log-off.
  • 1 - 应用程序防护保存用户下载的文件和其他项目 (Cookie、收藏夹等) 供将来应用程序防护会话使用。1 - Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.

ADMX 信息:ADMX Info:

  • GP 中文名称 :允许 Microsoft Defender 应用程序防护的数据持久性GP English name: Allow data persistence for Microsoft Defender Application Guard
  • GP 名称 :AllowPersistenceGP name: AllowPersistence
  • GP 路径 :Windows 组件/Microsoft Defender 应用程序防护GP path: Windows Components/Microsoft Defender Application Guard
  • GP ADMX 文件名 :AppHVSI.admxGP ADMX file name: AppHVSI.admx

Settings/AllowVirtualGPUSettings/AllowVirtualGPU
已添加到 Windows 10 版本 1803。Added in Windows 10, version 1803. 此策略设置允许你确定应用程序防护是否可以使用虚拟图形处理单元 (GPU) 处理图形。This policy setting allows you to determine whether Application Guard can use the virtual Graphics Processing Unit (GPU) to process graphics.

值类型为整数。Value type is integer. 支持的操作包括添加、获取、替换和删除。Supported operations are Add, Get, Replace, and Delete.

此策略设置在 Windows 10 企业版上的 Microsoft Edge 或 Windows 10 教育版(在企业模式下使用 Microsoft Defender 应用程序防护)受支持。This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.

如果启用此设置,Microsoft Defender 应用程序防护将使用 Hyper-V GPU 访问受支持的高安全性呈现图形硬件 (GPU) 。If you enable this setting, Microsoft Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). 这些 GPU 提高了呈现性能和电池使用时间,同时使用 Microsoft Defender 应用程序防护,尤其是视频播放和其他图形密集型用例。These GPUs improve rendering performance and battery life while using Microsoft Defender Application Guard, particularly for video playback and other graphics-intensive use cases. 如果在不连接任何高安全性呈现图形硬件的情况下启用此设置,Microsoft Defender 应用程序防护将自动恢复为基于软件 (CPU) 呈现。If you enable this setting without connecting any high-security rendering graphics hardware, Microsoft Defender Application Guard will automatically revert to software-based (CPU) rendering.

以下列表显示支持的值:The following list shows the supported values:

  • 0 (默认) - 无法访问 vGPU 并使用 CPU 来支持呈现图形。0 (default) - Cannot access the vGPU and uses the CPU to support rendering graphics. 如果策略未配置,则与在 0 或 0 (相同) 。When the policy is not configured, it is the same as disabled (0).
  • 1 - 打开功能以访问 vGPU 卸载从 CPU 呈现的图形。1 - Turns on the functionality to access the vGPU offloading graphics rendering from the CPU. 这样,在使用图形密集网站或在容器内观看视频时,可以创建更快速的体验。This can create a faster experience when working with graphics intense websites or watching video within the container.

警告

使用可能受到威胁的图形设备或驱动程序启用此设置可能会给主机设备带来风险。Enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.

ADMX 信息:ADMX Info:

  • GP 中文名称:允许 Microsoft Defender 应用程序 防护的硬件加速呈现GP English name: Allow hardware-accelerated rendering for Microsoft Defender Application Guard
  • GP 名称 :AllowVirtualGPUGP name: AllowVirtualGPU
  • GP 路径 :Windows 组件/Microsoft Defender 应用程序防护GP path: Windows Components/Microsoft Defender Application Guard
  • GP ADMX 文件名 :AppHVSI.admxGP ADMX file name: AppHVSI.admx

Settings/SaveFilesToHostSettings/SaveFilesToHost
已添加到 Windows 10 版本 1803。Added in Windows 10, version 1803. 此策略设置允许你确定用户是否可以选择从容器中的边缘下载文件,以及将文件从容器保留到主机操作系统。This policy setting allows you to determine whether users can elect to download files from Edge in the container and persist files them from container to the host operating system. 这还允许用户选择主机操作系统上的文件,并通过容器中的 Edge 上载文件。This also enables users to elect files on the host operating system and upload it through Edge in the container.

值类型为整数。Value type is integer. 支持的操作包括添加、获取、替换和删除。Supported operations are Add, Get, Replace, and Delete.

此策略设置在 Windows 10 企业版上的 Microsoft Edge 或 Windows 10 教育版(在企业模式下使用 Microsoft Defender 应用程序防护)受支持。This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.

以下列表显示支持的值:The following list shows the supported values:

  • 0 (默认) - 用户无法将容器中的边缘文件下载到主机文件系统,或将文件从主机文件系统上载到容器中的边缘。0 (default) - The user cannot download files from Edge in the container to the host file system, or upload files from host file system to Edge in the container. 如果策略未配置,则与在 0 或 0 (相同) 。When the policy is not configured, it is the same as disabled (0).
  • 1 - 启用允许用户将容器中的边缘文件下载到主机文件系统的功能。1 - Turns on the functionality to allow users to download files from Edge in the container to the host file system.

ADMX 信息:ADMX Info:

  • GP 中文名称 :允许从 Microsoft Defender应用程序防护下载文件并将其保存到主机操作系统GP English name: Allow files to download and save to the host operating system from Microsoft Defender Application Guard
  • GP 名称 :SaveFilesToHostGP name: SaveFilesToHost
  • GP 路径 :Windows 组件/Microsoft Defender 应用程序防护GP path: Windows Components/Microsoft Defender Application Guard
  • GP ADMX 文件名 :AppHVSI.admxGP ADMX file name: AppHVSI.admx

Settings/CertificateThumbprintsSettings/CertificateThumbprints
在 Windows 10 版本 1809 中添加。Added in Windows 10, version 1809. 此策略设置允许与 Microsoft Defender 应用程序防护容器共享某些设备级别的根证书。This policy setting allows certain device level Root Certificates to be shared with the Microsoft Defender Application Guard container.

值类型为字符串。Value type is string. 支持的操作包括添加、获取、替换和删除。Supported operations are Add, Get, Replace, and Delete.

此策略设置在 Windows 10 企业版上的 Microsoft Edge 或 Windows 10 教育版(在企业模式下使用 Microsoft Defender 应用程序防护)受支持。This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.

如果启用此设置,则指纹与指定证书匹配的证书将传输到容器中。If you enable this setting, certificates with a thumbprint matching the ones specified will be transferred into the container. 可以使用逗号指定多个证书,以分隔要传输的每个证书的指纹。Multiple certificates can be specified by using a comma to separate the thumbprints for each certificate you want to transfer.

下面是一个示例:Here's an example:
b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924b4e72779a8a362c860c36a6461f31e3aa7e58c14,1b1d49f06d2a697a544a1059bd59a7b058cda924

如果禁用或不配置此设置,则证书不会与 Microsoft Defender 应用程序防护容器共享。If you disable or don’t configure this setting, certificates are not shared with the Microsoft Defender Application Guard container.

ADMX 信息:ADMX Info:

  • GP 中文名称 :允许 Microsoft Defender 应用程序防护从用户设备使用根证书颁发机构GP English name: Allow Microsoft Defender Application Guard to use Root Certificate Authorities from the user's device
  • GP 名称 :CertificateThumbprintsGP name: CertificateThumbprints
  • GP 路径 :Windows 组件/Microsoft Defender 应用程序防护GP path: Windows Components/Microsoft Defender Application Guard
  • GP ADMX 文件名 :AppHVSI.admxGP ADMX file name: AppHVSI.admx

备注

若要强制执行此策略,需要设备重启或用户登录/注销。To enforce this policy, device restart or user logon/logoff is required.

Settings/AllowCameraMicrophoneRedirectionSettings/AllowCameraMicrophoneRedirection
在 Windows 10 版本 1809 中添加。Added in Windows 10, version 1809. 此策略设置允许你确定在用户设备上启用这些设置时,Microsoft Defender 应用程序防护内的应用程序是否可以访问设备的相机和麦克风。This policy setting allows you to determine whether applications inside Microsoft Defender Application Guard can access the device’s camera and microphone when these settings are enabled on the user’s device.

值类型为整数。Value type is integer. 支持的操作包括添加、获取、替换和删除。Supported operations are Add, Get, Replace, and Delete.

此策略设置在 Windows 10 企业版上的 Microsoft Edge 或 Windows 10 教育版(在企业模式下使用 Microsoft Defender 应用程序防护)受支持。This policy setting is supported on Microsoft Edge on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.

如果启用此策略设置,Microsoft Defender 应用程序防护内的应用程序将能够访问用户设备上相机和麦克风。If you enable this policy setting, applications inside Microsoft Defender Application Guard will be able to access the camera and microphone on the user’s device.

如果禁用或不配置此策略设置,Microsoft Defender 应用程序防护内的应用程序将无法访问用户设备上相机和麦克风。If you disable or don't configure this policy setting, applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user’s device.

以下列表显示支持的值:The following list shows the supported values:

  • 0 (默认) - Microsoft Defender 应用程序防护无法访问设备的相机和麦克风。0 (default) - Microsoft Defender Application Guard cannot access the device’s camera and microphone. 如果策略未配置,则与在 0 或 0 (相同) 。When the policy is not configured, it is the same as disabled (0).
  • 1 - 启用允许 Microsoft Defender 应用程序防护访问设备的相机和麦克风的功能。1 - Turns on the functionality to allow Microsoft Defender Application Guard to access the device’s camera and microphone.

重要

如果打开此策略设置,损坏的容器可能会绕过相机和麦克风权限,在用户不知情的情况下访问相机和麦克风。If you turn on this policy setting, a compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge. 为了防止未经授权的访问,我们建议在不需要时在用户设备上关闭相机和麦克风隐私设置。To prevent unauthorized access, we recommend that camera and microphone privacy settings be turned off on the user's device when they are not needed.

ADMX 信息:ADMX Info:

  • GP 中文名称:允许在 Microsoft Defender 应用程序防护中访问相机和麦克风GP English name: Allow camera and microphone access in Microsoft Defender Application Guard
  • GP 名称 :AllowCameraMicrophoneRedirectionGP name: AllowCameraMicrophoneRedirection
  • GP 路径 :Windows 组件/Microsoft Defender 应用程序防护GP path: Windows Components/Microsoft Defender Application Guard
  • GP ADMX 文件名 :AppHVSI.admxGP ADMX file name: AppHVSI.admx

状态Status
返回位掩码,指示设备上应用程序防护安装的状态和先决条件。Returns bitmask that indicates status of Application Guard installation and pre-requisites on the device.

值类型为整数。Value type is integer. 支持的操作为 Get。Supported operation is Get.

  • 第 0 位 - 当应用程序防护启用到企业管理模式时,设置为 1。Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
  • 第 1 位 - 当客户端计算机支持功能时,Hyper-V 1。Bit 1 - Set to 1 when the client machine is Hyper-V capable.
  • 第 2 位 - 当客户端计算机具有有效的操作系统许可证和 SKU 时,设置为 1。Bit 2 - Set to 1 when the client machine has a valid OS license and SKU.
  • 第 3 位 - 在客户端计算机上安装应用程序防护时设置为 1。Bit 3 - Set to 1 when Application Guard installed on the client machine.
  • 第 4 位 - 在需要配置网络隔离策略时设置为 1。Bit 4 - Set to 1 when required Network Isolation Policies are configured.
  • 第 5 位 - 当客户端计算机满足最低硬件要求时,设置为 1。Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.
  • 第 6 位 - 在需要重新启动系统时设置为 1。Bit 6 - Set to 1 when system reboot is required.

PlatformStatusPlatformStatus
返回位掩码,指示设备上应用程序防护平台安装和必备组件的状态。Returns bitmask that indicates status of Application Guard platform installation and prerequisites on the device.

值类型为整数。Value type is integer. 支持的操作为 Get。Supported operation is Get.

  • 第 0 位 - 当应用程序防护启用到企业管理模式时,设置为 1。Bit 0 - Set to 1 when Application Guard is enabled into enterprise manage mode.
  • 第 1 位 - 当客户端计算机支持功能时,Hyper-V 1。Bit 1 - Set to 1 when the client machine is Hyper-V capable.
  • 第 2 位 - 保留给 Microsoft。Bit 2 - Reserved for Microsoft.
  • 第 3 位 - 在客户端计算机上安装应用程序防护时设置为 1。Bit 3 - Set to 1 when Application Guard is installed on the client machine.
  • 第 4 位 - 保留给 Microsoft。Bit 4 - Reserved for Microsoft.
  • 第 5 位 - 当客户端计算机满足最低硬件要求时,设置为 1。Bit 5 - Set to 1 when the client machine meets minimum hardware requirements.

InstallWindowsDefenderApplicationGuardInstallWindowsDefenderApplicationGuard
启动应用程序防护功能远程安装。Initiates remote installation of Application Guard feature.

支持的操作包括 Get 和 Execute。Supported operations are Get and Execute.

以下列表显示支持的值:The following list shows the supported values:

  • Install - 将启动功能安装。Install - Will initiate feature install.
  • 卸载 - 将启动功能卸载。Uninstall - Will initiate feature uninstall.

审核Audit
内部节点。Interior node. 支持的操作为 Get。Supported operation is Get.

Audit/AuditApplicationGuardAudit/AuditApplicationGuard
此策略设置允许你决定是否可以从应用程序防护收集审核事件。This policy setting allows you to decide whether auditing events can be collected from Application Guard.

整数值类型。Value type in integer. 支持的操作包括添加、获取、替换和删除。Supported operations are Add, Get, Replace, and Delete.

此策略设置在 Windows 10 企业版或 Windows 10 教育版上受支持,在企业模式下使用 Microsoft Defender 应用程序防护。This policy setting is supported on Windows 10 Enterprise or Windows 10 Education with Microsoft Defender Application Guard in Enterprise mode.

以下列表显示支持的值:The following list shows the supported values:

  • 0 (默认) - 不会为应用程序防护收集审核事件日志。0 (default) - Audit event logs aren't collected for Application Guard.
  • 1 - 应用程序防护从系统继承其审核策略,并开始审核应用程序防护容器的安全事件。1 - Application Guard inherits its auditing policies from system and starts to audit security events for Application Guard container.

ADMX 信息:ADMX Info:

  • GP 中文名称: 允许在 Microsoft Defender 应用程序防护中审核事件GP English name: Allow auditing events in Microsoft Defender Application Guard
  • GP 名称 :AuditApplicationGuardGP name: AuditApplicationGuard
  • GP 路径 :Windows 组件/Microsoft Defender 应用程序防护GP path: Windows Components/Microsoft Defender Application Guard
  • GP ADMX 文件名 :AppHVSI.admxGP ADMX file name: AppHVSI.admx