CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Rationale:

Auditing of Windows Defender Application Guard (WDAG) events may be useful when investigating a security incident.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI:AuditApplicationGuard

Remediation:

To establish the recommended configuration via GP, set the following UI path to Enabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow auditing events in Windows Defender Application Guard

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

Impact:

Windows Defender Application Guard (WDAG) will inherit its auditing policies from Microsoft Edge and start to audit system events specifically for WDAG. Collected logs are available for review on Microsoft Edge, outside of Application Guard.

Default Value:

Disabled. (Audit event logs aren't collected for Windows Defender Application Guard.)

1104 | P a g e