CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

18.9.78.2 (NG) Ensure 'Allow camera and microphone access in Windows Defender Application Guard' is set to 'Disabled' (Scored)

Profile Applicability:

• Level 1 (L1) + Next Generation Windows Security (NG)

• Level 1 (L1) + BitLocker (BL) + Next Generation Windows Security (NG)

• Level 2 (L2) + Next Generation Windows Security (NG)

• Level 2 (L2) + BitLocker (BL) + Next Generation Windows Security (NG)

• Next Generation Windows Security (NG) - optional add-on for use in the newest hardware and configuration environments

Description:

The policy allows you to determine whether applications inside Windows Defender Application Guard (WDAG) can access the device’s camera and microphone.

The recommended state for this setting is: Disabled.

Note: WDAG requires a 64-bit version of Windows and a CPU supporting hardware-assisted CPU virtualization (Intel VT-x or AMD-V). This feature is not officially supported on virtual hardware, although it can work on VMs (especially for testing) provided that the hardware-assisted CPU virtualization feature is exposed by the host to the guest VM.

More information on system requirements for this feature can be found at this link:

System requirements for Windows Defender Application Guard (Windows 10) | Microsoft Docs

Rationale:

In an effort to stop sensitive information from being obtained for malicious use, untrusted sites within the WDAG container should not be accessing the computer's microphone or camera.
