CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI:AllowPersistence

Remediation:

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

Impact:

None - this is the default behavior.

Default Value:

Disabled. (Windows Defender Application Guard (WDAG) deletes all user data within the WDAG container.)

CIS Controls:

Version 6

13 Data Protection Data Protection

Version 7

7.10 Sandbox All Email Attachments Use sandboxing to analyze and block inbound email attachments with malicious behavior.

1109 | P a g e

Made with FlippingBook - Online magazine maker