CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark
18.9.78.4 (NG) Ensure 'Allow files to download and save to the host operating system fromWindows Defender Application Guard' is set to 'Disabled' (Scored)
ProfileApplicability:
Level 1 (L1) + Next Generation Windows Security (NG)
Level 1 (L1) + BitLocker (BL) + Next Generation Windows Security (NG)
Level 2 (L2) + Next Generation Windows Security (NG)
Level 2 (L2) + BitLocker (BL) + Next Generation Windows Security (NG)
Next Generation Windows Security (NG) - optional add-on for use in the newest hardware and configuration environments
Description:
This policy setting determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard (WDAG) container.
The recommended state for this setting is: Disabled .
Note: WDAG requires a 64-bit version of Windows and a CPU supporting hardware- assisted CPU virtualization (Intel VT-x or AMD-V). This feature is not officially supported on virtual hardware, although it can work on VMs (especially for testing) provided that the hardware-assisted CPU virtualization feature is exposed by the host to the guest VM.
More information on system requirements for this feature can be found at this link:
System requirements for Windows Defender Application Guard (Windows 10) | Microsoft Docs
Rationale:
The primary purpose of Windows Defender Application Guard (WDAG) is to present a "sandboxed container". Potentially malicious files should not be copied to the host OS from the sandboxed environment, which could put the host at risk.
1110 | P a g e
Made with FlippingBook - Online magazine maker