CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

18.9.78.5 (NG) Ensure 'Allow users to trust files that open in Windows Defender Application Guard' is set to 'Enabled: 0 (Do not allow users to manually trust files)' OR '2 (Allowusers to manually trust after an antivirus check)' (Scored)

ProfileApplicability:

 Level 1 (L1) + Next Generation Windows Security (NG)

 Level 1 (L1) + BitLocker (BL) + Next Generation Windows Security (NG)

 Level 2 (L2) + Next Generation Windows Security (NG)

 Level 2 (L2) + BitLocker (BL) + Next Generation Windows Security (NG)

 Next Generation Windows Security (NG) - optional add-on for use in the newest hardware and configuration environments

Description:

This policy setting allows you to configure required actions and validations that enable users to trust files that open in Windows Defender Application Guard (WDAG). Upon successful completion, the files will open on the host.

The recommended state for this setting is: Enabled: 0 OR Enabled: 2 .

Note: WDAG requires a 64-bit version of Windows and a CPU supporting hardware- assisted CPU virtualization (Intel VT-x or AMD-V). This feature is not officially supported on virtual hardware, although it can work on VMs (especially for testing) provided that the hardware-assisted CPU virtualization feature is exposed by the host to the guest VM.

More information on system requirements for this feature can be found at this link:

System requirements for Windows Defender Application Guard (Windows 10) | Microsoft Docs

Rationale:

Ensuring that files have been properly scanned before being opened can help prevent malicious files frombeing opened on a system.

1112 | P a g e