CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

18.9.78.7 (NG) Ensure 'Turn on Windows Defender Application Guard in Enterprise Mode' is set to 'Enabled: 1' (Scored)

Profile Applicability:

 Level 1 (L1) + Next Generation Windows Security (NG)

 Level 1 (L1) + BitLocker (BL) + Next Generation Windows Security (NG)

 Level 2 (L2) + Next Generation Windows Security (NG)

 Level 2 (L2) + BitLocker (BL) + Next Generation Windows Security (NG)

 Next Generation Windows Security (NG) - optional add-on for use in the newest hardware and configuration environments

Description:

This policy setting enables application isolation through Windows Defender Application Guard (Application Guard).

There are 4 options available:

0. Disable Windows Defender Application Guard

1. Enable Windows Defender Application Guard for Microsoft Edge ONLY

2. Enable Windows Defender Application Guard for Microsoft Office ONLY

3. Enable Windows Defender Application Guard for Microsoft Edge AND Microsoft Office

The recommended state for this setting is: Enabled: 1 (Enable Windows Defender Application Guard for Microsoft Edge ONLY).

Note: WDAG requires a 64-bit version of Windows and a CPU supporting hardware-assisted CPU virtualization (Intel VT-x or AMD-V). This feature is not officially supported on virtual hardware, although it can work on VMs (especially for testing) provided that the hardware-assisted CPU virtualization feature is exposed by the host to the guest VM.

More information on system requirements for this feature can be found at this link:

System requirements for Windows Defender Application Guard (Windows 10) | Microsoft Docs
