CIS Microsoft Windows 10 Enterprise Release 1909 Benchmark

Note #2: At time of publication, Windows Defender Application Guard (WDAG) in all currently released versions of Windows 10 does not yet support protection for Microsoft Office, only for Microsoft Edge. Therefore the additional available options of 2 and 3 in this setting are not yet valid.

Rationale:

Windows Defender Application Guard (WDAG) uses Windows Hypervisor to create a virtualized environment for apps that are configured to use virtualization-based security isolation. While in isolation, improper user interactions and app vulnerabilities can’t compromise the kernel or any other apps running outside of the virtualized environment.

Audit:

Navigate to the UI Path articulated in the Remediation section and confirm it is set as prescribed. This group policy setting is backed by the following registry location:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\AppHVSI:AllowAppHVSI_ProviderS et

Remediation:

To establish the recommended configuration via GP, set the following UI path to Enabled: 1 :

Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

Impact:

Windows Defender Application Guard (WDAG) will be turned on for Microsoft Edge.

Note: WDAG requires the Internet Connection Sharing (ICS) (SharedAccess) service in order to operate, so an exception to disabling this service (see Section 5) will be required if choosing to enable WDAG.

Default Value:

Disabled. (Windows Defender Application Guard (WDAG) is turned off.)

1119 | P a g e