Information
This policy setting enables application isolation through Windows Defender Application Guard (Application Guard).
The recommended state for this setting is: Enabled.
Note: Windows Defender Application Guard requires a 64-bit version of Windows and a CPU supporting hardware-assisted CPU virtualization (Intel VT-x or AMD-V). This feature is not officially supported on virtual hardware, although it can work on VMs (especially for testing) provided that the hardware-assisted CPU virtualization feature is exposed by the host to the guest VM.
More information on system requirements for this feature can be found at this link:
System requirements for Windows Defender Application Guard (Windows 10) | Microsoft Docs
Note #2: In the Windows 10 Release 1703 Administrative Templates, this setting was initially named Turn On/Off Windows Defender Application Guard (WDAG), but it was renamed starting with the Windows 10 Release 1803 Administrative Templates.
Rationale:
Application Guard uses Windows Hypervisor to create a virtualized environment for apps that are configured to use virtualization-based security isolation. While in isolation, improper user interactions and app vulnerabilities cant compromise the kernel or any other apps running outside of the virtualized environment.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
Impact:
Application Guard will be turned on.
Default Value:
Disabled. (Application Guard is turned off.)
CIS Controls:
Version 6
13 Data Protection
Data Protection
Version 7
13 Data Protection
Data Protection