18.10.43.4 (NG) Ensure 'Allow files to download and save to the host operating system from Microsoft Defender Application Guard' is set to 'Disabled'

Information

This policy setting determines whether to save downloaded files to the host operating system from the Microsoft Defender Application Guard container.

The recommended state for this setting is: Disabled

Note: Microsoft Defender Application Guard requires a 64-bit version of Windows and a CPU supporting hardware-assisted CPU virtualization (Intel VT-x or AMD-V). This feature is not officially supported on virtual hardware, although it can work on VMs (especially for testing) provided that the hardware-assisted CPU virtualization feature is exposed by the host to the guest VM.

More information on system requirements for this feature can be found at

System requirements for Microsoft Defender Application Guard (Windows 10) | Microsoft Docs

Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.

The primary purpose of Microsoft Defender Application Guard is to present a 'sandboxed container'. Potentially malicious files should not be copied to the host OS from the sandboxed environment, which could put the host at risk.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled :

Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow files to download and save to the host operating system from Microsoft Defender Application Guard

Note: This Group Policy path is provided by the Group Policy template AppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1803 Administrative Templates (or newer).

Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named

Allow files to download and save to the host operating system from Windows Defender Application Guard

, but it was renamed to

Allow files to download and save to the host operating system from Microsoft Defender Application Guard

starting with the Windows 10 Release 2004 Administrative Templates.

Impact:

None - this is the default behavior.

See Also

https://workbench.cisecurity.org/benchmarks/17129

Item Details

Category: CONFIGURATION MANAGEMENT

References: 800-53|CM-6, 800-53|CM-7, CSCv7|8.3

Plugin: Windows

Control ID: 74d20e83d63418e13bbec3b91da88ba2e810892c934766774d758f51dc3f181b