18.10.43.6 (L1) Ensure 'Turn on Microsoft Defender Application Guard in Managed Mode' is set to 'Enabled: 1'

Information

This policy setting enables application isolation through Microsoft Defender Application Guard (Application Guard).

There are 4 options available:

- <xhtml:ol start='0'> - Disable Microsoft Defender Application Guard

-
- Enable Microsoft Defender Application Guard for Microsoft Edge ONLY

- <xhtml:ol start='2'> - Enable Microsoft Defender Application Guard for Microsoft Office ONLY

- <xhtml:ol start='3'> - Enable Microsoft Defender Application Guard for Microsoft Edge AND Microsoft Office

The recommended state for this setting is: Enabled: 1 (Enable Microsoft Defender Application Guard for Microsoft Edge ONLY).

Note: Microsoft Defender Application Guard requires a 64-bit version of Windows and a CPU supporting hardware-assisted CPU virtualization (Intel VT-x or AMD-V). This feature is not officially supported on virtual hardware, although it can work on VMs (especially for testing) provided that the hardware-assisted CPU virtualization feature is exposed by the host to the guest VM.

More information on system requirements for this feature can be found at

System requirements for Microsoft Defender Application Guard (Windows 10) | Microsoft Docs

Note #2: At time of publication, Microsoft Defender Application Guard in all currently released versions of Windows 10 does not yet support protection for Microsoft Office, only for Microsoft Edge. Therefore the additional available options of 2 and 3 in this setting are not yet valid.

Note #3: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.

Microsoft Defender Application Guard uses Windows Hypervisor to create a virtualized environment for apps that are configured to use virtualization-based security isolation. While in isolation, improper user interactions and app vulnerabilities can't compromise the kernel or any other apps running outside of the virtualized environment.

Solution

To establish the recommended configuration via GP, set the following UI path to Enabled: 1 :

Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode

Note: This Group Policy path is provided by the Group Policy template AppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).

Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named

Turn on Windows Defender Application Guard in Enterprise Mode

, but it was renamed to

Turn on Windows Defender Application Guard in Managed Mode

starting with the Windows 10 Release 1903 Administrative Templates. It was again renamed to

Turn on Microsoft Defender Application Guard in Managed Mode

starting with the Windows 10 Release 2004 Administrative Templates.

Impact:

Microsoft Defender Application Guard will be turned on for Microsoft Edge.

Note: This setting was moved from the Next Generation (NG) profile to the Level 1 (L1) profile for the Windows 11 Operating System only NG profile settings were isolated from the L1 profile due to potential hardware compatibility issues. The Windows 11 Operating System is dependent on the same hardware as the NG settings, so hardware compatibility is no longer an issue.

Note #2: Microsoft Defender Application Guard requires the

Internet Connection Sharing (ICS) (SharedAccess)

service in order to operate, so an exception to disabling this service (see Section 5 in the CIS Microsoft Windows 10 benchmark only) will be required if choosing to enable Microsoft Defender Application Guard.

See Also

https://workbench.cisecurity.org/benchmarks/17603

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16, CSCv7|8.3

Plugin: Windows

Control ID: 3def201166550cc7a0628458a8e3db648cbf1ee204d6e8dc69c1f14ae9f83b46