Details
This policy setting allows you to configure required actions and validations that enable users to trust files that open in Windows Defender Application Guard (WDAG). Upon successful completion, the files will open on the host.
The recommended state for this setting is: Enabled: 0 OR Enabled: 2.
Note: WDAG requires a 64-bit version of Windows and a CPU supporting hardware-assisted CPU virtualization (Intel VT-x or AMD-V). This feature is not officially supported on virtual hardware, although it can work on VMs (especially for testing) provided that the hardware-assisted CPU virtualization feature is exposed by the host to the guest VM.
More information on system requirements for this feature can be found at this link:
System requirements for Windows Defender Application Guard (Windows 10) | Microsoft Docs
Rationale:
Ensuring that files have been properly scanned before being opened can help prevent malicious files from being opened on a system.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: 0 OR Enabled: 2:
Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsWindows Defender Application GuardAllow users to trust files that open in Windows Defender Application Guard
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer).
Impact:
Users will not be allowed to manually trust files without a prior antivirus check.
Default Value:
Disabled. (Users will not be able to trust files that open in Windows Defender Application Guard.)
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Windows.