Details
This policy setting enables application isolation through Windows Defender Application Guard (Application Guard).
There are 4 options available:
Disable Windows Defender Application Guard
Enable Windows Defender Application Guard for Microsoft Edge ONLY
Enable Windows Defender Application Guard for Microsoft Office ONLY
Enable Windows Defender Application Guard for Microsoft Edge AND Microsoft Office
The recommended state for this setting is: Enabled: 1 (Enable Windows Defender Application Guard for Microsoft Edge ONLY).
Note: WDAG requires a 64-bit version of Windows and a CPU supporting hardware-assisted CPU virtualization (Intel VT-x or AMD-V). This feature is not officially supported on virtual hardware, although it can work on VMs (especially for testing) provided that the hardware-assisted CPU virtualization feature is exposed by the host to the guest VM.
More information on system requirements for this feature can be found at this link:
System requirements for Windows Defender Application Guard (Windows 10) | Microsoft Docs
Note #2: At time of publication, Windows Defender Application Guard (WDAG) in all currently released versions of Windows 10 does not yet support protection for Microsoft Office, only for Microsoft Edge. Therefore the additional available options of 2 and 3 in this setting are not yet valid.
Rationale:
Windows Defender Application Guard (WDAG) uses Windows Hypervisor to create a virtualized environment for apps that are configured to use virtualization-based security isolation. While in isolation, improper user interactions and app vulnerabilities can’t compromise the kernel or any other apps running outside of the virtualized environment.
Solution
To establish the recommended configuration via GP, set the following UI path to Enabled: 1:
Computer ConfigurationPoliciesAdministrative TemplatesWindows ComponentsWindows Defender Application GuardTurn on Windows Defender Application Guard in Enterprise Mode
Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1703 Administrative Templates (or newer).
Impact:
Windows Defender Application Guard (WDAG) will be turned on for Microsoft Edge.
Note: WDAG requires the Internet Connection Sharing (ICS) (SharedAccess) service in order to operate, so an exception to disabling this service (see Section 5) will be required if choosing to enable WDAG.
Default Value:
Disabled. (Windows Defender Application Guard (WDAG) is turned off.)
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: System and Information Integrity.This control applies to the following type of system Windows.