18.9.48.3 Ensure 'Allow data persistence for Microsoft Defender Application Guard' is set to 'Disabled'

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This policy setting allows you to decide whether data should persist across different sessions in Microsoft Defender Application Guard.

The recommended state for this setting is: Disabled.

Note: Microsoft Defender Application Guard requires a 64-bit version of Windows and a CPU supporting hardware-assisted CPU virtualization (Intel VT-x or AMD-V). This feature is not officially supported on virtual hardware, although it can work on VMs (especially for testing) provided that the hardware-assisted CPU virtualization feature is exposed by the host to the guest VM.

More information on system requirements for this feature can be found at System requirements for Microsoft Defender Application Guard (Windows 10) | Microsoft Docs

Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.

Rationale:

The primary purpose of Microsoft Defender Application Guard is to present a 'sandboxed container' for visiting untrusted websites. If data persistence is allowed, then it reduces the effectiveness of the sandboxing, and malicious content will be able to remain active in the Microsoft Defender Application Guard container between sessions.

Impact:

None - this is the default behavior.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled:

Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow data persistence for Microsoft Defender Application Guard

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1709 Administrative Templates (or newer).

Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow data persistence for Windows Defender Application Guard, but it was renamed to Allow data persistence for Microsoft Defender Application Guard starting with the Windows 10 Release 2004 Administrative Templates.

Default Value:

Disabled. (Microsoft Defender Application Guard deletes all user data within the Microsoft Defender Application Guard container.)

See Also

https://workbench.cisecurity.org/files/3714