18.9.48.2 Ensure 'Allow camera and microphone access in Microsoft Defender Application Guard' is set to 'Disabled'

Information

The policy allows you to determine whether applications inside Microsoft Defender Application Guard can access the device's camera and microphone.

The recommended state for this setting is: Disabled.

Note: Microsoft Defender Application Guard requires a 64-bit version of Windows and a CPU supporting hardware-assisted CPU virtualization (Intel VT-x or AMD-V). This feature is not officially supported on virtual hardware, although it can work on VMs (especially for testing) provided that the hardware-assisted CPU virtualization feature is exposed by the host to the guest VM.

More information on system requirements for this feature can be found at System requirements for Microsoft Defender Application Guard (Windows 10) | Microsoft Docs

Note #2: Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs.

Rationale:

In effort to stop sensitive information from being obtained for malicious use, untrusted sites within the Microsoft Defender Application Guard container should not be accessing the computers microphone or camera.

Impact:

This is the default value so impact should be minimal to enforce this setting.

Solution

To establish the recommended configuration via GP, set the following UI path to Disabled

Computer Configuration\Policies\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Allow camera and microphone access in Microsoft Defender Application Guard

Note: This Group Policy path may not exist by default. It is provided by the Group Policy template AppHVSI.admx/adml that is included with the Microsoft Windows 10 Release 1809 & Server 2019 Administrative Templates (or newer).

Note #2: In older Microsoft Windows Administrative Templates, this setting was initially named Allow camera and microphone access in Windows Defender Application Guard, but it was renamed to Allow camera and microphone access in Microsoft Defender Application Guard starting with the Windows 10 Release 2004 Administrative Templates.

Default Value:

Disabled. (Applications inside Microsoft Defender Application Guard will be unable to access the camera and microphone on the user's device.)

See Also

https://workbench.cisecurity.org/files/4167

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-4, CSCv7|9.2

Plugin: Windows

Control ID: 2db24806c8dd8d30a1a4c1c1241d704254ea0c22aae48c8ff8011dbbeafb18f6