Microsoft Defender Application Guard for Office explained
Microsoft Defender Application Guard for Office is a new security feature designed to load untrusted Office documents, e.g. an Excel spreadsheet downloaded from the Internet, in an isolated environment to keep the underlying system and its data protected against potential attacks.
The security feature is based on Microsoft Defender Application Guard, which is designed to load untrusted sites in an isolated container using automated and standalone modes. Automated mode, called Enterprise Management Mode, has an admin define trusted sites through GPO or other management interfaces. These sites are loaded normally on the system while all other sites are considered untrusted and therefore launched in the virtual environment.
Standalone mode on the other hand has the user launch Microsoft Defender Application Guard manually to use it.
Microsoft Defender Application Guard for Office attempts to address threats that exploit weaknesses in Microsoft Office related to the supported document formats or their features. The core idea is to launch untrusted files in a safe environment to avoid interactions with the host system, its data, and the network.
Office users can still view, edit, print, and save documents in the Office application.
Microsoft Office will open files from potentially unsafe locations in Microsoft Defender Application Guard, a secure container, that is isolated from the device through hardware-based virtualization. When Microsoft Office opens files in Microsoft Defender Application Guard, a user can then securely read, edit, print, and save the files without having to re-open files outside of the container.
Microsoft Defender Application Guard for Office has the following hardware and software requirements:
- 64-bit processor with at least 4 cores (physical or virtual), virtualization extensions (Intel VT-x or AMD-V), Core i5 or higher.
- 8 Gigabytes of memory.
- 10 Gigabytes of free hard disk space.
- Windows 10 version 2004 build 19041 or later, Enterprise edition only.
- Licensing requirement: Microsoft 365 E5 or E5 Security.
- Office Beta Channel build version 2008 or later.
- KB4566782 installed.
Microsoft limits the feature to Enterprise versions of Windows 10 and customers who are subscribed to either Microsoft 365 E5 or E5 Security.
Microsoft Defender Application Guard needs to be enabled on the system using the Windows Features interface or by executing the following PowerShell command from an elevated prompt:
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
Administrators need to open the Group Policy Editor and turn the Microsoft Defender Application Guard policy on. It is found under Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard and needs to be set to 2 or 3.
- 2 enables Microsoft Defender Application Guard for isolated Windows environments ONLY.
- 3 enables Microsoft Defender Application Guard for Microsoft Edge and isolated Windows environments.
Now launch an untrusted document, e.g. one downloaded from the Internet, to verify that Application Guard for Office has been set up correctly. You should get a “To keep you safe, we’re opening this document in Application Guard” notice.
The title bar of the interface should display the Application Guard icon which indicates that it is loaded in a virtual environment as well.
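Before working through the steps above, it helps to confirm that a machine actually meets the requirements listed earlier. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes the system drive is C: and that it is run from an elevated prompt (Get-WindowsOptionalFeature needs administrator rights).

```powershell
# Added example: checks the Application Guard for Office prerequisites listed in the article.
# Assumptions: elevated PowerShell prompt, system drive is C:.
function Test-AppGuardPrereqs {
    $results = [ordered]@{}

    $cpu = Get-CimInstance -ClassName Win32_Processor
    $cs  = Get-CimInstance -ClassName Win32_ComputerSystem
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $sys = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='C:'"

    $cores = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
    $results['64-bit OS']          = $os.OSArchitecture -like '64*'
    $results['4+ cores']           = $cores -ge 4
    # Once a hypervisor is already running, WMI reports VirtualizationFirmwareEnabled
    # as False, so accept either the firmware flag or a present hypervisor.
    $results['VT-x/AMD-V']         = [bool]($cpu | Where-Object VirtualizationFirmwareEnabled) -or
                                     [bool]$cs.HypervisorPresent
    # TotalPhysicalMemory excludes firmware-reserved memory, so allow a small margin.
    $results['8 GB RAM']           = $cs.TotalPhysicalMemory -ge 7.5GB
    $results['10 GB free on C:']   = $sys.FreeSpace -ge 10GB
    $results['Build 19041+']       = [int]$os.BuildNumber -ge 19041
    $results['Enterprise edition'] = $os.Caption -match 'Enterprise'
    $results['KB4566782']          = [bool](Get-HotFix -Id KB4566782 -ErrorAction SilentlyContinue)

    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    $results['MDAG feature on']    = $feature.State -eq 'Enabled'

    foreach ($check in $results.GetEnumerator()) {
        $status = if ($check.Value) { 'PASS' } else { 'FAIL' }
        Write-Host ('{0,-20} {1}' -f $check.Key, $status)
    }
    # $true only when every requirement is met.
    return -not ($results.Values -contains $false)
}

if (-not (Test-AppGuardPrereqs)) {
    Write-Warning 'One or more requirements are not met; resolve them before setting the policy.'
}
```

The Office channel and build requirement is not checked here, so verify it in Office's account settings separately.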
Microsoft Defender Application Guard for Office eliminates many Office document-related attack vectors when deployed on user systems. It would be great if Microsoft would make the feature available to all customers, and not just Enterprise customers, but the chance of this happening is not very high.
Home users may use other virtualization software, e.g. Sandboxie or virtual machines, to load untrusted files.
Check out Microsoft’s Docs website for additional information.