Microsoft Defender Application Guard for Office is a new security feature designed to load untrusted Office documents, e.g. an Excel spreadsheet downloaded from the Internet, in an isolated environment to keep the underlying system and its data protected against potential attacks.
The security feature is based on Microsoft Defender Application Guard, which is designed to load untrusted sites in an isolated container using automated and standalone modes. Automated mode, called Enterprise Management Mode, has an admin define trusted sites through GPO or other management interfaces. These sites are loaded normally on the system while all other sites are considered untrusted and therefore launched in the virtual environment.
Standalone mode on the other hand has the user launch Microsoft Defender Application Guard manually to use it.
Microsoft Defender Application Guard for Office attempts to address threats that exploit weaknesses in Microsoft Office that relate to the supported documents or its features. The core idea is to launch untrusted files in a safe environment to avoid interactions with the host system, its data, and the network.
Office users can still view, edit, print, and save documents in the Office application.
Microsoft Office will open files from potentially unsafe locations in Microsoft Defender Application Guard, a secure container, that is isolated from the device through hardware-based virtualization. When Microsoft Office opens files in Microsoft Defender Application Guard, a user can then securely read, edit, print, and save the files without having to re-open files outside of the container.
Microsoft Defender Application Guard for Office has the following hardware and software requirements:
Microsoft limits the feature to Enterprise versions of Windows 10 and customers who are subscribed to either Microsoft 365 E5 or E5 Security.
Microsoft Defender Application Guard needs to be enabled on the system using the Windows Features interface or by executing the following PowerShell command: Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
Administrators need to open the Group Policy Editor and turn the Microsoft Defender Application Guard policy on. It is found under Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard and needs to be set to 2 or 3.
Now launch an untrusted document, e.g. one downloaded from the Internet, to verify that Application Guard for Office has been set up correctly. You should get a "To keep you safe, we're opening this document in Application Guard" notice.
The title bar of the interface should display the Application Guard icon which indicates that it is loaded in a virtual environment as well.
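The feature-enablement step above can be made repeatable with a script that checks the edition and the current feature state before changing anything. This is an added example, not code from the article or from Microsoft; it covers only the Windows feature and does not check the Microsoft 365 license or the Group Policy setting.

```powershell
#Requires -RunAsAdministrator
# Added example: idempotent check-and-enable for the Application Guard Windows feature.
# Run from an elevated PowerShell session on the target machine.

$featureName = 'Windows-Defender-ApplicationGuard'   # feature name given in the article

# The article limits the feature to Enterprise editions of Windows 10.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Caption -notmatch 'Enterprise') {
    Write-Warning "Edition '$($os.Caption)' is not Enterprise; skipping."
    return
}

# Query the current state; an unknown feature name raises an error on this build.
try {
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction Stop
}
catch {
    Write-Warning "Feature '$featureName' is not offered on this system: $($_.Exception.Message)"
    return
}

switch ("$($feature.State)") {
    'Enabled' {
        Write-Output "$featureName is already enabled; nothing to do."
    }
    'EnablePending' {
        Write-Output "$featureName is enabled but waiting for a restart."
    }
    default {
        # -NoRestart leaves the reboot decision to the administrator.
        $result = Enable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart
        if ($result.RestartNeeded) {
            Write-Output "$featureName enabled; restart the machine to finish setup."
        }
        else {
            Write-Output "$featureName enabled; no restart required."
        }
    }
}
```

After the restart and the policy change, opening an untrusted document as described above remains the functional test.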
Microsoft Defender Application Guard for Office eliminates many Office document related attack vectors when deployed on user systems. It would be great if Microsoft would make the feature available to all customers, and not just Enterprise customers, but the chance of this happening is not very high.
Home users may use other virtualization software, e.g. Sandboxie or virtual machines, to load untrusted files.
Check out Microsoft's Docs website for additional information.
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.