“Microsoft Defender Application Guard for Office (Application Guard for Office) helps prevent untrusted files from accessing trusted resources, keeping your enterprise safe from new and emerging attacks.”
This is a new, highly sought-after feature which helps organizations prevent malicious attachments from executing on their systems.
There are some prerequisites which you must meet in order to implement this feature:
Minimum hardware requirements:
- CPU: 64-bit, 4 cores (physical or virtual), virtualization extensions (Intel VT-x OR AMD-V), Core i5 equivalent or higher recommended.
- Physical Memory: 8 GB RAM
- Hard disk: 10 GB of free space on the system drive (SSD recommended)
Minimum software requirements:
- Windows 10: Windows 10 Enterprise Edition, client build 2005 (20H1) build 19041 or later
- Office: Office Current Channel Build version 2011 16.0.13530.10000 or later
- Update package: Windows 10 cumulative monthly security update KB4571756
Licensing requirements:
- Microsoft 365 E5 or Microsoft 365 E5 Security
Once all the prerequisite boxes are checked, we can look into enabling the feature.
Enable Application Guard for Office
1. Download and install the Windows 10 cumulative monthly security update KB4571756.
2. Select Microsoft Defender Application Guard under Windows Features and select OK. Enabling the Application Guard feature will prompt a system reboot. You can choose to reboot now or after step 3.
   The feature can also be enabled by running the following PowerShell command as administrator:
   Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
3. Search for Microsoft Defender Application Guard in Managed Mode, a group policy in Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard. Turn on this policy by setting the value under Options to 2 or 3, and then selecting OK or Apply.
   Alternatively, you can set the corresponding CSP policy:
   OMA-URI: ./Device/Vendor/MSFT/WindowsDefenderApplicationGuard/Settings/AllowWindowsDefenderApplicationGuard
   Data type: Integer
   Value: 2
4. Restart the system.
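To verify the prerequisites listed above and the feature state from step 2 before rolling this out, here is an added pre-flight script (my own example, not part of the original post or Microsoft's documentation). It assumes a Click-to-Run Office install under the default Office16 path and is run from an elevated PowerShell prompt; it does not read the Group Policy or CSP value from step 3.

```powershell
# Added example: pre-flight check for the Application Guard for Office prerequisites.
# Run as administrator. Assumed default Office path; adjust $winword if Office lives elsewhere.
$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}

$cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
$cs   = Get-CimInstance Win32_ComputerSystem
$os   = Get-CimInstance Win32_OperatingSystem
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

# Hardware: 64-bit, 4 cores, VT-x/AMD-V usable, 8 GB RAM, 10 GB free on the system drive
Add-Check '64-bit OS' ($os.OSArchitecture -like '64*') $os.OSArchitecture
Add-Check '4+ cores' ($cpu.NumberOfCores -ge 4) "$($cpu.NumberOfCores) cores"
$virt = [bool]$cpu.VirtualizationFirmwareEnabled -or [bool]$cs.HypervisorPresent
Add-Check 'Virtualization extensions' $virt "FirmwareEnabled=$($cpu.VirtualizationFirmwareEnabled) HypervisorPresent=$($cs.HypervisorPresent)"
$ramGB = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
Add-Check '8 GB RAM' ($ramGB -ge 7.5) "$ramGB GB"   # 8 GB systems report slightly under 8 GB
$freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
Add-Check '10 GB free on system drive' ($freeGB -ge 10) "$freeGB GB free on $($disk.DeviceID)"

# Software: Enterprise edition, build 19041 (20H1) or later, Office 16.0.13530.10000 or later
Add-Check 'Windows 10 Enterprise' ($os.Caption -match 'Enterprise') $os.Caption
Add-Check 'Build 19041+' ([int]$os.BuildNumber -ge 19041) "Build $($os.BuildNumber)"
$winword = Join-Path $env:ProgramFiles 'Microsoft Office\root\Office16\WINWORD.EXE'  # assumed path
if (Test-Path $winword) {
    $ver = [version](Get-Item $winword).VersionInfo.FileVersion
    Add-Check 'Office 16.0.13530.10000+' ($ver -ge [version]'16.0.13530.10000') "$ver"
} else {
    Add-Check 'Office installed' $false "WINWORD.EXE not found at $winword"
}
# KB4571756 is superseded by later cumulative updates, so treat this as informational;
# the build-number check above is the reliable indicator.
$kb = Get-HotFix -Id KB4571756 -ErrorAction SilentlyContinue
Add-Check 'KB4571756 listed by Get-HotFix' ([bool]$kb) $(if ($kb) { "Installed $($kb.InstalledOn)" } else { 'Not listed (may be superseded)' })

# Feature state (step 2): the optional feature must report Enabled
$feat = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
Add-Check 'Windows-Defender-ApplicationGuard feature' ($feat.State -eq 'Enabled') "$($feat.State)"

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more prerequisites are not met.' }
```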
Set Diagnostics & feedback to send full data (Optional)
1. Open Settings from the Start menu.
2. On Windows Settings, select Privacy.
3. Under Privacy, select Diagnostics & feedback and select Optional diagnostic data.
Confirm that Application Guard for Office is enabled and working
To confirm that Application Guard for Office is enabled, launch Word, Excel, or PowerPoint, and then open an untrusted document. For example, you can open a document that was downloaded from the internet or an email attachment from someone outside your organization.
When you first open an untrusted file, you may see an Office splash screen like the following example. It might be displayed for some time while Application Guard for Office is being activated and the file is being opened. Subsequent openings of untrusted files should be faster.
Once opened, the file should display a few visual indicators that it was opened inside Application Guard for Office:
- A callout in the ribbon
- The application icon with a shield in the taskbar
And that's it, this is how you can enable Application Guard for Office. Stay safe out there!