“Microsoft Defender Application Guard for Office (Application Guard for Office) helps prevent untrusted files from accessing trusted resources, keeping your enterprise safe from new and emerging attacks.”
This a new, highly sought after feature which will help organizations to prevent malicious attachments from being executed on your systems.
There are some prerequisites which you must achieve in order to implement this feature:
Minimum hardware requirements:
- CPU: 64-bit, 4 cores (physical or virtual), virtualization extensions (Intel VT-x OR AMD-V), Core i5 equivalent or higher recommended.
- Physical Memory: 8 GB RAM
- Hard disk: 10 GB of free space on the system drive (SSD recommended)
Minimum software requirements:
- Windows 10: Windows 10 Enterprise Edition, client build 2005 (20H1) build 19041 or later
- Office: Office Current Channel Build version 2011 16.0.13530.10000 or later
- Update package: Windows 10 cumulative monthly security update KB4571756
- Microsoft 365 E5 or Microsoft 365 E5 Security
Once there are “checks in all boxes” with regards to the prereqs we can now look into enabling the feature.
Enable Application Guard for Office
- Download and install Windows 10 cumulative monthly security updates KB4571756.
- Select Microsoft Defender Application Guard under Windows Features and select OK. Enabling the Application Guard feature will prompt a system reboot. You can choose to reboot now or after step 3.
The feature can also be enabled by running the following PowerShell command as administrator:
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
3. Search for Microsoft Defender Application Guard in Managed Mode, a group policy in Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard. Turn on this policy by setting the value under Options as 2 or 3, and then selecting OK or Apply.
Instead, you can set the corresponding CSP policy:
Data type: Integer
4. Restart the system
Set Diagnostics & feedback to send full data (Optional)
- Open Settings from the Start menu.
2. On Windows Settings, select Privacy.
3. Under Privacy, select Diagnostics & feedback and select Optional diagnostic data.
Confirm that Application Guard for Office is enabled and working
To confirm that Application Guard for Office is enabled, launch Word, Excel, or PowerPoint, and then open an untrusted document. For example, you can open a document that was downloaded from the internet or an email attachment from someone outside your organization.
When you first open an untrusted file, you may see an Office splash screen like the following example. It might be displayed for some time while Application Guard for Office is being activated and the file is being opened. Subsequent openings of untrusted files should be faster.
Upon being opened, the file should display a few visual indicators that the file was opened inside Application Guard for Office:
- A callout in the ribbon
- The application icon with a shield in the taskbar
And that´s it, this is how you can enable Application Guard for Office. Stay safe out there!