Microsoft is working to improve the security of its ever-expanding ecosystem. One of the core products is Microsoft Defender, which is part of the Windows Security suite. Microsoft recently released a new product for Office called Microsoft Defender Application Guard. Honestly that’s a long name, but what is it?
Microsoft Defender Application Guard was released last year. As useful as this feature is, it received little attention from both the press and users. This year, Microsoft took a step forward in incorporating, as the name suggests, a suite of Office apps into the product.
For sanity’s sake, we’ll call it Application Guard, just like Microsoft does in their documentation. Let’s learn more about this feature and how to enable it.
Let’s start.
What is Application Protection?
Microsoft has released Application Guard to protect users from ’emerging threats’ by isolating hardware in use. This reminds me of the sandbox tool.
Developed for Microsoft Edge browser and Windows 10 computers. Clicking on the wrong link or opening another malware or virus infected site can harm not only the system accessing it, but any other system connected to the server.
The administrator now whitelists sites and other resources that are considered safe, making all other sites unreliable.
Here’s how it works.
Let’s say you opened a site that is not on the list. Edge will open this site in a Hyper-V container isolated from the host operating system. No malware or virus leaves the container. This preserves data and its integrity.
What is Application Protection for Office 365?
Websites and cloud resources aren’t the only things employees access while surfing the wild web. There are also Office documents and other files that you work with on a daily basis. What about them? Application Guard for Office was released with this in mind. Think of it as a plugin.
Application Guard for Office protects your computer and connected corporate server from untrusted and infected files. Microsoft strangely calls them ‘new and emerging threats’. The basic concept remains the same where files are opened in a secure and isolated container using hardware virtualization.
Once the file is opened in the container, you can read, edit, print, and interact with it like a regular file.
Prerequisites
There are some system requirements for this to work. Them:
- Intel Core i5 or equivalent
- 64-bit architecture, minimum 4 cores with virtualization extension (Intel VT-x OR AMD-V)
- 8GB of RAM
- Preferably 10GB of space on SSD
- Windows 10 Enterprise edition, build version 2004
How to Enable Application Protection for Office
I hope you have checked the hardware and software system requirements. You will now need to download KB4571756 and install it on your computer before it displays the correct options.
The process for enabling or disabling this feature is the same as for sandboxing or virtualization.
Stage 1: Search for and open Control Panel from the start menu.
Step 2: Search for and open Turn Windows features on or off.
Stage 3: Find the Microsoft Defender Application Guard option in the following popup and enable it.
Remember to save all changes before exiting.
For those who can’t find this option in Control Panel or who like to work with command line, you can also enable it from PowerShell. Make sure you open PowerShell with administrator rights and then issue the command:
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
Step 4: Search for Group Policy Editor from the start menu and open it.
Step 5: Check out the suggested folder structure below.
Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard
Double click on ‘Turn on Microsoft Defender Application Protection in Managed Mode’ to turn it on.
Step 6: You will now select Enabled and set the Options value to 2 as seen in the screenshot below.
Click Apply and save all changes.
Step 7: Finally, open Settings > Privacy > Diagnostics & feedback. If not already done, select Optional diagnostic data.
How do you know if it’s working or not? Simple. Open any Word document that is not in your whitelist (untrusted) and you should notice this message:
To keep you safe, we open this document in Application Protection.
Also, there should be a shield icon above the Word icon in the Taskbar.
Watch
I’ve been impressed with the way Microsoft has taken care of its security over the past few years. I regularly use Sandbox mode to test apps, open sites and try new hacks in a secure environment. Microsoft Defender Application Guard adds more options for enterprise users who have a lot to lose when their servers or systems are compromised. This is another tool in your arsenal to fight against hackers. While it will never be a permanent solution, the best we can do is stay vigilant and keep them away.
Next: Want to protect yourself even more? Here is a guide with 6 important tips on protecting your data from viruses and malware.
