Microsoft has launched a public preview of 'Microsoft Defender Application Guard for Office,' a defensive technology that quarantines untrusted Office documents so that attack code carried by malicious files can't reach the operating system or its applications.

On Monday, a senior cybersecurity engineer with the Redmond, Wash. company explained how Application Guard for Office worked and more importantly, walked customers through its operation – something that existing documentation omitted when the public preview was launched late last month.

'Microsoft Office will open files from potentially unsafe locations in Microsoft Defender Application Guard, a secure container that is isolated from the device through hardware-based virtualization,' John Barbare wrote in a post to a Microsoft blog. 'When Microsoft Office opens files in Microsoft Defender Application Guard, a user can then securely read, edit, print, and save the files without having to re-open files outside of the container.'

Application Guard has some history. The feature debuted in 2018 and was originally designed for Edge, Microsoft's Windows 10 browser. (We're talking about the original Edge here, the one using Microsoft's own technologies, including the EdgeHTML rendering engine.)

Application Guard creates a disposable instance of both Windows and Edge – very condensed versions of the OS and the browser – in a virtual machine run by Hyper-V, the hypervisor built into Windows. Nearly every channel between that virtual machine and the host is bricked up, barring almost all interaction between the web session and the physical device; what remains (clipboard, printing, file save) is governed by policy rather than open by default.

Users can then browse in a more secure environment because it prevents malware from reaching the real operating system and real applications on the real device (as opposed to the virtual instance). When the user is finished, the virtualized Windows+Edge is discarded. Think of it as a very brutal quarantine that erases the patient if he or she gets sick.

Application Guard for Office works in much the same way, but rather than protect Edge, it isolates certain files opened in Word, Excel or PowerPoint. Files from the general Internet, from intranet domains that have not been marked as trusted, from other potentially unsafe locations, and attachments received via Outlook are opened in a virtualized environment, or sandbox, where malicious code can't wreak havoc. Because that sandbox is a separate virtual machine rather than a restricted process on the host, an exploit that escapes Office itself still has the hypervisor boundary to cross before it reaches the real system.

For the public preview, customers must be running Windows 10 Enterprise version 2004 or later, the Office Beta Channel version 2008 (build 16.0.13212) or later, this update, and a license for Microsoft 365 E5 (the most comprehensive, most expensive edition) or Microsoft 365 E5 Mobility + Security.

Unlike the much older Protected View, another Office defensive feature, which opens potentially dangerous documents as read-only inside a restricted process, files opened in Application Guard can be manipulated. They can be printed, edited and saved. Saving does not clear their untrusted status, however: a saved file remains in the isolation container and, when reopened later, is again quarantined in that sandbox.

Word, Excel or PowerPoint indicates that the current document has been opened within Application Guard with several visual signals, including a notice in the app's ribbon and a distinctly marked icon in the Windows taskbar.

If the user decides to definitely trust the document – which may be the weak link in Application Guard's protections – he or she can move it out of quarantine and deposit it in a local or network folder. (Confirmations are required here, though, so at least the user is prompted to reconsider before pulling the trust trigger.)

IT administrators can control much of this, and more, through Application Guard's configuration settings, which range from copy-paste (allow/not allow) and printing (limit to, say, print-as-PDF only) to making it even more difficult for employees to open a file outside of Application Guard.

Barbare's blog post should be valuable to both users and IT admins.

Technically savvy workers could be pointed to the post for both the background of Application Guard and the workings of the Office-specific edition now available as public preview. (This assumes that IT switches on Application Guard via group policy or a PowerShell command.) Armed with the post, they could be let loose without any assistance.
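As an added illustration of the enabling step mentioned above and the clipboard and printing restrictions described earlier, the following PowerShell script is not from the article or from Barbare's post; it is example code written for this page. The optional-feature name and the Get-ComputerInfo properties are real, documented cmdlet inputs. The registry path and value names under AppHVSI are the local-policy equivalents of the Application Guard group policies as I recall them from the ADMX, and should be checked against the AppHVSI.admx shipped with your Windows build before deployment.

```powershell
# Added example (not from the original article or Microsoft's blog post).
# Run from an elevated PowerShell session on Windows 10 Enterprise 2004 or later.
# Registry value names under AppHVSI are assumed from the ADMX and must be
# verified against your own AppHVSI.admx before use in production.

# 1. Pre-flight: Application Guard needs a 64-bit CPU with hardware
#    virtualization (VT-x/AMD-V) and SLAT enabled in firmware.
#    Note: if a hypervisor is already running, the requirement flags can be $null.
$ci = Get-ComputerInfo -Property 'HyperV*'
$ci | Format-List
if (-not $ci.HyperVisorPresent -and -not $ci.HyperVRequirementVirtualizationFirmwareEnabled) {
    throw 'Virtualization is disabled in firmware; enable it in UEFI before continuing.'
}

# 2. Turn on the Windows optional feature (a reboot is required afterwards).
$featureName = 'Windows-Defender-ApplicationGuard'
$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart | Out-Null
}

# 3. Local-policy equivalent of the GPO "Turn on Microsoft Defender Application
#    Guard in Managed Mode" plus the clipboard and printing policies.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
New-Item -Path $policy -Force | Out-Null

# AllowAppHVSI_ProviderSet: 1 = Edge only, 2 = Office only, 3 = Edge and Office.
Set-ItemProperty -Path $policy -Name 'AllowAppHVSI_ProviderSet' -Type DWord -Value 2

# Clipboard (assumed value name): 0 blocks copy/paste in both directions,
# the tightest setting and the safest default for untrusted documents.
Set-ItemProperty -Path $policy -Name 'AppHVSIClipboardSettings' -Type DWord -Value 0

# Printing (assumed value name): bit flags 1 = XPS, 2 = PDF, 4 = local printers,
# 8 = network printers. A value of 2 limits users to print-to-PDF, the example
# restriction the article mentions.
Set-ItemProperty -Path $policy -Name 'AppHVSIPrintingSettings' -Type DWord -Value 2

# 4. Read back what was written. This confirms the policy values exist, not that
#    Office is honouring them; test that by opening an Internet-sourced document.
Get-ItemProperty -Path $policy |
    Select-Object AllowAppHVSI_ProviderSet, AppHVSIClipboardSettings, AppHVSIPrintingSettings
```

In a managed environment the same values would normally come from a domain GPO or an MDM profile rather than a script, and the Office-side settings (which file sources count as untrusted, whether users may remove the restriction) are configured separately through Office policy; the script above only covers the Windows host side.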

IT administrators preparing their charges for the roll-out of Application Guard could use Barbare's post to construct help desk documents and how-tos to distribute to those who will use the feature, repurposing his screenshots, for instance, or using them as a guide to craft company-specific step-by-step instructions.

(There are several bits of Application Guard documentation on Microsoft's site, but the best is this 'Application Guard for Office (public preview) for admins,' which was also posted Monday.)

Barbare did not say when Application Guard for Office will wrap up the public preview and shift to general availability for Windows 10 Enterprise and Microsoft 365 E5 users. (Or perhaps others as well; Microsoft began Application Guard as a Windows 10 Enterprise-only feature, but later expanded it to include Windows 10 Pro.)

Microsoft's roadmap, however, currently lists a December 2020 release.

Tomasz David