Microsoft this week released Application Guard for Office, a defensive technology that quarantines untrusted Office documents so attack code embedded in malicious files can't reach the operating system or its applications.

The announcement of Application Guard's general availability came five months after Microsoft kicked off a public preview of the technology. At that time, Microsoft's roadmap indicated a December 2020 debut for Application Guard for Office.

'When you've enabled Application Guard and a user opens a file from a potentially unsafe location, Office opens the file in Application Guard; a secured, Hyper-V-enabled container isolated from the rest of a user's data through hardware-based virtualization,' Emil Karafezov, senior program manager, said in a Jan. 27 post to a company blog.

Application Guard for Office isolates certain files opened in the suite's three primary applications: Word, Excel and PowerPoint. Documents obtained from untrusted Internet or intranet domains, files pulled from potentially unsafe areas, and attachments received through the Outlook email client are opened in a virtualized environment, or sandbox, where malicious code can't wreak havoc.

Unlike the much older Protected View, another Office defensive feature that opens potentially dangerous documents as read-only, files opened in Application Guard can be manipulated. They can be printed, edited and saved. When saved, they remain in the isolation container, and when reopened later, they are again quarantined in the sandbox.

Outdated file types — which can be set by administrators in the File Block feature within Word, Excel and PowerPoint — are also shunted into Application Guard's virtual machine.

Application Guard for Office will be available to customers licensing Microsoft 365 E5 or Microsoft 365 E5 Security, and for now, only to those on either the Current Channel or Monthly Enterprise Channel. (Those are the Microsoft 365 update channels that deliver the most frequent refreshes.)

Customers who have selected the Semi-Annual Enterprise Channel for updates will receive the feature 'later this year,' Microsoft said. Semi-Annuals are released twice each year, in January and July, pointing to a July availability of Application Guard.

Set as 'off' by default, Application Guard requires that IT admins turn on the feature, then set and distribute group policies to individual users. More information about that process can be found in Microsoft's installation guide and user guide.

Files obtained from untrusted sources are opened in Application Guard, noted as such by the notice in the upper right.

Tomasz David