Application Guard first appeared in Windows 10 1709 (“Fall Creators Update”) to isolate Edge browser activity within a Hyper V container. Microsoft now extends that same idea to Word, Excel, and PowerPoint in Office 365 ProPlus Microsoft 365 Apps for Enterprise on Windows 10…
… if you have Microsoft 365 E5 or E5 Security. You knew that was coming!
With Application Guard for Office, your files can open in a sandbox without access local or network storage. This provides an additional layer of protection against threats such as ransomware, for which Office apps are infamous as an attack surface. There’s a significant catch: a standard configuration of Application Guard will allow users to bypass it if they say they trust the file, therefore executing it in the normal way; resource access included. You can change this default behaviour though, so keep reading.
Note I say “an additional layer of protection”. We know there are no perfect solutions to anything, much less IT security, and I can’t exactly guarantee attackers will never find a way to escape the hypervisor Application Guard uses. So keep patching.
If you do have the appropriate level of licensing, Application Guard for Office 365 (which I’ll now just call Application Guard for this article) isn’t enabled by default. On the endpoint, the requirements are beyond those of standard Microsoft 365 apps, which is part of the reason for this. Your users need a quad-core CPU that supports Intel VT-x or AMD-V and 8GB of memory (the same is true for Application Guard for Edge).
Tip: These hardware requirements are enforced when you try to turn Application Guard on, but you can get around them by editing registry values in HKLM\Software\Microsoft\Hvsi:
SpecRequiredMemoryInGB
SpecRequiredProcessorCount
SpecRequiredFreeDiskSpaceInGB
… or just buy your users a suitable device (please).
Additionally, because this is only for M365 E5/E5 Security licensees, you need to be running Windows 10 Enterprise 2004 or later. Windows 10 Pro does not support Application Guard for Office.
Application Guard itself is a Windows 10 feature you need to enable too. Manually, you can use the Enable-WindowsOptionalFeature cmdlet or, at scale, use an Intune Endpoint Security App and Browser Isolation profile:
Optionally, you can also choose if Application Guard files are allowed to print. This is another benefit over Protected View, which blocks printing:
There’s a range of Application Guard settings configurable in the Office cloud policy service too. You can set these in Intune (Apps > Policies for Office apps) or config.office.com.
These generally do what they say on the tin, but I want to explore Prevent users from removing Application Guard protection on files a bit more. This prevents users from disabling Application Guard in settings or per file. It also means that if a user does need to get that file into local or network resources, you’re going to prevent that (e.g. maybe it’s an Excel file that references other workbooks by network file path). This is also important because, at the time of writing, you can’t run any macros in Application Guard. Good for security, but chances are your users will have some trusted files that Application Guard blocks (shared over email, downloaded from SharePoint Online, etc). Another potential problem is, to make sure you’re appropriately licensed, Application Guard needs to be online the first time a file opens in it. Consider if your users regularly go offline before deploying/enforcing.
After the device reboots from enabling Application Guard, you’ll find a local account called WDAGUtilityAccount is now enabled (you don’t need to do anything with this; it’s managed by Windows for Application Guard instances to anonymise the actual user’s identity if queried by the file). Application Guard is now available. Files opened under it are given a special icon in the taskbar, ribbon, and splash screen.
But when exactly is Application Guard invoked? How do some files open in a standard instance, but others don’t?
Excel, Word, and PowerPoint files open in Application Guard (or Protected View, if you can’t use Application Guard but want to put files in read-only by default) under circumstances like…
- Office File Validation (OFV) checks’ to make sure the file aligns to set format standards fail.
- File Block includes the file extension in scope. File Block is an index of denied extensions, which are generally legacy formats, but an administrator can use Administrative Templates to control the formats, which may include nearer formats such as 2007 and later macro-enabled workbooks and templates.
- Files saved in locations such as %temp%, which Office regards as unsafe locations.
- Files downloaded from the internet (based on zones) which are given a Mark of the Web (MotW) by Windows, if the downloading/extracting software supports it. Most will (think browsers), though things get messy with some apps if we’re then extracting files from ZIPs or VHDs, etc. MotW can be seen below in Properties.
Tip: Bit off topic, but open “YourFile.extension: Zone.Identifier:$DATA” in Notepad to see how this works and that Windows 10 logs the referrer URL… yikes!
The last two of these are of particular interest to the Application Guard (and Protected View) approach to securing Word, Excel, and PowerPoint. It’s trivial to relocate a file from an ‘unsafe location’ to a ‘safe location’ (can such a thing exist?), and as you can see from the MotW screenshot, so is removing a MotW. Using either of these workarounds, users will bypass the earlier discussed setting to stop them from turning off Application Guard.
Again: security is just layers.