Thank you for Application Guard for Office apps.

Thank you for Application Guard for Office apps.

This blog is the first part of the Endpoint Security Series.

In this blog, I will show you, how to start testing with Application Guard for Office apps.

I will divide this blog into 5 parts.

  1. Information About WDAG
  2. Deploy it with Intune Endpoint Security
  3. Deploy it with PowerShell
  4. Results
  5. Troubleshooting
  6. Conclusion

1. Information About Windows Defender Application Guard (WDAG)

To make sure Malware can’t get its foot in the door, you have to protect your endpoint. Hardening your Office apps is the first step. Some time ago Microsoft created the possibility to isolate your Office app documents you open from an untrusted location…

First, you have to meet the minimum software and license requirements

  • Windows 10 Enterprise edition, Client Build version 2004 (20H1) build 19041
  • Office: Office Current Channel and Monthly Enterprise Channel, Build version 2011 16.0.13530.10000 or later. Both 32-bit and 64-bit versions of Office are supported.
  • Windows 10 cumulative monthly security updates KB4566782
  • Microsoft 365 E5 or Microsoft 365 E5 Security

So you need to make sure your Windows is up to date and your Office Apps are set to the Insider beta update channel. An easy way is just to show the option for Office insider would be to create this registry key


Or even easier create a new Device configuration policy to configure it.

Configure the Update channel, to make sure you can update your office apps to the latest build.

2. Deploy it with Intune Endpoint Security

Open Intune and go and create a new Endpoint Security Attack Surface Reduction Profile.

Select “app and browser isolation”

You can choose on which functions, application guard has to be enabled. There are 3 options to choose from:

Enable for Edge” –> To make sure unapproved websites are opened in a Hyper-v virtualized browsing container

Enable for isolated Windows environment” –> To make sure Application guard is enabled for applications like Excel, Word. It will make sure the documents are opened inside a Hyper-V Container

 “Enable for Edge AND isolated Windows environment” –> When you need to make sure App Guard is enabled for Edge and Applications (Office)

After you have made your choice if you want to enable it on Apps, Edge or both we need to take a look at the “Windows network isolation policy”

The next question is

These settings, help you define and manage your organization’s network boundaries. You will need to configure these settings to control which locations are blocked and which locations are considered trusted

Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container

So let’s take a look at the settings I configured!

3. Deploy it with Powershell

To deploy Windows Defender Application Guard, you will need to configure some settings. Create a new Power Shell script and push it to your test endpoints.

Create a new PowerShell script and deploy it to some test devices (group).

PowerShell content:

$RegLoc = "HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides"

New-Item -path HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft

New-Item -path HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement

New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides

New-ItemProperty -Path $RegLoc -Name 3457697930 -PropertyType Dword -Value 1

New-ItemProperty -Path $RegLoc -Name 94539402 -PropertyType Dword -Value 1

Get-ScheduledTask -TaskName "ReconcileFeatures" -TaskPath "\Microsoft\Windows\Flighting\FeatureConfig\" | Start-ScheduledTask

#Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart 
#Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Tools-All -NoRestart

Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart 

reg add HKLM\SOFTWARE\Policies\Microsoft\AppHVSI /v AllowAppHVSI_ProviderSet /t reg_dword /d 2

reg add HKLM\SOFTWARE\Policies\Microsoft\AppHVSI /v AuditApplicationGuard /t reg_dword /d 1

This PowerShell script will set the KB4559004 Issue 001 preview to enabled.

It will launch the Reconcilefeatures task and of course, it will install Microsoft Defender Application Guard (WDAG) and turn on the Microsoft defender application guard managed mode.

4.The Results:

Please reboot your device after the PowerShell script or Endpoint policy is deployed successfully. If you want to be sure Application Guard is enabled, you can check by using this PowerShell command

Let’s download a test Docx from the internet and see what happens when you open the untrusted document. (have some patience the first time it opens…)

You will notice a WDAG notification: The document is opened in Application Guard.

You can remove the protection when you are really sure it’s a trusted document.

5. Troubleshooting

If you need to start troubleshooting why something is not working as it should, you will need to open the event log first. When using WDAG, you will need to look for the WDAG event logs (duhh)

And also don’t forget to change the auditing policy (I also mentioned in the PowerShell script)

6. Conclusion

Of course,  WDAG for Office Apps is not perfect yet but hey, it’s in public preview. It’s a really nice solution to defend your endpoints against malware within Office documents.  

The only argument I have, WDAG really likes your Memory and CPU. That’s the beauty of argument, if you argue correctly, you’re never wrong

Application Guard uses a virtualized container to isolate untrusted documents away from the system. The process of creating a container and setting up the Application Guard container to open Office documents has a performance overhead that might negatively affect the user experience when users open an untrusted document.

I Dont Trust You GIFs - Get the best GIF on GIPHY

The second part of the Endpoint Security Series about CFA (click here)

One thought on “Thank you for Application Guard for Office apps.

Leave a Reply

Your email address will not be published. Required fields are marked *

6  +  3  =