In this blog, I will show you how to start testing Application Guard for Office apps.
To make sure malware can’t get its foot in the door, you have to protect your endpoint, and hardening your Office apps is the first step. Some time ago Microsoft added the option to isolate Office documents that you open from an untrusted location…
First you have to meet the minimum software and license requirements:
- Windows 10 Enterprise edition, Client Build version 2004 (20H1) build 19041
- Office Beta Channel Build version 2008 16.0.13212 or later
- Windows 10 cumulative monthly security updates KB4566782
- Microsoft 365 E5 or Microsoft 365 E5 Security
So you need to make sure Windows is up to date and your Office apps are set to the Beta update channel. An easy way is to simply show the Office Insider option.
Configure the update channel so that you can update your Office apps to the latest build.
To deploy Windows Defender Application Guard, you will need to configure some settings. Create a new PowerShell script and deploy it to a group of test devices.
# Enable the feature-flag overrides (/f overwrites an existing value without prompting,
# which a script pushed to an endpoint cannot answer)
reg add HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides /v 3457697930 /t REG_DWORD /d 1 /f
reg add HKLM\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides /v 94539402 /t REG_DWORD /d 1 /f
# Make Windows pick up the new feature configuration
Get-ScheduledTask -TaskName "ReconcileFeatures" -TaskPath "\Microsoft\Windows\Flighting\FeatureConfig\" | Start-ScheduledTask
# Install Application Guard; the log folder must exist before Out-File can write to it
New-Item -ItemType Directory -Path "C:\ProgramData\CustomScripts" -Force | Out-Null
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart | Out-File "C:\ProgramData\CustomScripts\EnableApplicationGuard.log"
# Turn on Application Guard managed mode
reg add HKLM\SOFTWARE\Policies\Microsoft\AppHVSI /v AllowAppHVSI_ProviderSet /t REG_DWORD /d 3 /f
This PowerShell script enables the KB4559004 Issue 001 preview through the two FeatureManagement overrides.
It then launches the ReconcileFeatures task and, of course, installs Microsoft Defender Application Guard (WDAG) and turns on Application Guard managed mode.
Please reboot your device after the PowerShell script has run and see what happens when you open an untrusted document (have some patience the first time it opens…).
You will notice a WDAG notification: the document is opened in Application Guard.
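Before trusting the notification alone, it is worth checking on each test device that every piece the deployment script touches actually landed after the reboot. The following is an added verification script, not part of the original post or of any Microsoft tooling; the registry paths, value names and the feature name are the ones the deployment script above writes, while the function name, the hypervisor check and the result layout are my own assumptions. Run it elevated, because Get-WindowsOptionalFeature needs administrator rights.

```powershell
# Added example: verify the Application Guard for Office prerequisites on a test device.
# Assumes the registry values and feature name from the deployment script above.
function Test-OfficeAppGuardPrereqs {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Application Guard runs documents in a Hyper-V based container, so a hypervisor must be active.
    $result.HypervisorPresent = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).HypervisorPresent

    # 2. The optional feature must be 'Enabled'; 'EnablePending' means the reboot has not happened yet.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard
    $result.FeatureState = [string]$feature.State

    # 3. Both FeatureManagement overrides written by the deployment script.
    $overrides = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides' -ErrorAction SilentlyContinue
    $result.Override3457697930 = ($overrides.'3457697930' -eq 1)
    $result.Override94539402   = ($overrides.'94539402' -eq 1)

    # 4. Managed mode: AllowAppHVSI_ProviderSet should be 3, as set by the deployment script.
    $hvsi = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI' -Name AllowAppHVSI_ProviderSet -ErrorAction SilentlyContinue
    $result.ProviderSet = $hvsi.AllowAppHVSI_ProviderSet
    $result.ManagedMode = ($hvsi.AllowAppHVSI_ProviderSet -eq 3)

    # 5. Did the ReconcileFeatures task actually run? LastTaskResult 0 means success.
    $taskInfo = Get-ScheduledTask -TaskName 'ReconcileFeatures' -TaskPath '\Microsoft\Windows\Flighting\FeatureConfig\' |
        Get-ScheduledTaskInfo
    $result.ReconcileLastRun = $taskInfo.LastRunTime
    $result.ReconcileResult  = $taskInfo.LastTaskResult

    # Overall verdict for reporting back from the test group.
    $result.Ready = $result.HypervisorPresent -and
                    ($result.FeatureState -eq 'Enabled') -and
                    $result.Override3457697930 -and
                    $result.Override94539402 -and
                    $result.ManagedMode

    [pscustomobject]$result
}

# Usage: run on the test device and compare the 'Ready' field across the group.
Test-OfficeAppGuardPrereqs | Format-List
```

A device that reports Ready = False with FeatureState = EnablePending simply has not rebooted yet; one with HypervisorPresent = False is usually a VM or a host with virtualization disabled in firmware, and no amount of re-running the deployment script will help until that is fixed.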
You can remove the protection when you are really sure it’s a trusted document.
Of course, WDAG for Office apps is not perfect yet, but hey, it’s in public preview. It’s a really nice solution to defend your endpoints against malware within Office documents. The only argument I have is that WDAG really likes your memory and CPU. That’s the beauty of an argument: if you argue correctly, you’re never wrong.