This blog is the first part of the Endpoint Security Series.
In this blog I will show you how to start testing Application Guard for Office apps.
I will divide this blog into 3 parts:
- Information About WDAG
- Deploy it with Intune Endpoint Security
- Deploy it with PowerShell
1. Information About Windows Defender Application Guard (WDAG)
To make sure malware can't get its foot in the door, you have to protect your endpoint, and hardening your Office apps is a good first step. Some time ago Microsoft added the option to isolate Office documents that you open from an untrusted location, so that whatever is inside such a document stays inside an isolated container instead of running on the host.
First you have to meet the minimum software and license requirements:
- Windows 10 Enterprise edition, version 2004 (20H1), build 19041
- Office: Current Channel or Monthly Enterprise Channel, version 2011 (build 16.0.13530.10000) or later. Both 32-bit and 64-bit versions of Office are supported.
- Windows 10 cumulative monthly security update KB4566782
- Microsoft 365 E5 or Microsoft 365 E5 Security
So make sure your Windows installation is up to date and your Office apps are set to the Beta update channel. An easy way to get there is to expose the Office Insider option and then configure the update channel, so that you can update your Office apps to the latest build.
2. Deploy it with Intune Endpoint Security
Open Intune and create a new Endpoint Security > Attack Surface Reduction profile.
Select "App and browser isolation".
You can choose for which functions Application Guard has to be enabled. There are 3 options:
- "Enable for Edge": unapproved websites are opened in a Hyper-V virtualized browsing container
- "Enable for isolated Windows environment": Application Guard is enabled for applications like Word and Excel, so untrusted documents are opened inside a Hyper-V container
- "Enable for Edge AND isolated Windows environment": Application Guard is enabled for both Edge and the Office applications
After you have chosen whether to enable it for apps, Edge or both, we need to take a look at the "Windows network isolation policy".
These settings help you define and manage your organization's network boundaries. You need to configure them to control which locations are blocked and which locations are considered trusted (corporate).
Application Guard uses this information to automatically redirect any request for a non-corporate resource into the Application Guard container, so the boundary you define here decides what counts as "untrusted".
So let’s take a look at the settings I configured!
3. Deploy it with Powershell
To deploy Windows Defender Application Guard without Intune, you will need to configure a few settings yourself. Create a new PowerShell script and deploy it to a group of test devices.
# Registry key that holds the Windows feature-management overrides
$RegLoc = "HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides"

# Create the key path; -Force makes the script safe to re-run when the keys already exist
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft -Force | Out-Null
New-Item -Path HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement -Force | Out-Null
New-Item -Path $RegLoc -Force | Out-Null

# Enable the two feature overrides for the KB4559004 Issue 001 preview
New-ItemProperty -Path $RegLoc -Name 3457697930 -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $RegLoc -Name 94539402 -PropertyType DWord -Value 1 -Force | Out-Null

# Tell Windows to apply the feature overrides
Get-ScheduledTask -TaskName "ReconcileFeatures" -TaskPath "\Microsoft\Windows\Flighting\FeatureConfig\" | Start-ScheduledTask

# Optional Hyper-V role changes, left commented out (not needed for this deployment)
#Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -NoRestart
#Disable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Tools-All -NoRestart

# Install the Application Guard feature (a reboot is required afterwards)
Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard -NoRestart

# Turn on Application Guard managed mode for Office apps (2 = Office) and enable audit events;
# /f overwrites an existing value instead of prompting, which would hang a silent deployment
reg add HKLM\SOFTWARE\Policies\Microsoft\AppHVSI /v AllowAppHVSI_ProviderSet /t REG_DWORD /d 2 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\AppHVSI /v AuditApplicationGuard /t REG_DWORD /d 1 /f
This PowerShell script enables the KB4559004 Issue 001 preview feature.
It launches the ReconcileFeatures task and, of course, installs Microsoft Defender Application Guard (WDAG) and turns on Application Guard managed mode.
Please reboot the device after the PowerShell script or the Endpoint Security policy has been deployed successfully. If you want to be sure Application Guard is enabled, you can check by using this PowerShell command
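The following check is an added example and not the command from the original post. It reads back the feature state and the policy values that the deployment script above writes, and reports whether Office isolation is active on the device. Run it in an elevated PowerShell session after the reboot; the registry paths and value names are the ones used by the deployment script.

```powershell
# Added example (not the author's command): verify an Application Guard for Office deployment.
# Requires an elevated PowerShell session; run after the post-deployment reboot.

# 1. Is the Application Guard optional feature installed?
$feature = Get-WindowsOptionalFeature -Online -FeatureName Windows-Defender-ApplicationGuard

# 2. Is the managed-mode policy set? (AllowAppHVSI_ProviderSet: 1 = Edge, 2 = Office apps, 3 = both)
$policy = Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI" -ErrorAction SilentlyContinue

# 3. Are the preview feature overrides from the deployment script still in place?
$overrides = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Policies\Microsoft\FeatureManagement\Overrides" -ErrorAction SilentlyContinue

# Summarise the result; OfficeReady is true only when the feature is enabled and Office is in scope
[pscustomobject]@{
    FeatureState        = $feature.State
    ProviderSet         = $policy.AllowAppHVSI_ProviderSet
    AuditEnabled        = ($policy.AuditApplicationGuard -eq 1)
    PreviewOverrides    = (($overrides.'3457697930' -eq 1) -and ($overrides.'94539402' -eq 1))
    OfficeReady         = (($feature.State -eq 'Enabled') -and ($policy.AllowAppHVSI_ProviderSet -in 2, 3))
}
```

If FeatureState is still "EnablePending" the device has not been rebooted yet; if ProviderSet is 1, only Edge is protected and Office documents will keep opening on the host.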
Let's download a test .docx from the internet and see what happens when you open the untrusted document (have some patience the first time it opens).
You will notice a WDAG notification: the document is opened in Application Guard.
You can remove the protection when you are really sure it's a trusted document.
Of course, WDAG for Office apps is not perfect yet, but hey, it's in public preview. It's a really nice solution to defend your endpoints against malware hidden in Office documents.
My only complaint: WDAG really likes your memory and CPU. That's the beauty of an argument: if you argue correctly, you're never wrong.
Application Guard uses a virtualized container to isolate untrusted documents away from the system. The process of creating a container and setting up the Application Guard container to open Office documents has a performance overhead that might negatively affect the user experience when users open an untrusted document.
The second part of the Endpoint Security Series is about Controlled Folder Access (CFA).