Application Guard is a feature in Windows 10 and Windows 11 operating systems that uses a hardware isolation approach to protect enterprise assets from attacks from untrusted sites and files. It opens enterprise-defined untrusted sites and files in an isolated Hyper-V container that is separate from the host operating system. With Application Guard for Office, admins can protect enterprise data and credentials on a wide range of physical endpoints used by employees with Microsoft 365 accounts on their tenants. In this article, we will explain how Microsoft 365 admins can deploy Application Guard for Office.
What Are the Advantages of Deploying Microsoft Defender Application Guard?
Organizations can deploy Application Guard to isolate enterprise-defined untrusted sites and prevent untrusted Word, PowerPoint, and Excel files from accessing trusted resources. Untrusted sites and files are opened in anonymous and isolated Hyper-V containers, denying attackers access to employee data and credentials. Here are some ways in which Application Guard can protect various platforms and devices.
- Domain-joined enterprise desktops and laptops can be configured and managed using Microsoft Endpoint Manager or Microsoft Intune. Employees typically have Standard User privileges on these devices.
- Personal laptops that are managed by organizations that support a bring your own device (BYOD) policy are not domain-joined. These can be protected with Application Guard and managed with tools such as Microsoft Intune. The employee is typically an admin on such devices.
- Other personal devices, such as mobiles, personal desktops, and laptops, are neither domain-joined nor managed by the organization. Application Guard can protect enterprise data even on such devices.
How to Deploy Application Guard for Office Apps in Microsoft 365?
Application Guard can be activated from Windows Features in Windows 11 and Windows 11 Enterprise. Follow the steps below to enable Application Guard for Office, available in Microsoft 365.
- Ensure that the latest Windows 10 security updates have been installed.
- Search for "Windows features" in the search box in the Windows taskbar.
- Scroll down to Microsoft Defender Application Guard in the list of features, place a check in the checkbox next to it to turn the feature on, and click OK. Alternatively, admins can enable the feature using PowerShell with the Enable-WindowsOptionalFeature cmdlet.
- The system will reboot after the Microsoft Defender Application Guard application is installed to activate the feature.
- If MDAG needs to be deployed on multiple systems in the same Microsoft 365 tenant, turn on the group policy Microsoft Defender Application Guard in Managed Mode under Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard. Enable MDAG either for isolated Windows environments only or for both Edge and isolated Windows environments.
- Open an untrusted file and confirm that it opens in Application Guard for Office. This verifies that the feature is enabled.
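The steps above can also be scripted. The following PowerShell is an added example, not code from the original article: it checks the feature state, enables the feature without forcing a reboot, and reports the Managed Mode setting. It assumes an elevated session, and the registry location and value meanings for the group policy are assumptions that should be verified against the policy template in your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and enable Microsoft Defender Application Guard (MDAG).

$FeatureName = 'Windows-Defender-ApplicationGuard'   # optional-feature name for MDAG

# Assumption: where the "Managed Mode" group policy stores its setting.
$PolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
$PolicyValue = 'AllowAppHVSI_ProviderSet'

# Assumption: meaning of each policy value.
$Modes = @{
    0 = 'Disabled'
    1 = 'Edge only'
    2 = 'Isolated Windows environments only'
    3 = 'Edge and isolated Windows environments'
}

function Get-MdagStatus {
    # Feature state as reported by DISM (Enabled, Disabled, EnablePending, ...).
    $feature = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName

    # The value is absent when the group policy has not been applied.
    $raw = (Get-ItemProperty -Path $PolicyKey -Name $PolicyValue `
                -ErrorAction SilentlyContinue).$PolicyValue
    $mode = if ($null -eq $raw) { 'Not configured' }
            elseif ($Modes.ContainsKey([int]$raw)) { $Modes[[int]$raw] }
            else { "Unknown ($raw)" }

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        FeatureState = [string]$feature.State
        ManagedMode  = $mode
    }
}

$status = Get-MdagStatus
if ($status.FeatureState -notin 'Enabled', 'EnablePending') {
    # -NoRestart defers the reboot so it can be scheduled by the admin.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $FeatureName -NoRestart
    if ($result.RestartNeeded) {
        Write-Warning 'MDAG was installed; reboot to activate the feature.'
    }
}

# Report the final state; a FeatureState other than Enabled after reboot,
# or a ManagedMode that does not cover Office, needs follow-up.
Get-MdagStatus
```

A ManagedMode of "Not configured" or "Edge only" in the output means the group policy from the previous step has not reached the machine or does not cover isolated Windows environments.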
Apps4Rent Can Help with Microsoft 365 Security Configuration
While Application Guard is available in Windows Pro as well as Windows Enterprise, the latter offers extra features in the Enterprise-Managed mode, which are not available in the Standalone mode. Additionally, the mandatory network isolation policies to deploy Application Guard are different between the configuration service provider and the group policy.
As a Microsoft Gold Partner in multiple competencies, Apps4Rent can help businesses and enterprises with Office 365/Microsoft 365 licensing, deployment, and customization. Call, chat, or email our certified Microsoft 365 admins available 24/7 for assistance.