Preparing my Application Guard for Office test lab

Posted onAuthorAlex VerboonLeave a comment

Hello everyone, today I wanted to see application guard for office in action. If you are not familiar with application guard for office, I suggest you read the following articles / documentation.

And now let me walk you through the steps to get application guard for office working in your test lab.

  1. Deploy Windows 10 20H1 or 20H2
  2. When running your test client in Hyper-V you have to enable nested virtualization so that we can later enable Application Guard
  3. Next, we turn on the Microsoft Defender Application Guard. Now if your system does not meet the minimum requirements the option is greyed out as shown in the screenshot below.

    But luckily there is a workaround described here. Once you have added these registry keys, you will be able to enable Application Guard
  4. Now we have to enable Microsoft Defender Application Guard in managed mode, so that it can be used for Microsoft Edge and Office. Open the Group Policy editor and navigate to: Computer Configuration \ Administrative templates \ Windows Components \ Microsoft Defender Application Guard and open the setting: Turn on Microsoft Defender Application Guard in Managed Mode and set the value to 3 If you want to enable Application Guard for Edge and Office or 2 for Office only.
  5. Now that we have Defender Application Guard ready, let us move on to Office. The official documentation mentions Office Beta Channel Build version 2008 16.0.13212 or later, however as per this announcement it should work with the Insider current channel as well. Configure the following group policy settings for Office 365 Apps for Enterprise to enable insider releases:User Configuration \ Administrative Templates \ Microsoft Office 2016 \ miscellaneous \ Show the option for Office Insider

  6. Start Office and enable the Office Insider release. Select File, Account, Office Insider, Change Channel

    Choose the Channel, Beta or Current Channel (Preview) and then select Update options, update Office and once installed you should see the version changed to Beta or Current Channel Preview.

  7. Great, now we have everything in place to see Defender Application Guard for Office in action. Let us open a document that comes from the internet.

    While Word is starting, it is telling us that the document is opened in Application Guard

  8. And finally, if you have onboarded the device in Microsoft Defender for Endpoints, you can run the following query to see when Application Guard for Office was launched.

Have a great day

Alex

Related posts:

  1. New Group Policy Settings for Office 365
  2. Retrieving Windows Defender Exploit Guard Windows Event logs with PowerShell
  3. User Spam & Phish Submissions configuration in Office 365 – Part 1
  4. Theme Configuration Group Policy support for Office 2013
  5. How to check if Control Flow Guard is enabled

Leave a Reply