Microsoft Defender Application Guard prevents potentially risky files from gaining access to trusted system resources. It opens untrusted documents in an isolated environment with hardware virtualization. It protects your system from malicious software in this isolated container sing standalone and automated modes. In the automated mode, AKA Enterprise Management Mode, the administrator will define some trusted websites.
Any document or app originating from the defined domains will open normally on your computer. Meanwhile, Application Guard launches files originating from websites outside these defined trusted sites in the virtual environment.
Microsoft Defender Application Guard helps prevent untrusted files from accessing trusted resources, keeping your enterprise safe from new and emerging attacks. This article walks admins through setting up devices for a preview of Application Guard for Office. It provides information about system requirements and installation steps to enable Application Guard for Office on a device, says Microsoft.
How to Enable Microsoft Defender Application Guard on Windows 11
Now that you have an overview of Microsoft Defender Application Guard for Windows, this section shows you how to enable and disable it on your Windows computer. We’ll explore the following:
- Enable or disable Application Guard in Windows Features.
- Enable or disable Application Guard using PowerShell.
- Turn on Microsoft Defender Application Guard in Managed Mode group policy.
- Double-check if Application Guard is enabled and working.
The first two solutions are alternative ways to enable or disable the Application Guard. The third part should be done after following one of the solutions. And finally, you’ll see how to confirm that the Application Guard for Office is enabled and working.
1] Enable or disable Application Guard in Windows Features
Right-click on the Start button and select Run to open the Run dialog box. Enter appwiz.cpl in the Run dialog box and click on the OK button.
Click on the Turn Windows features on or off link at the left-hand panel of the Programs and Features window.
Find Microsoft Defender Application Guard from the list on the Windows Features screen and mark the checkbox next to this option to enable it. Hit the OK button.
After enabling Microsoft Defender Application Guard, you’ll need to restart your machine.
To disable Microsoft Defender Application Guard, simply uncheck the option on the Windows Features screen and restart your computer.
Read: Windows Defender Application Guard Extension for Chrome, Edge, & Firefox.
2] Enable or disable Application Guard using PowerShell
You can also enable Microsoft Defender Application Guard using PowerShell. To open PowerShell as an administrator, right-click on the Start button and select Windows PowerShell (Admin).
Copy and paste the following command in the PowerShell window to enable Windows Defender Application Guard and hit the ENTER key:
Enable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
On running the above command, you’d have enabled Application Guard for Office. Restart your computer following this to finish the process.
To disable Application Guard, enter the following command:
Disable-WindowsOptionalFeature -online -FeatureName Windows-Defender-ApplicationGuard
3] Turn on Microsoft Defender Application Guard in Managed Mode group policy
The two options above are ways to enable or disable the Application Guard for Office. After completing any of the two above methods, you now have to turn on the feature in the Managed Mode group policy.
To do this, go to Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Application Guard.
Here, change the value under Options to 2 or 3. Click on the OK button to save your settings and close the window. Restart your computer after this.
4] Double-check if Application Guard for Office is enabled and working
After enabling Microsoft Defender Application Guard, you get no confirmation that it’s working. You may want to confirm that you’ve enabled it and it’s working correctly.
Before you go ahead to double-check that you’ve enabled Application Guard for Office, open a Microsoft Office app (Word, PowerPoint, Excel, etc.) on a computer that has policies deployed and ensure that you have an activated copy of Microsoft Office. If it’s not activated, you must activate it to use Application Guard for Office.
To check that Application Guard is enabled and working, download a document or email attachment off the internet so that it’s classed an untrusted. Next, open it in the corresponding Office application.
The first time you use the Office application to open an untrusted document, you might notice that the splash screen shows for a longer time. This delay is because it’s activating Application Guard for Office and opening the file. However, it happens only the first time. Other opens will be quicker.
If Microsoft Defender Application Guard is enabled, you’ll see an indication of that in the splash screen. For example, Microsoft Word will say,
To keep you safe, we’re opening this document in Application Guard…
When the file finally opens, another indicator of an active Application Guard for Office is that you’ll see a callout in the ribbon that says,
File opened in Application Guard.
This file is from an untrusted soure. To keep you safe, we’ve opened it in a protected mode.
Also, you’ll notice a black shield on the Microsoft application’s icon in the taskbar. This is another indicator that Application Guard is enabled and working.
Hope this helps.
Also read:
- How to enable Print from Application Guard for Edge
- How to enable Advanced Graphics in Application Guard for Edge
What is Microsoft Defender Application Guard?
Microsoft Defender Application Guard has been created to target 3 types of enterprise systems:
- Enterprise desktops
- Enterprise mobile laptops
- Bring your own device (BYOD) mobile laptops.
This feature uses virtualization technology to open links clicked while browsing the Internet or checking email in a sandboxed environment (an isolated environment to test or analyze software in a protected environment) to keep malicious scripts out of the user’s network and devices.
How to Install Microsoft Defender Application Guard for Microsoft Edge using Command Prompt?
Execute the following command to Install Microsoft Defender Application Guard for Microsoft Edge:
Dism /online /Enable-Feature /FeatureName:"Windows-Defender-ApplicationGuard"
As soon as you execute this command, it will start the process of enabling Application Guard.