Windows 10 20H2: Microsoft launches a public preview of Microsoft Defender Application Guard for Office, an isolation feature that uses a Hyper-V compatible container for added security
John Barbare, Senior Customer Engineer at Microsoft, announced that Microsoft Defender Application Guard for Office is available as a limited preview on Windows 10 20H2. Windows 10 20H2 is now available to commercial customers so that they can explore and validate its functionality ahead of the general availability release.
Here are the prerequisites for using Microsoft Defender Application Guard:
Hardware Requirements:
- A 64-bit computer with a minimum of 4 cores (logical processors), required for the hypervisor and Virtualization-Based Security (VBS).
- Processor virtualization extensions: Extended Page Tables, also known as Second Level Address Translation (SLAT), and one of the following virtualization extensions for VBS: VT-x (Intel) or AMD-V.
- 8 GB RAM minimum.
- 5 GB free disk space; a Solid State Disk (SSD) is recommended.
Software Requirements:
- Operating system: Windows 10 Enterprise, version 1709 or later
- Windows 10 Pro, version 1803 or later
- Windows 10 Pro for Workstations, version 1803 or later
- Windows 10 Pro Education, version 1803 or later
- Windows 10 Education, version 1903 or later
- Browser: Microsoft Edge or Internet Explorer
Microsoft Defender Application Guard is an isolation feature built on a Hyper-V compatible container. The container is a lightweight virtual machine (VM) that runs on a separate kernel from the host, so a kernel-level compromise inside the container does not reach the host kernel. There are two modes: enterprise (managed) mode and standalone mode. In enterprise mode, the administrator defines trusted sites via Group Policy Objects, Microsoft Intune, Microsoft Endpoint Configuration Manager, or your current mobile device management solution. Sites not on the trusted list are launched in the isolated Hyper-V container, so anything malicious they serve stays inside the container instead of reaching the host and its data.
Microsoft Defender Application Guard was created to target the following types of systems:
- Enterprise desktops and laptops: Joined to the domain and managed by your organization.
- BYOD ("bring your own device") scenarios: personal laptops that are not joined to a domain but are managed by your organization via tools such as Microsoft Intune.
- Personal devices: personal desktops or laptops that are neither joined to a domain nor managed by an organization. The user is an administrator on the device and uses a high-bandwidth wireless personal network at home or a comparable public network outside.
In standalone mode, users can open browser sessions isolated from the device without any administrator configuration or management policy. In this mode, Microsoft Defender Application Guard must be installed, and the user must then manually start an Application Guard session when browsing, whether the site is approved or not. John Barbare indicates that he generally does not recommend standalone mode to customers, because it leaves the user to decide whether or not to use a Microsoft Defender Application Guard session; the user can then authorize any action (good or bad) that could lead to malicious behavior.
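The following PowerShell script is an added example, not code from the article or from Microsoft; it ties together the hardware and software prerequisites listed above and the enterprise-mode configuration just described. It checks the VBS/SLAT requirements, enables the Application Guard optional feature, and writes the managed-mode policy and trusted-site list that Group Policy or Intune would otherwise deploy. The registry key and value names (AppHVSI, AllowAppHVSI_ProviderSet, AllowPersistence, AppHVSIClipboardSettings, NetworkIsolation, EnterpriseCloudResources, NeutralResources) and the separator formats are those written by the corresponding ADMX policy templates; treat them as assumptions to verify against your own template version, and run the script elevated on a test machine first.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of the article): check Application Guard prerequisites,
# enable the feature, and configure enterprise (managed) mode with a trusted-site list.

function Test-MdagPrerequisites {
    # Get-ComputerInfo exposes the hypervisor requirements; the HyperVRequirement*
    # properties are $null when Hyper-V is already installed, so treat $null as "already virtualized".
    $info = Get-ComputerInfo
    $sysDrive = Get-PSDrive -Name $env:SystemDrive.TrimEnd(':')

    # Win32_DeviceGuard reports whether VBS is actually running (0 = off, 1 = enabled, 2 = running)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    $checks = [ordered]@{
        '64-bit OS'                 = ($info.OsArchitecture -eq '64-bit')
        '>= 4 logical processors'   = ($info.CsNumberOfLogicalProcessors -ge 4)
        '>= 8 GB RAM'               = ($info.CsTotalPhysicalMemory -ge 8GB)
        '>= 5 GB free on system drive' = ($sysDrive.Free -ge 5GB)
        'SLAT (EPT/NPT) present'    = ($null -eq $info.HyperVRequirementSecondLevelAddressTranslation -or
                                       $info.HyperVRequirementSecondLevelAddressTranslation)
        'VT-x/AMD-V enabled in firmware' = ($null -eq $info.HyperVRequirementVirtualizationFirmwareEnabled -or
                                       $info.HyperVRequirementVirtualizationFirmwareEnabled)
        'Supported edition'         = ($info.WindowsProductName -match 'Enterprise|Pro|Education')
        'Windows 10 1709 or later'  = ([int]$info.OsBuildNumber -ge 16299)
        'VBS running'               = ($dg.VirtualizationBasedSecurityStatus -eq 2)
    }

    foreach ($k in $checks.Keys) {
        '{0,-36} {1}' -f $k, $(if ($checks[$k]) { 'OK' } else { 'MISSING' })
    }
    # Return $true only if every prerequisite is met
    return -not ($checks.Values -contains $false)
}

function Enable-MdagFeature {
    # The optional feature name is the one DISM/Enable-WindowsOptionalFeature expects
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
    if ($feature.State -ne 'Enabled') {
        Enable-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard' -NoRestart
        Write-Warning 'Application Guard enabled; a restart is required before sessions can start.'
    }
}

function Set-MdagEnterpriseMode {
    param(
        [Parameter(Mandatory)] [string[]] $TrustedDomains,   # open in the host browser
        [string[]] $NeutralDomains = @()                     # e.g. identity providers used by both
    )
    # Assumption: value names as written by the "Turn on Microsoft Defender Application Guard
    # in Managed Mode" policy (AppHVSI.admx). ProviderSet: 0 = off, 1 = Edge, 2 = Office, 3 = both.
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI'
    New-Item -Path $policy -Force | Out-Null
    Set-ItemProperty -Path $policy -Name 'AllowAppHVSI_ProviderSet' -Value 1 -Type DWord
    # Hardening defaults: no persistent container data, no clipboard between host and container
    Set-ItemProperty -Path $policy -Name 'AllowPersistence'         -Value 0 -Type DWord
    Set-ItemProperty -Path $policy -Name 'AppHVSIClipboardSettings' -Value 0 -Type DWord

    # Assumption: Application Guard reads its trusted-site list from the network isolation policy.
    # EnterpriseCloudResources is '|'-separated, NeutralResources is ','-separated.
    $ni = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\NetworkIsolation'
    New-Item -Path $ni -Force | Out-Null
    Set-ItemProperty -Path $ni -Name 'EnterpriseCloudResources' -Value ($TrustedDomains -join '|') -Type String
    if ($NeutralDomains.Count -gt 0) {
        Set-ItemProperty -Path $ni -Name 'NeutralResources' -Value ($NeutralDomains -join ',') -Type String
    }
}

# Example run (constructed domains; replace with your own trusted resources)
if (Test-MdagPrerequisites) {
    Enable-MdagFeature
    Set-MdagEnterpriseMode -TrustedDomains 'contoso.com', 'contoso.sharepoint.com' `
                           -NeutralDomains 'login.microsoftonline.com'
} else {
    Write-Warning 'Prerequisites not met; Application Guard cannot be enabled on this device.'
}
```

Anything not matched by the trusted or neutral list opens in the container, so the trusted list should be as short as the business allows: every domain added to it is a domain whose content is rendered by the host browser again.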
Microsoft Defender Application Guard on Chrome and Firefox
While browsing the web, you have probably clicked a link and landed on a page that had nothing to do with the content you expected. With an advertising page, for example, it is easy to go back and continue browsing without harm. When the page carries a malicious program, on the other hand, the first reflex is to close it so as not to infect the host system.
To address links that redirect users to infected web pages, many browsers have built in warnings that alert users when they are about to visit a known-malicious page or download a program that may be infected.
Building on these tools, Microsoft has announced an extension for Chrome and Firefox to keep users from unintentionally opening malicious sites in the host browser. Microsoft explained that the Windows Defender Application Guard extension protects the device from advanced attacks by redirecting untrusted websites to an isolated instance of the Microsoft Edge browser. Using a hardware-based isolation approach, Application Guard opens untrusted websites inside a lightweight container, separated from the operating system by Hyper-V virtualization technology. If an untrusted website proves to be malicious, the damage remains inside Application Guard's container, protecting the device and your corporate data. The extension ensures that untrusted websites open in Application Guard's isolated environment, while trusted websites, as defined by your IT policy and enterprise administrator, continue to open in the browser where the extension is installed. If a website is untrusted, you can also use the extension to open it manually in an isolated Application Guard session.
Microsoft Defender Application Guard for Office
Threats on the Internet are broad, ranging from phishing attacks to malicious content. Other attack vectors, including files from potentially dangerous locations, may carry viruses, worms or other types of malware that can damage your computer and/or sensitive data. This is where Microsoft Defender Application Guard comes in as a second barrier against these attacks. Microsoft Office opens files from potentially dangerous locations in Microsoft Defender Application Guard, a container isolated from the device by hardware virtualization. When Microsoft Office opens a file in Microsoft Defender Application Guard, the user can read, edit, print and save it inside the container without having to re-open the file outside it.
Here are the prerequisites for Microsoft Defender Application Guard for Office:
Minimum Hardware Requirements:
- Processor: 64-bit, 4 cores (physical or virtual), virtualization extensions (Intel VT-x or AMD-V); Core i5 equivalent or better recommended
- Physical memory: 8 GB RAM
- Hard disk: 10 GB free space on the system drive (SSD recommended)
Minimum Software Requirements:
- Windows 10: Windows 10 Enterprise, client version 2004 (20H1), build 19041
- Office: Office Beta Channel build, version 2008 (16.0.13212) or later
- Update package: Windows 10 cumulative monthly security update KB4566782
Microsoft Defender Application Guard for Office includes additional settings you can configure. Supported Office applications are Excel for Microsoft 365, Word for Microsoft 365 and PowerPoint for Microsoft 365.
For example, you can configure whether the user is allowed to change the settings after opening the file, or grant no such privileges at all.
If your administrator has enabled Safe Documents, the file is checked by the Microsoft Defender Advanced Threat Protection service to determine whether it is malicious before it is allowed to open outside of Microsoft Defender Application Guard.
Office automatically uses Microsoft Defender Application Guard to isolate untrusted documents under the following conditions:
- Microsoft Defender Application Guard is enabled in Windows, either by an administrator through a policy deployment or by the user.
- The user is running Microsoft 365 Apps for enterprise.
- The user signed in to Office holds a license for Microsoft Defender Application Guard. Microsoft Defender Application Guard for Office requires a Microsoft 365 E5 or Microsoft 365 E5 Security license.
If any of these conditions is not met, Office falls back to Protected View to isolate untrusted documents.
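The following PowerShell check is an added example, not code from the article or from Microsoft; it tests the Office-specific prerequisites listed above (Windows 10 2004 with KB4566782, an Office Click-to-Run build of 16.0.13212 or later, Microsoft 365 Apps for enterprise, and Application Guard enabled for Office) so you can tell in advance whether a document will open in Application Guard or fall back to Protected View. The Click-to-Run registry values VersionToReport and ProductReleaseIds, the O365ProPlusRetail product identifier, and the AppHVSI policy value are assumptions about where Office and the policy template record this information; the licensing condition cannot be verified locally and is noted as such.

```powershell
# Added example (not part of the article): test the Office Application Guard conditions on one device.
# Run elevated: Get-WindowsOptionalFeature needs administrator rights.

function Test-MdagOfficePrerequisites {
    $checks = [ordered]@{}

    # Windows 10 version 2004 (build 19041) with KB4566782, which is OS build 19041.450.
    # Checking the UBR rather than Get-HotFix survives supersession by later cumulative updates.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR
    $checks['Windows 10 2004 with KB4566782 (19041.450) or later'] =
        ($build -gt 19041) -or ($build -eq 19041 -and $ubr -ge 450)

    # Office Click-to-Run build and product (assumption: ClickToRun\Configuration values)
    $c2r = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    $officeVersion = if ($c2r -and $c2r.VersionToReport) { [version]$c2r.VersionToReport } else { [version]'0.0' }
    $checks['Office build 16.0.13212 or later']  = ($officeVersion -ge [version]'16.0.13212')
    $checks['Microsoft 365 Apps for enterprise'] = ([string]$c2r.ProductReleaseIds -match 'O365ProPlusRetail')

    # Application Guard feature enabled in Windows
    $feature = Get-WindowsOptionalFeature -Online -FeatureName 'Windows-Defender-ApplicationGuard'
    $checks['Application Guard feature enabled'] = ($feature.State -eq 'Enabled')

    # Managed-mode policy must include Office: ProviderSet bit 2 (2 = Office, 3 = Edge and Office).
    # Assumption: value name as written by the AppHVSI policy template.
    $pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\AppHVSI' -ErrorAction SilentlyContinue
    $providerSet = if ($pol -and $null -ne $pol.AllowAppHVSI_ProviderSet) { [int]$pol.AllowAppHVSI_ProviderSet } else { 0 }
    $checks['Policy allows Application Guard for Office'] = (($providerSet -band 2) -ne 0)

    foreach ($k in $checks.Keys) {
        '{0,-52} {1}' -f $k, $(if ($checks[$k]) { 'OK' } else { 'MISSING' })
    }
    # The Microsoft 365 E5 / E5 Security license is checked by Office against the signed-in user's
    # tenant at runtime and cannot be verified from the local machine.
    Write-Output 'License (M365 E5 / E5 Security): verify in the Microsoft 365 admin center for the signed-in user'

    return -not ($checks.Values -contains $false)
}

if (Test-MdagOfficePrerequisites) {
    'Untrusted documents will open in Application Guard.'
} else {
    'One or more conditions are missing; Office will fall back to Protected View.'
}
```

Protected View is a sandbox within the Office process on the host, not a separate kernel, so a fallback to it is a weaker isolation boundary than the Hyper-V container; that is why the check reports each missing condition rather than a single pass/fail.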
John Barbare says:
"My interest in Microsoft Defender Application Guard came from the demo and then deployment to several large customers last year due to a great deal of interest from attackers developing new techniques to break down large-scale networks and compromise workstations. As phishing schemes remain one of the best ways to trick users into social engineering attacks, Microsoft Defender Application Guard is designed to proactively prevent several types of attacks. When Microsoft extended Microsoft Defender Application Guard to Office, it further reduced the overall attack surface while increasing employee productivity.