Files from the internet and other potentially unsafe locations can contain viruses, worms, or other kinds of malware that can harm your computer and data. To help protect you, Office opens files from potentially unsafe locations in Application Guard, a secure container that's isolated from the device through hardware-based virtualization. When Office opens files in Application Guard, you can securely read, edit, print, and save those files without having to re-open files outside the container.
If you believe the file is safe, you can choose to open the file outside Application Guard. If your administrator has enabled Safe Documents, the file will be verified against the Microsoft Defender Advanced Threat Protection (MDATP) service to determine if it's malicious before it's opened outside Application Guard.
How do I enable Application Guard?
Application Guard is currently in limited preview, and we're expanding the preview to include more customers. If you're interested in participating, please complete this form. Thank you for volunteering to participate in the preview, and we apologize if we can't enroll everyone at this time.
When will Office use Application Guard to open files?
Office will automatically use Application Guard to isolate untrusted documents under the following conditions:
Application Guard is enabled in Windows. This can be enabled by either an administrator deploying policy or the user.
The user is using an Office 365 ProPlus client.
The user signed in to Office is licensed for Application Guard. Application Guard for Office will require either a Microsoft 365 E5 or Microsoft 365 E5 Security license.
If any of these conditions is not met, Office will use Protected View to isolate untrusted documents.
When will a file open in Application Guard?
Files that currently open in Protected View will open in Application Guard. These include:
Files originating from the internet: This refers to files that are downloaded from domains that aren't part of either the local intranet or a Trusted Sites domain on your device.
Files that are located in potentially unsafe locations: This refers to folders on your computer or network that are considered unsafe, such as the Temporary Internet folder or other folders assigned by your administrator.
Outlook attachments: Attachments in email can come from unreliable or unknown sources, such as someone outside your organization. Sometimes malicious attachments can appear to come from trusted senders or compromised accounts of trusted senders. Always confirm with the sender if you receive an unexpected or suspicious attachment via email.
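The two checks described above (is the file untrusted, and are all three Application Guard conditions met) can be combined into one triage routine. This is an added example, not Microsoft's code: it assumes the file's origin is read from the Zone.Identifier stream that Windows attaches to downloaded files, which this page does not mention, and the names zone_of, Host and viewer_for are hypothetical.

```python
from dataclasses import dataclass

# Constructed sample Zone.Identifier contents (not taken from any real file).
SAMPLE_INTERNET = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                   "HostUrl=https://downloads.example.test/report.docx\r\n")
SAMPLE_INTRANET = "[ZoneTransfer]\r\nZoneId=1\r\n"

def zone_of(stream_text):
    """Return the integer ZoneId from Zone.Identifier text, or None if absent or malformed."""
    in_section = False
    for raw in stream_text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value.strip())
                except ValueError:
                    return None
    return None

@dataclass
class Host:
    app_guard_enabled: bool   # Application Guard is enabled in Windows
    proplus_client: bool      # user runs an Office 365 ProPlus client
    licensed: bool            # signed-in user has Microsoft 365 E5 or E5 Security

def viewer_for(stream_text, host, outlook_attachment=False, unsafe_location=False):
    """Return 'Application Guard', 'Protected View' or 'not isolated' for one file."""
    zone = zone_of(stream_text) if stream_text else None
    # Assumption: zones 3 (Internet) and 4 (Restricted sites) count as "from the internet";
    # 1 (Local intranet) and 2 (Trusted sites) do not, matching the page's wording.
    untrusted = outlook_attachment or unsafe_location or zone in (3, 4)
    if not untrusted:
        return "not isolated"
    if host.app_guard_enabled and host.proplus_client and host.licensed:
        return "Application Guard"
    return "Protected View"

if __name__ == "__main__":
    full = Host(True, True, True)
    print(viewer_for(SAMPLE_INTERNET, full))
    print(viewer_for(SAMPLE_INTERNET, Host(True, True, False)))
    print(viewer_for(SAMPLE_INTRANET, full))
```

On a Windows host the stream text can be read by opening the path with ":Zone.Identifier" appended; a file with no such stream should be passed as None.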
How is Application Guard different from Protected View?
Application Guard provides both enhanced security and enhanced productivity for users.
Application Guard is a virtualization-based sandbox that's used to isolate untrusted documents you may encounter. It brings the same technology that powers Azure to your desktop.
Untrusted documents are opened in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if a document is malicious, the host PC is protected and the attacker can't access your enterprise data. For example, the isolated container is anonymous, so an attacker can't access an employee's enterprise credentials.
In addition to being able to read documents within the secure container, you can now use features like printing, commenting and review, light editing, and saving, while keeping an untrusted document within the Application Guard container.
When you encounter documents from untrusted sources that aren't malicious, you can continue to be productive without worrying about putting your device at risk.
If you do encounter a document that's malicious, it's safely isolated within Application Guard, keeping the rest of your system safe.