Files from the internet and other potentially unsafe locations can contain viruses, worms, or other kinds of malware that can harm your computer and data. To help protect you, Office opens files from potentially unsafe locations in Application Guard, a secure container that's isolated from the rest of your data through hardware-based virtualization. Unlike Protected View, when Office opens files in Application Guard, you can securely read, edit, print, and save those files without having to re-open files outside the container.
If you're confident the file is safe, and you need to do something that is blocked by Application Guard, you can choose to remove protection from that file.
Note: If your administrator has enabled Safe Documents, the file will be verified against the Microsoft Defender Advanced Threat Protection service to determine if it's malicious before it's opened outside Application Guard.
Protected View is a read-only mode where most editing functions are disabled. Files from potentially unsafe locations are opened as read-only or in Protected View. By using Protected View, you can read a file and see its contents and enable editing while reducing the risks.
Application Guard is a restricted mode that allows you to perform limited editing and printing of untrusted documents while minimizing the risk to your computer. Office opens files from potentially unsafe locations in Application Guard, a secure container that's isolated from the device through hardware-based virtualization. When Office opens files in Application Guard, you can securely read, edit, print, and save those files without having to re-open files outside the container.
Compared to Protected View, Application Guard provides both enhanced security and enhanced productivity for users.
Application Guard is a virtualization-based sandbox that's used to isolate untrusted documents you may encounter. It brings the same technology that powers Azure to your desktop.
Untrusted documents are opened in an isolated Hyper-V-enabled container, which is separate from the host operating system. This container isolation means that if a document is malicious, the host PC is protected and the attacker can't access your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't access your employee's enterprise credentials.
In addition to being able to read documents within the secure container, you can now use features like printing, commenting and review, light editing, and saving, while keeping an untrusted document within the Application Guard container.
When you encounter documents from untrusted sources that aren't malicious, you can continue to be productive without worrying about putting your device at risk.
If you do encounter a document that's malicious, it's safely isolated within Application Guard, keeping the rest of your system safe.
How do I enable Application Guard for Office?
Application Guard is currently in public preview and is available to participating organizations who have Microsoft 365 E5 or Microsoft 365 E5 Mobility + Security licenses. Users in those organizations must be using Microsoft 365 apps for enterprise on the Beta Channel.
When will a file open in Application Guard?
Files that currently open in Protected View will open in Application Guard if Application Guard is enabled. These include:
Files originating from the internet: This refers to files that are downloaded from domains that aren't part of either the local intranet or a Trusted Sites domain on your device, files that were received as email attachments from senders outside your organization, files that were received from other kinds of internet messaging or sharing services, or files opened from a OneDrive or SharePoint location outside your organization.
Files that are located in potentially unsafe locations: This refers to folders on your computer or network that are considered unsafe, such as the Temporary Internet folder or other folders assigned by your administrator.
Note: Files opened from a network location, including your organization's OneDrive, open Read-Only in Application Guard. You can save a copy of such files to continue working with them, or if you trust the source of the file you can opt to remove protection as described below.
Files that are blocked by File Block: File Block prevents outdated file types from opening and causes your file to open in Protected View and disables the Save and Open features. Learn more about File Block.
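For downloaded files, Windows records the security zone of the source in an NTFS alternate data stream named Zone.Identifier, a mechanism this page does not describe. The following is an added example, not Microsoft's code, that lists which Office files in a folder carry an Internet or Restricted sites zone tag; the function name Get-FileZone and the Downloads path are assumptions chosen for illustration.

```powershell
# Added example: report the recorded source zone for Office files in a folder.
# Zone numbers are the standard Windows URL security zones.
$ZoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-FileZone {   # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        # The stream is absent on files created locally or stored on
        # volumes that do not support alternate data streams.
        $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' `
                             -ErrorAction SilentlyContinue
        $zoneId = $null
        foreach ($line in $lines) {
            if ($line -match '^\s*ZoneId\s*=\s*(\d+)\s*$') {
                $zoneId = [int]$Matches[1]
                break
            }
        }
        [pscustomobject]@{
            Path                 = $Path
            ZoneId               = $zoneId
            Zone                 = if ($null -eq $zoneId) { 'No zone recorded' }
                                   else { $ZoneNames[$zoneId] }
            # True for zone 3 (Internet) and zone 4 (Restricted sites).
            InternetOrRestricted = ($null -ne $zoneId -and $zoneId -ge 3)
        }
    }
}

# Assumed location: the current user's Downloads folder.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -File -Recurse `
              -Include *.docx, *.xlsx, *.pptx, *.csv |
    Get-FileZone |
    Format-Table -AutoSize
```

Email attachments and files opened from OneDrive or SharePoint locations outside your organization are classified by other means, so a missing zone tag does not by itself mean a file will open outside Application Guard.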
How do I remove, or restore, protection from a file?
Caution: Only do this if you're very confident that the file, and its source, is trustworthy.
If you want to take actions that are not allowed by Application Guard you can remove the Application Guard protection from a file. Once you remove the protection, the file becomes a trusted document.
To remove Application Guard protection go to File > Info and select Remove protection.
If you're unable to, then it's likely that your organization has policies deployed that prevent removing Application Guard protection from a file.
To restore protection
Go to File > Options > Trust Center > Trust Center Settings > Trusted Documents and select Clear all Trusted Documents so that they are no longer trusted.
Note that this will restore protection to ALL documents you've removed it from on this device.
How do I change my Application Guard settings?
Important: We recommend speaking with your IT administrator before making changes to Application Guard's settings.
Go to File > Options.
Select Trust Center > Trust Center Settings > Application Guard.
Make your selections, then select OK to save your changes and exit Trust Center Settings.
Application Guard Settings
Enable Application Guard for files originating from the Internet - The internet is considered an unsafe location because it's the most common source for malicious files.
Enable Application Guard for files that are in potentially unsafe locations - This refers to folders on your computer or network that are considered unsafe, such as the Temporary Internet folder or other folders selected by your IT administrator.
Enable Application Guard for Outlook attachments - Attachments in email are another common source of malicious files.
Excel has two additional settings:
Always open untrusted Text-Based files (.csv, .dif and .sylk) in Application Guard - If enabled, text-based files opened from an untrusted location are always opened in Application Guard. If you disable, or don’t configure, this policy setting, text-based files opened from an untrusted location are opened normally.
Always open untrusted Database files (.dbf) in Application Guard - If enabled, database files opened from an untrusted location are always opened in Application Guard. If you disable, or don’t configure, this setting, database files opened from an untrusted location are opened normally.
All these settings can also be configured by an administrator via Group Policy or the Office cloud policy service.
What kind of things am I not able to do in Application Guard?
For your security, certain capabilities are not available to Office applications while running in Application Guard. These include:
Access to the user’s identity.
Access to arbitrary locations on your file system.
Access to network locations that are classified as within the enterprise security boundary (e.g. company Intranet or domains classified as “Enterprise”) per Network isolation policies.
Features in Office that may have a dependency on these capabilities are unavailable. Some examples include sharing a file, capturing a screenshot, inserting a picture from a location in the file system, and adding a connection to a data source.
What about Add-Ins and Macros?
In addition to the built-in functions that are disabled, everything that extends the capabilities of Office, including COM, VSTO, Web Add-ins and Macros, is disabled in Application Guard.
Can I use Application Guard with a screen reader?
Files opened in Application Guard are accessible via accessibility tools that use the Microsoft UI Automation (UIA) framework, such as Microsoft Narrator.