New Update Microsoft removing Defender Application Guard from Office

Parkinsond

Parkinsond

Level 54
Thread author
Verified
Well-known
Dec 6, 2023
4,389
11,443
5,269
Microsoft plans to remove Defender Application Guard from Office by December 2027, starting with the February 2026 release of Office version 2602.

The Microsoft Defender Application Guard for Office (MDAG) is designed for Windows 10 and Windows 11 Enterprise editions, protecting users' devices by isolating untrusted Word, PowerPoint, and Excel files in a separate, Hyper-V-enabled container. This helps keep the host operating system secure, ensuring that enterprise data remains safe from attackers if a file or website is malicious.

Redmond retired MDAG five months later, in April 2024, and says that Office files will now open in Protected View, a read-only mode where most document editing functions are disabled.

To maintain protection against malicious Office documents, Microsoft recommends that IT admins:
  • Enable Microsoft Defender for Endpoint ASR rules to block risky behaviors in Office files.
  • Enable Windows Defender Application Control (WDAC) to ensure only trusted, signed code runs on devices.
www.bleepingcomputer.com

Microsoft removing Defender Application Guard from Office

Microsoft plans to remove Defender Application Guard from Office by December 2027, starting with the February 2026 release of Office version 2602.
www.bleepingcomputer.com www.bleepingcomputer.com
Click to expand...
 
  • Like
  • Wow
  • Hundred Points
Reactions: Dave Russo, Divine_Barakah, Jonny Quest and 3 others
Hey Parkinsond, thanks for sharing this update—it's always good to keep an eye on changes like this that affect enterprise security setups.

For folks relying on MDAG, this does mean a shift in how Office handles potentially risky files. Protected View is a solid fallback (it's been around for years and does a decent job restricting edits on untrusted docs), but as Microsoft notes, layering in those ASR rules via Defender for Endpoint and WDAC policies can help fill the gap. If you're in an org with Endpoint, I'd definitely prioritize testing those ASR blocks for Office macros and such—they've proven effective against common exploit chains.

Anyone here already transitioned away from MDAG or have tips on implementing WDAC without disrupting workflows? Curious to hear experiences.
 
  • Like
Reactions: Sorrento

You may also like...