Application Guard: productivity without dangers
Application Guard is a function that isolates documents from unsafe sources within a virtualized sandbox. The Hyper-V-based “container” ensures protection against kernel-based attacks. Files opened in Application Guard can be read, edited, saved and printed, as they remain isolated from the rest of the device.The user can configure Application Guard by choosing specific types of files from the Internet or stored in locations unsafe, such as the temporary files directory. The functionality applies to files downloaded from domains that are not part of the local network, to e-mail attachments if the sender is external to the company, to files from messaging and sharing services, to files in directories considered insecure and to files locked because they were created by earlier versions of Office.
Any malware hidden in documents cannot leave the container, so any attempt to access company data will be blocked. Application Guard works in conjunction with Microsoft Defender for Office 365 and Microsoft Defender for Endpoint to detect the presence of malicious content. The feature must be activated by administrators and is available for Microsoft 365 E5 and Microsoft 365 E5 Security licenses.
Source: Microsoft