From 460376177868cd0dfb3242d34095181241819da4 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Fri, 6 Sep 2024 12:33:03 -0600 Subject: [PATCH 01/23] Windows Sandbox TOC change --- .../application-security/application-isolation/toc.yml | 7 +------ .../application-isolation/windows-sandbox/toc.yml | 7 +++++++ 2 files changed, 8 insertions(+), 6 deletions(-) create mode 100644 windows/security/application-security/application-isolation/windows-sandbox/toc.yml diff --git a/windows/security/application-security/application-isolation/toc.yml b/windows/security/application-security/application-isolation/toc.yml index c8ed9511350..dab01100501 100644 --- a/windows/security/application-security/application-isolation/toc.yml +++ b/windows/security/application-security/application-isolation/toc.yml @@ -12,9 +12,4 @@ items: - name: App containers 🔗 href: /virtualization/windowscontainers/about - name: Windows Sandbox - href: windows-sandbox/windows-sandbox-overview.md - items: - - name: Windows Sandbox architecture - href: windows-sandbox/windows-sandbox-architecture.md - - name: Windows Sandbox configuration - href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md + href: windows-sandbox/toc.yml \ No newline at end of file diff --git a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml new file mode 100644 index 00000000000..c1ab7907d32 --- /dev/null +++ b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml @@ -0,0 +1,7 @@ +items: + - name: Overview + href: windows-sandbox-overview.md + - name: Windows Sandbox architecture + href: windows-sandbox-architecture.md + - name: Windows Sandbox configuration + href: windows-sandbox-configure-using-wsb-file.md From 5e324a0b1918fcf8a9218db9d4305d6f511f882c Mon Sep 17 00:00:00 2001 
From: "Vinay Pamnani (from Dev Box)" Date: Mon, 9 Sep 2024 10:40:48 -0600 Subject: [PATCH 02/23] TOC draft --- .../windows-sandbox/toc.yml | 23 +++++++++++++--- .../windows-sandbox/windows-sandbox-faq.yml | 26 +++++++++++++++++++ .../windows-sandbox-install.md | 6 +++++ .../windows-sandbox-overview.md | 2 +- .../windows-sandbox-troubleshoot.md | 6 +++++ .../windows-sandbox/windows-sandbox-use.md | 6 +++++ .../windows-sandbox-versions.md | 6 +++++ 7 files changed, 70 insertions(+), 5 deletions(-) create mode 100644 windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml create mode 100644 windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md create mode 100644 windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md create mode 100644 windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-use.md create mode 100644 windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md diff --git a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml index c1ab7907d32..6aeb54f60e6 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml +++ b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml 
@@ -1,7 +1,22 @@ items: - name: Overview href: windows-sandbox-overview.md - - name: Windows Sandbox architecture - href: windows-sandbox-architecture.md - - name: Windows Sandbox configuration - href: windows-sandbox-configure-using-wsb-file.md + items: + - name: Compare versions + href: windows-sandbox-versions.md + - name: Architecture + href: windows-sandbox-architecture.md + - name: Install Windows Sandbox + href: windows-sandbox-install.md + - name: Use Windows Sandbox + href: windows-sandbox-use.md + - name: Tutorials + items: + - name: Configuration file + href: windows-sandbox-configure-using-wsb-file.md + - name: WindowsSandbox Policy CSP + href: /windows/client-management/mdm/policy-csp-windowssandbox.md + - name: Frequently asked questions + href: windows-sandbox-faq.yml + - name: Troubleshooting + href: windows-sandbox-troubleshoot.md \ No newline at end of file diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml new file mode 100644 index 00000000000..29eb6248369 --- /dev/null +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml 
@@ -0,0 +1,26 @@ +### YamlMime:FAQ +metadata: + title: Windows Sandbox frequently asked questions (FAQ) + description: Use these frequently asked questions (FAQ) to learn important details about Windows Sandbox. + author: vinaypamnani-msft + ms.author: vinpa + ms.topic: faq + ms.date: 09/09/2024 + +title: Common questions about Windows Sandbox +summary: Windows Sandbox (WSB) provides a lightweight desktop environment to safely run applications in isolation. This feature provides a safe and secure space for testing and debugging apps, exploring unknown files, or experimenting with tools since software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. + +sections: + + - name: Concepts + questions: + - question: Who can use WSB? + answer: | + WSB can be used by anyone without any technical skills in various scenarios where users need a secure, clean environment for testing or running potentially harmful software. Here are some ways in which you can leverage WSB: + + - *Clean environment for software testing*: Test or debug your applications in WSB's clean environment to identify and resolve bugs or compatibility issues. + - *Secure web browsing*: Use WSB for secure web browsing, especially when accessing unfamiliar or potentially dangerous websites without putting your system at risk of malware infection. + - *Running Untrusted Applications*: Mitigate security risks by running untrusted applications or files, such as email attachments in WSB. + - *Test software features risk-free*: Easily test out software without the need for installing or uninstalling on your host machine. 
+ - *Maintaining multiple dev environments*: Streamline your development process by utilizing WSB to maintain multiple sandboxes for different development environments + - *Privacy Protection*: Users concerned about online privacy can use Windows Sandbox for activities like social media browsing or online shopping to prevent tracking cookies and other privacy-invading techniques. diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md new file mode 100644 index 00000000000..8ffb4f952e6 --- /dev/null +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md @@ -0,0 +1,6 @@ +--- +title: Install Windows Sandbox +description: Install Windows Sandbox +ms.topic: how-to +ms.date: 09/09/2024 +--- \ No newline at end of file diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md index 8d8f873a384..d634acd3e5d 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md @@ -2,7 +2,7 @@ title: Windows Sandbox description: Windows Sandbox overview ms.topic: conceptual -ms.date: 03/26/2024 +ms.date: 09/09/2024 --- # Windows Sandbox diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md new file mode 100644 index 00000000000..52f21ae2c20 --- /dev/null +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md 
@@ -0,0 +1,6 @@ +--- +title: Troubleshoot Windows Sandbox +description: Troubleshoot Windows Sandbox +ms.topic: troubleshooting +ms.date: 09/09/2024 +--- \ No newline at end of file diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-use.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-use.md new file mode 100644 index 00000000000..4ba08383b4c --- /dev/null +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-use.md @@ -0,0 +1,6 @@ +--- +title: Use Windows Sandbox +description: Use Windows Sandbox +ms.topic: how-to +ms.date: 09/09/2024 +--- \ No newline at end of file diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md new file mode 100644 index 00000000000..86b6cfc0650 --- /dev/null +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md @@ -0,0 +1,6 @@ +--- +title: Windows Sandbox versions +description: Windows Sandbox versions +ms.topic: conceptual +ms.date: 09/09/2024 +--- \ No newline at end of file From b3e6e1202c6a8fe676a11c9e01ab73d7e882eee5 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Mon, 9 Sep 2024 10:46:58 -0600 Subject: [PATCH 03/23] More changes --- .../application-isolation/toc.yml | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/windows/security/application-security/application-isolation/toc.yml b/windows/security/application-security/application-isolation/toc.yml index dab01100501..db3200f4a31 100644 --- a/windows/security/application-security/application-isolation/toc.yml +++ b/windows/security/application-security/application-isolation/toc.yml 
@@ -1,14 +1,15 @@ items: - name: Microsoft Defender Application Guard (MDAG) href: microsoft-defender-application-guard/md-app-guard-overview.md -- name: MDAG for Edge standalone mode - href: microsoft-defender-application-guard/md-app-guard-overview.md -- name: MDAG for Edge enterprise mode and enterprise management 🔗 - href: /deployedge/microsoft-edge-security-windows-defender-application-guard -- name: MDAG for Microsoft Office - href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46 -- name: MDAG configure via MDM 🔗 - href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp + items: + - name: MDAG for Microsoft Edge standalone mode + href: microsoft-defender-application-guard/md-app-guard-overview.md + - name: MDAG for Microsoft Edge enterprise mode and enterprise management 🔗 + href: /deployedge/microsoft-edge-security-windows-defender-application-guard + - name: MDAG for Microsoft Office + href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46 + - name: Configure MDAG via MDM 🔗 + href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp - name: App containers 🔗 href: /virtualization/windowscontainers/about - name: Windows Sandbox From 65c37f071ec3522c95f040c7a98065347e359ce3 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Mon, 9 Sep 2024 10:48:29 -0600 Subject: [PATCH 04/23] Fix warnings --- .../windows-sandbox/windows-sandbox-install.md | 4 +++- .../windows-sandbox/windows-sandbox-troubleshoot.md | 4 +++- .../windows-sandbox/windows-sandbox-use.md | 4 +++- .../windows-sandbox/windows-sandbox-versions.md | 4 +++- 4 files changed, 12 insertions(+), 4 deletions(-) 
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md index 8ffb4f952e6..9348c762d73 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md @@ -3,4 +3,6 @@ title: Install Windows Sandbox description: Install Windows Sandbox ms.topic: how-to ms.date: 09/09/2024 ---- \ No newline at end of file +--- + +# Install Windows Sandbox diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md index 52f21ae2c20..90722f57224 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md @@ -3,4 +3,6 @@ title: Troubleshoot Windows Sandbox description: Troubleshoot Windows Sandbox ms.topic: troubleshooting ms.date: 09/09/2024 ---- \ No newline at end of file +--- + +# Troubleshoot Windows Sandbox diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-use.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-use.md index 4ba08383b4c..4a3a48313ea 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-use.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-use.md 
@@ -3,4 +3,6 @@ title: Use Windows Sandbox description: Use Windows Sandbox ms.topic: how-to ms.date: 09/09/2024 ---- \ No newline at end of file +--- + +# Use Windows Sandbox diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md index 86b6cfc0650..7a957abe53f 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md @@ -3,4 +3,6 @@ title: Windows Sandbox versions description: Windows Sandbox versions ms.topic: conceptual ms.date: 09/09/2024 ---- \ No newline at end of file +--- + +# Windows Sandbox versions From 67d0c455dac18fc45f5fe3b8604a4ee6aabed1b0 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Mon, 9 Sep 2024 11:03:32 -0600 Subject: [PATCH 05/23] chore: Update Windows Sandbox TOC to include sample configuration files --- .../windows-sandbox/toc.yml | 11 ++--- .../windows-sandbox-install.md | 44 +++++++++++++++++++ .../windows-sandbox-overview.md | 43 +----------------- .../windows-sandbox-sample-configuration.md | 8 ++++ .../windows-sandbox/windows-sandbox-use.md | 8 ---- 5 files changed, 59 insertions(+), 55 deletions(-) create mode 100644 windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md delete mode 100644 windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-use.md diff --git a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml index 6aeb54f60e6..7509425be9e 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml 
+++ b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml @@ -1,6 +1,7 @@ items: - - name: Overview + - name: What is Windows Sandbox? href: windows-sandbox-overview.md + expanded: true items: - name: Compare versions href: windows-sandbox-versions.md @@ -9,13 +10,13 @@ items: - name: Install Windows Sandbox href: windows-sandbox-install.md - name: Use Windows Sandbox - href: windows-sandbox-use.md + href: windows-sandbox-configure-using-wsb-file.md - name: Tutorials items: - - name: Configuration file - href: windows-sandbox-configure-using-wsb-file.md + - name: Sample configuration files + href: windows-sandbox-sample-configuration.md - name: WindowsSandbox Policy CSP - href: /windows/client-management/mdm/policy-csp-windowssandbox.md + href: /windows/client-management/mdm/policy-csp-windowssandbox - name: Frequently asked questions href: windows-sandbox-faq.yml - name: Troubleshooting diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md index 9348c762d73..b57e6ef35b5 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md 
@@ -6,3 +6,47 @@ ms.date: 09/09/2024 --- # Install Windows Sandbox + +## Prerequisites + +- ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture +- Virtualization capabilities enabled in BIOS +- At least 4 GB of RAM (8 GB recommended) +- At least 1 GB of free disk space (SSD recommended) +- At least two CPU cores (four cores with hyper-threading recommended) + +> [!NOTE] +> Windows Sandbox is currently not supported on Windows Home edition. +> Beginning in Windows 11, version 24H2, all inbox store apps like calculator, photos, notepad and terminal are not available inside Windows Sandbox. Ability to use these apps will be added soon. + +## Installation + +1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or Windows 11. + +2. Enable virtualization on the machine. + + - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS. + - If you're using a virtual machine, you need to enable nested virtualization. If needed, also update the VM to support nested virtualization. Run the following PowerShell commands on the host: + + ```powershell + Set-VMProcessor -VMName -ExposeVirtualizationExtensions $true + Update-VMVersion -VMName + ``` + +3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted. + + If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2. + + > [!NOTE] + > To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command: + > + > ```powershell + > Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online + > ``` + +4. 
Locate and select **Windows Sandbox** on the Start menu to run it for the first time. + + > [!NOTE] + > Beginning in Windows 11, version 24H2, Windows Sandbox adheres to the mouse settings of the host system. + > + > If you are on an older build and if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-configure-using-wsb-file.md#example-3). \ No newline at end of file diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md index d634acd3e5d..858efad675a 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md 
@@ -22,51 +22,10 @@ Windows Sandbox has the following properties: - **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU. > [!IMPORTANT] -> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking). +> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](windows-sandbox-configure-using-wsb-file.md#networking). [!INCLUDE [windows-sandbox](../../../../../includes/licensing/windows-sandbox.md)] -## Prerequisites - -- ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture -- Virtualization capabilities enabled in BIOS -- At least 4 GB of RAM (8 GB recommended) -- At least 1 GB of free disk space (SSD recommended) -- At least two CPU cores (four cores with hyper-threading recommended) - -> [!NOTE] -> Windows Sandbox is currently not supported on Windows Home edition. -> Beginning in Windows 11, version 24H2, all inbox store apps like calculator, photos, notepad and terminal are not available inside Windows Sandbox. Ability to use these apps will be added soon. -## Installation - -1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or Windows 11. - -2. Enable virtualization on the machine. - - - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS. - - If you're using a virtual machine, you need to enable nested virtualization. If needed, also update the VM to support nested virtualization. Run the following PowerShell commands on the host: - - ```powershell - Set-VMProcessor -VMName -ExposeVirtualizationExtensions $true - Update-VMVersion -VMName - ``` - -3. Use the search bar on the task bar and type **Turn Windows Features on or off** to access the Windows Optional Features tool. 
Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted. - - If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this analysis is incorrect, review the prerequisite list and steps 1 and 2. - - > [!NOTE] - > To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command: - > - > ```powershell - > Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online - > ``` - -4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time. - - > [!NOTE] - > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-configure-using-wsb-file.md#example-3). - ## Usage 1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window. diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md new file mode 100644 index 00000000000..079dc91f7f1 --- /dev/null +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md @@ -0,0 +1,8 @@ +--- +title: Windows Sandbox sample configuration files +description: Windows Sandbox sample configuration files +ms.topic: how-to +ms.date: 09/09/2024 +--- + +# Windows Sandbox sample configuration files 
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-use.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-use.md deleted file mode 100644 index 4a3a48313ea..00000000000 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-use.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -title: Use Windows Sandbox -description: Use Windows Sandbox -ms.topic: how-to -ms.date: 09/09/2024 ---- - -# Use Windows Sandbox From 633ac1f6e3bc0808c7793afccc70425706b61b5c Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Mon, 9 Sep 2024 16:09:00 -0600 Subject: [PATCH 06/23] chore: Update Windows Sandbox TOC and sample configuration files --- .../windows-sandbox/toc.yml | 7 +- .../windows-sandbox-architecture.md | 12 +- ...indows-sandbox-configure-using-wsb-file.md | 236 ++++++------------ .../windows-sandbox/windows-sandbox-faq.yml | 49 ++++ .../windows-sandbox-install.md | 15 +- .../windows-sandbox-overview.md | 31 ++- .../windows-sandbox-sample-configuration.md | 104 ++++++++ .../windows-sandbox-troubleshoot.md | 1 + 8 files changed, 276 insertions(+), 179 deletions(-) diff --git a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml index 7509425be9e..dc3bd5efd08 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml +++ b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml 
@@ -1,15 +1,16 @@ items: - - name: What is Windows Sandbox? - href: windows-sandbox-overview.md + - name: Overview expanded: true items: + - name: What is Windows Sandbox? + href: windows-sandbox-overview.md - name: Compare versions href: windows-sandbox-versions.md - name: Architecture href: windows-sandbox-architecture.md - name: Install Windows Sandbox href: windows-sandbox-install.md - - name: Use Windows Sandbox + - name: Use & configure Windows Sandbox href: windows-sandbox-configure-using-wsb-file.md - name: Tutorials items: diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md index 0da205053ae..fcb9b56ddcd 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md @@ -2,7 +2,7 @@ title: Windows Sandbox architecture description: Windows Sandbox architecture ms.topic: conceptual -ms.date: 03/26/2024 +ms.date: 09/09/2024 --- # Windows Sandbox architecture 
@@ -27,18 +27,10 @@ Traditional VMs apportion statically sized allocations of host memory. When reso ## Memory sharing -Because Windows Sandbox runs the same operating system image as the host, it's enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets. +Because Windows Sandbox runs the same operating system image as the host, it's enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when `ntdll.dll` is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets. ![A chart compares the memory footprint in Windows Sandbox versus a traditional VM.](images/3-memory-sharing.png) -## Integrated kernel scheduler - -With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses a new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles. - -![A chart compares the scheduling in Windows Sandbox versus a traditional VM.](images/4-integrated-kernal.png) - -Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. 
This preemption means that the most important work is prioritized, whether it's on the host or in the container. - ## WDDM GPU virtualization Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows. diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 29d6d96ecb4..df8539a64ce 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md 
@@ -1,11 +1,32 @@ --- -title: Windows Sandbox configuration -description: Windows Sandbox configuration +title: Use and configure Windows Sandbox +description: Use and configure Windows Sandbox ms.topic: how-to -ms.date: 03/26/2024 +ms.date: 09/09/2024 --- -# Windows Sandbox configuration +# Use and configure Windows Sandbox + +To launch a Windows Sandbox with default settings, simply Locate and select Windows Sandbox on the Start menu or search for 'Windows Sandbox'. This launches a basic Sandbox with 4GB memory with the following properties: + +- **vGPU (virtualized GPU)**: Enabled on non-ARM64 devices. +- **Networking**: Enabled. The sandbox uses the Hyper-V default switch. +- **Audio input**: Enabled. The sandbox shares the host's microphone input into the sandbox. +- **Video input**: Disabled. The sandbox doesn't share the host's video input into the sandbox. +- **Protected client**: Disabled. The sandbox doesn't have increased security settings on the Remote Desktop Protocol (RDP) session. +- **Printer redirection**: Disabled. The sandbox doesn't share printers with the host. +- **Clipboard redirection**: Enabled. The sandbox shares the host clipboard with the sandbox so that text and files can be pasted back and forth. + +> [!IMPORTANT] +> +> - Networking is enabled by default. This can expose untrusted applications to the internal network. To launch a Sandbox with networking disabled, use a custom .wsb file. +> - With Clipboard redirection automatically enabled, you can easily copy files from the host and paste them into the Windows Sandbox window. + +You have the freedom to open files, install applications from the web, and perform various other tasks that benefit from an isolated clean environment. + +When you're finished experimenting, close the sandbox. A dialog box will prompt you to confirm the deletion of all sandbox content. Select "Ok" to proceed. 
Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox. + +## Configure a custom Windows Sandbox Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or Windows 11. Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the `.wsb` file extension. @@ -25,7 +46,7 @@ A configuration file enables the user to control the following aspects of Window > [!NOTE] > The size of the sandbox window currently isn't configurable. -## Creating a configuration file +## Create a configuration file To create a configuration file: @@ -37,10 +58,8 @@ To create a configuration file: ``` -3. Add appropriate configuration text between the two lines. For details, see [examples](#examples). -4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, for example, `"My config file.wsb"`. - -## Using a configuration file +3. Add appropriate configuration text between the two lines. For details, see [examples](windows-sandbox-sample-configuration.md). +4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, for example, `"MyConfigFile.wsb"`. To use a configuration file, double-click it to start Windows Sandbox according to its settings. You can also invoke it via the command line as shown here: 
@@ -48,19 +67,21 @@ To use a configuration file, double-click it to start Windows Sandbox according C:\Temp> MyConfigFile.wsb ``` -## Keywords, values, and limits +## Configuration options ### vGPU Enables or disables GPU sharing. -`value` +```xml +value +``` Supported values: -- *Enable*: Enables vGPU support in the sandbox. -- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox uses software rendering, which might be slower than virtualized GPU. -- *Default* This value is the default value for vGPU support. Currently, this default value denotes that vGPU is enabled. +- **Enable**: Enables vGPU support in the sandbox. +- **Disable**: Disables vGPU support in the sandbox. If this value is set, the sandbox uses software rendering, which might be slower than virtualized GPU. +- **Default**: This value is the default value for vGPU support. Currently, this default value denotes that vGPU is enabled. > [!NOTE] > Enabling virtualized GPU can potentially increase the attack surface of the sandbox. 
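Review bot: The **Default** bullet for vGPU still says the default "denotes that vGPU is enabled", while the defaults list added at the top of this page says vGPU is "Enabled on non-ARM64 devices". State the ARM64 exception here too, so the reference section and the intro agree on when the attack-surface note applies.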
@@ -69,20 +90,24 @@ Supported values: Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox. -`value` +```xml +value +``` Supported values: -- *Enable*: Enables networking in the sandbox. -- *Disable*: Disables networking in the sandbox. -- *Default*: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC. +- **Enable**: Enables networking in the sandbox. +- **Disable**: Disables networking in the sandbox. +- **Default**: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC. > [!NOTE] > Enabling networking can expose untrusted applications to the internal network. ### Mapped folders -An array of folders, each representing a location on the host machine that is shared with the sandbox at the specified path. At this time, relative paths aren't supported. If no path is specified, the folder is mapped to the container user's desktop. +An array of folders, each representing a location on the host machine that is shared with the sandbox at the specified path. Currently, relative paths aren't supported. + +When using `` to map folders, the folders are mapped prior to the execution of the [Logon command](#logon-command). ```xml 
@@ -97,12 +122,12 @@ An array of folders, each representing a location on the host machine that is sh ``` -- *HostFolder*: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container fails to start. -- *SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it is created. If no sandbox folder is specified, the folder is mapped to the container desktop. -- *ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*. +- **HostFolder**: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container fails to start. +- **SandboxFolder**: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it is created. If no sandbox folder is specified, the folder is mapped to the container desktop. +- **ReadOnly**: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*. > [!NOTE] -> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host. +> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host. Changes made during a Sandbox session to a mapped folder with write-permissions will persist after a Sandbox is disposed. ### Logon command 
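Review bot: The sentence added to the [!NOTE] ("Changes made during a Sandbox session to a mapped folder with write-permissions will persist after a Sandbox is disposed") does not say that this is the default case: the **ReadOnly** bullet above it states "Defaults to *false*". Suggest saying that mapped folders are writable unless ReadOnly is set to true, and recommending true when the folder is only used to bring files into the sandbox. Minor: "write-permissions" should be "write permissions", and the section alternates between "sandbox" and "container" for the same thing.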
@@ -114,22 +139,24 @@ Specifies a single command that will be invoked automatically after the sandbox ``` -*Command*: A path to an executable or script inside the container that will be executed after signing in. +**Command**: A path to an executable or script inside the container that will be executed after signing in. > [!NOTE] -> Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive. +> Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via ``. ### Audio input Enables or disables audio input to the sandbox. -`value` +```xml +value +``` Supported values: -- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox can receive audio input from the user. Applications that use a microphone may require this capability. -- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting. -- *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled. +- **Enable**: Enables audio input in the sandbox. If this value is set, the sandbox can receive audio input from the user. Applications that use a microphone may require this capability. +- **Disable**: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting. 
+- **Default**: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled. > [!NOTE] > There may be security implications of exposing host audio input to the container. 
@@ -138,30 +165,32 @@ Supported values: Enables or disables video input to the sandbox. -`value` +```xml +value +``` Supported values: -- *Enable*: Enables video input in the sandbox. -- *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox. -- *Default*: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox. +- **Enable**: Enables video input in the sandbox. +- **Disable**: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox. +- **Default**: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox. > [!NOTE] > There may be security implications of exposing host video input to the container. ### Protected client -When Protected Client mode is enabled, Sandbox adds a new layer of security boundary by running inside an [AppContainer Isolation](/windows/win32/secauthz/appcontainer-isolation) execution environment. - -AppContainer Isolation provides Credential, Device, File, Network, Process, and Window isolation. +When Protected Client mode is enabled, Sandbox adds a new layer of security boundary by running inside an [AppContainer Isolation](/windows/win32/secauthz/appcontainer-isolation) execution environment. AppContainer Isolation provides Credential, Device, File, Network, Process, and Window isolation. -`value` +```xml +value +``` Supported values: -- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the Sandbox runs in AppContainer Isolation. -- *Disable*: Runs the Sandbox in the standard mode without extra security mitigations. -- *Default*: This value is the default value for Protected Client mode. 
Currently, this default value denotes that the sandbox doesn't run in Protected Client mode. +- **Enable**: Runs Windows sandbox in Protected Client mode. If this value is set, the Sandbox runs in AppContainer Isolation. +- **Disable**: Runs the Sandbox in the standard mode without extra security mitigations. +- **Default**: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode. > [!NOTE] > This setting may restrict the user's ability to copy/paste files in and out of the sandbox. 
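Review bot: Protected client is described two ways on this page. This section says the sandbox runs inside an AppContainer Isolation execution environment, while the defaults list added at the top says it means "increased security settings on the Remote Desktop Protocol (RDP) session". Pick one description and use it in both places. Minor: the **Enable** bullet writes "Windows sandbox" in lower case where the product name is otherwise written Windows Sandbox.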
@@ -170,135 +199,36 @@ Supported values: Enables or disables printer sharing from the host into the sandbox. -`value` +```xml +value +``` Supported values: -- *Enable*: Enables sharing of host printers into the sandbox. -- *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host. -- *Default*: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled. +- **Enable**: Enables sharing of host printers into the sandbox. +- **Disable**: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host. +- **Default**: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled. ### Clipboard redirection Enables or disables sharing of the host clipboard with the sandbox. -`value` +```xml +value +``` Supported values: -- *Enable*: Enables sharing of the host clipboard with the sandbox. -- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox is restricted. -- *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*. +- **Enable**: Enables sharing of the host clipboard with the sandbox. +- **Disable**: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox is restricted. +- **Default**: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*. ### Memory in MB Specifies the amount of memory that the sandbox can use in megabytes (MB). -`value` - -If the memory value specified is insufficient to boot a sandbox, it is automatically increased to the required minimum amount. 
- -## Examples - -### Example 1 - -The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started. - -#### Downloads.wsb - -```xml - - Disable - Disable - - - C:\Users\Public\Downloads - C:\Users\WDAGUtilityAccount\Downloads - true - - - - explorer.exe C:\users\WDAGUtilityAccount\Downloads - - -``` - -### Example 2 - -The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup. - -Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which installs and runs Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code. - -With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it. - -#### VSCodeInstall.cmd - -Downloads VS Code to `downloads` folder and runs installation from `downloads` folder. - -```batch -REM Download Visual Studio Code -curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Downloads\vscode.exe - -REM Install and run Visual Studio Code -C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes -``` - -#### VSCode.wsb - ```xml - - - - C:\SandboxScripts - C:\Users\WDAGUtilityAccount\Downloads\sandbox - true - - - C:\CodingProjects - C:\Users\WDAGUtilityAccount\Documents\Projects - false - - - - C:\Users\WDAGUtilityAccount\Downloads\sandbox\VSCodeInstall.cmd - - -``` - -### Example 3 - -The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users. 
- -`C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file. - -#### SwapMouse.ps1 - -Create a PowerShell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`. - -```powershell -[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null - -$SwapButtons = Add-Type -MemberDefinition @' -[DllImport("user32.dll")] -public static extern bool SwapMouseButton(bool swap); -'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru - -$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped)) +value ``` -### SwapMouse.wsb - -```xml - - - - C:\sandbox - C:\sandbox - True - - - - powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1 - - -``` +If the memory value specified is insufficient to boot a sandbox, it is automatically increased to the required minimum amount. diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml index 29eb6248369..2f7a816a549 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml 
@@ -24,3 +24,52 @@ sections: - *Test software features risk-free*: Easily test out software without the need for installing or uninstalling on your host machine. - *Maintaining multiple dev environments*: Streamline your development process by utilizing WSB to maintain multiple sandboxes for different development environments - *Privacy Protection*: Users concerned about online privacy can use Windows Sandbox for activities like social media browsing or online shopping to prevent tracking cookies and other privacy-invading techniques. + + - question: What's the difference between a Hyper-V VM and Windows Sandbox? + answer: | + 1. **Lightweight and Temporary**: + - **Windows Sandbox**: It's a lightweight, disposable environment that runs within your existing Windows installation. You can quickly launch it, test applications, and discard it without affecting your main system. + - **Hyper-V VMs**: Hyper-V VMs are more heavyweight. They require dedicated resources (CPU, memory, disk space) and take longer to set up. + 1. **Security Isolation**: + - **Windows Sandbox**: Provides a secure, isolated environment for testing untrusted software. Any changes made within the sandbox are discarded when you close it. + - **Hyper-V VMs**: While VMs also offer isolation, they persistently store changes unless you revert them manually. + 1. **Resource Efficiency**: + - **Windows Sandbox**: More resource efficient than full VM. It adjusts memory usage according to the demand. It also reuses many of the host’s read only OS files. + - **Hyper-V VMs**: VMs have fixed resource allocations, which can impact overall system performance. + 1. **Ease of Use**: + - **Windows Sandbox**: Simple to use—just open it, test your software, and close it. No complex setup or management. + - **Hyper-V VMs**: Require more configuration, including setting up virtual switches, network adapters, and managing VM snapshots. + + - question: Why can I not change certain settings using a config file? 
+ answer: | + You cannot make changes to properties if they are controlled by Group Policy. Contact your IT Administrator for more details. + + - question: How do I open multiple Sandbox instances? + answer: | + Today, Windows Sandbox only allows users to launch one Sandbox instance at a time. + + - name: Feedback + questions: + + - question: Where can I provide feedback? + answer: | + You can file a bug in Feedback Hub by: + + 1. Open the Feedback Hub app. + 1. Select **Report a problem** or **Suggest a feature**. + 1. Fill in the **Summarize your feedback** and **Explain in more details** boxes with a detailed description of the issue or suggestion. A useful feedback item includes the following: + - Short and descriptive issue title. + - Windows version and build number. This can be gathered from the CMD prompt using the `cmd.exe --version`` command. + - Device information (including CPU type, memory, disk etc.) + - Detailed repro steps. What steps do we need to take to reproduce the issue? Provide as much detail as you can. Provide error message text where possible or screenshots of errors if text cannot be captured. + - Behavior you were expecting. + 1. Select an appropriate category and subcategory by using the dropdown menus. There is a dedicated option in Feedback Hub to file **Windows Sandbox** bugs and feedback. It is located under **Security and Privacy** category. + 1. Select **Next**. + 1. If necessary, you can collect traces for the issue as follows: Select the Recreate my problem tile, then select Start capture, reproduce the issue, and then select **Stop capture**. + 1. Attach any relevant screenshots or files for the problem, then select **Submit**. + + Alternatively, you can also use the [Windows Sandbox GitHub repository](https://github.com/microsoft/Windows-Sandbox) to: + + - **Search existing issues** to see if there are any associated with a problem that you are having. 
Note that in the search bar, you can remove "is:open" to include issues that have already been resolved in your search. Please consider commenting or giving a thumbs up to any open issues that you would like to express your interest in moving forward as a priority. + - **File a new issue**: If you have found a problem with WSB or WSB documentation and there does not appear to be an existing issue, you can select the green New issue button and then choose WSB - Bug Report. You will need to include a title for the issue, your Windows build number (run cmd.exe /c ver to see your current build #), whether you're running inbox or undocked Windows Sandbox, any other software versions involved, the repro steps, expected behavior, actual behavior, and diagnostic logs if available and appropriate. + - **File a feature request** by selecting the green New issue button and then select Feature request. You will need to address a few questions describing your request. diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md index b57e6ef35b5..115a257de35 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md 
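Review bot: In windows-sandbox-faq.yml, the Feedback Hub steps tell readers to get the build number with `cmd.exe --version`` (note the doubled closing backtick), while the GitHub bullet further down gives `cmd.exe /c ver`. Use `cmd.exe /c ver` in both places and fix the backtick so the inline code renders. The list intro "You can file a bug in Feedback Hub by:" also does not match the imperative steps that follow ("Open the Feedback Hub app").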
@@ -16,12 +16,11 @@ ms.date: 09/09/2024 - At least two CPU cores (four cores with hyper-threading recommended) > [!NOTE] -> Windows Sandbox is currently not supported on Windows Home edition. -> Beginning in Windows 11, version 24H2, all inbox store apps like calculator, photos, notepad and terminal are not available inside Windows Sandbox. Ability to use these apps will be added soon. +> Beginning in Windows 11, version 24H2, inbox store apps like Calculator, Photos, Notepad and Terminal are not available inside Windows Sandbox. Ability to use these apps will be added soon. ## Installation -1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or Windows 11. +1. Ensure that your machine is using Windows 11 or Windows 10, version 1903 or later. 2. Enable virtualization on the machine. 
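Review bot: Step 1 drops the edition requirement ("Windows 10 Pro or Enterprise") and the same hunk removes the "not supported on Windows Home edition" line from the note, so the install page no longer tells a Home user that the feature is unavailable. Keep the supported editions in step 1 or link to where they are listed. The minimum version also differs across the series: "Windows 10, version 1903 or later" here, "Windows 10 build 18342" on the configuration page.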
@@ -49,4 +48,12 @@ ms.date: 09/09/2024 > [!NOTE] > Beginning in Windows 11, version 24H2, Windows Sandbox adheres to the mouse settings of the host system. > - > If you are on an older build and if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-configure-using-wsb-file.md#example-3). \ No newline at end of file + > If you are on an older build and if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-configure-using-wsb-file.md#example-3). + +## Try WSB preview features by joining the Windows Insider Program + +To try the most recent features or updates to WSB, join the [Windows Insiders Program](https://insider.windows.com/getting-started). Once you have joined Windows Insiders, you can choose the channel you would like to receive preview builds from inside the Windows settings menu. You can choose from: + +- **Dev channel**: Most recent updates, but low stability. +- **Beta channel**: Ideal for early adopters, more reliable builds than the Dev channel. +- **Release Preview channel**: Preview fixes and key features on the next version of Windows just before its available to the general public. diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md index 858efad675a..c8431f91d44 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md 
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md 
@@ -1,31 +1,44 @@ --- title: Windows Sandbox description: Windows Sandbox overview -ms.topic: conceptual +ms.topic: overview ms.date: 09/09/2024 --- # Windows Sandbox -Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. +Windows Sandbox (WSB) offers a lightweight, isolated desktop environment for safely running applications. It is ideal for testing, debugging, exploring unknown files, and experimenting with tools. Applications installed within the sandbox remain isolated from the host machine using hypervisor-based virtualization. As a disposable virtual machine (VM), Windows Sandbox ensures reboot persistence, quick launch times, and a lower memory footprint compared to full VMs. Its one-click setup simplifies the user experience. -A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Note, however, that as of Windows 11, version 22H2, your data persists through a restart initiated from inside the virtualized environment—useful for installing applications that require the OS to reboot. +The sandbox is temporary; closing it deletes all software, files, and state. Each launch provides a fresh instance. Host-installed software isn't available in the sandbox. Applications needed within the sandbox must be installed there explicitly. -Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment. +> [!NOTE] +> Starting with Windows 11, version 22H2, data persists through restarts initiated within the sandbox, useful for applications requiring a reboot. 
-Windows Sandbox has the following properties: +Windows Sandbox offers the following features: -- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a Virtual Hard Disk (VHD). -- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows. +- **Part of Windows**: Everything required for this feature is included in the supported Windows SKUs like Pro, Enterprise and Education. There's no need to maintain a separate VM installation. - **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application. +- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows. - **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host. -- **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU. +- **Efficient**: Takes a few seconds to launch, supports virtual GPU and has smart memory management that optimizes memory footprint. > [!IMPORTANT] -> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](windows-sandbox-configure-using-wsb-file.md#networking). +> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](windows-sandbox-configure-using-wsb-file.md#networking). Enabling networking can expose untrusted applications to the internal network. + +WSB can be used by anyone without any technical skills in various scenarios where users need a secure, clean environment for testing or running potentially harmful software. 
Here are some ways in which you can leverage WSB: + +- **Clean environment for software testing**: Test or debug your applications in WSB's clean environment to identify and resolve bugs or compatibility issues. +- **Secure web browsing**: Use WSB for secure web browsing, especially when accessing unfamiliar or potentially dangerous websites without putting your system at risk of malware infection. +- **Running Untrusted Applications**: Mitigate security risks by opening untrusted applications or files, such as email attachments in WSB. Improve your safety and security by opening a sandbox with networking disabled and mapping the folder with the application or file you want to open to the sandbox in read-only mode. Check [Sample configuration files](windows-sandbox-sample-configuration.md) for more details. +- **Testing or demoing new software for the first time**: Test drive or demo new software, unstable versions like beta, extensions or add-ons without the hassle of installing and then uninstalling on your host machine. +- **Maintaining multiple dev environments**: Streamline your development process by utilizing WSB to maintain multiple sandboxes for different development environments. For example, maintain a sandbox for each python version and its dependencies! + [!INCLUDE [windows-sandbox](../../../../../includes/licensing/windows-sandbox.md)] +> [!NOTE] +> Windows Sandbox is currently not supported on Windows Home edition. + ## Usage 1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window. diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md index 079dc91f7f1..95d5bcbfe9d 100644 
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md 
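Review bot: In windows-sandbox-overview.md, the new opening paragraph says Windows Sandbox "ensures reboot persistence", which reads as a contradiction of the next paragraph ("closing it deletes all software, files, and state") and holds only in the limited sense given in the [!NOTE] (restarts initiated within the sandbox, starting with Windows 11, version 22H2). Suggest dropping it from the opening paragraph or qualifying it the same way. The "Secure web browsing" bullet also promises browsing "without putting your system at risk of malware infection" a few lines below an [!IMPORTANT] block warning that networking is enabled by default and can expose untrusted applications to the internal network; soften that claim.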
@@ -6,3 +6,107 @@ ms.date: 09/09/2024 --- # Windows Sandbox sample configuration files + +## Example 1 - Mapping Folders and testing an unknown downloaded file in a Sandbox + +The following config file can be used to easily test unknown downloaded files inside a sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the downloads folder from the host and is placed inside a 'temp' folder in the sandbox. For convenience, the logon command opens the downloads folder inside the sandbox when it's started. + +### Downloads.wsb + +```xml + + Disable + Disable + + + C:\Users\Public\Downloads + C:\temp + true + + + + explorer.exe C:\temp + + + +``` + +## Example 2 - Installing Visual Studio Code at launch in a Sandbox + +The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup. + +Two folders are mapped into the sandbox; the first (`SandboxScripts`) contains VSCodeInstall.cmd, which installs and runs Visual Studio Code. The second folder (`CodingProjects`) is assumed to contain project files that the developer wants to modify using Visual Studio Code. + +With the Visual Studio Code installer script already mapped into the sandbox, the `` can reference it. + +### VSCodeInstall.cmd + +This batch file should be created in the `C:\SandboxScripts` directory on the host. It downloads VS Code to `temp` folder inside the sandbox and runs installation from `temp` folder. 
+ +```batch +REM Download Visual Studio Code +curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\temp\vscode.exe + +REM Install and run Visual Studio Code +C:\temp\vscode.exe /verysilent /suppressmsgboxes +``` + +### VSCode.wsb + +```xml + + + + C:\SandboxScripts + C:\temp\sandbox + true + + + C:\CodingProjects + C:\temp\Projects + false + + + + C:\temp\sandbox\VSCodeInstall.cmd + + +``` + +## Example 3 - Mapping Folders and running a PowerShell script as a LogOn Command + +The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users. + +`C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file. + +### SwapMouse.ps1 + +Create a PowerShell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`. + +```powershell +[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null + +$SwapButtons = Add-Type -MemberDefinition @' +[DllImport("user32.dll")] +public static extern bool SwapMouseButton(bool swap); +'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru + +$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped)) +``` + +### SwapMouse.wsb + +```xml + + + + C:\sandbox + C:\sandbox + True + + + + powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1 + + +``` \ No newline at end of file diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md index 90722f57224..ac4107cb4ac 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md 
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md @@ -6,3 +6,4 @@ ms.date: 09/09/2024 --- # Troubleshoot Windows Sandbox + From 63e6ed22e7f4e9a8fe4c68ddcd25880e8fdf6368 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Tue, 10 Sep 2024 11:41:14 -0600 Subject: [PATCH 07/23] chore: Update Windows Sandbox TOC to include sample configuration files --- .../windows-sandbox/windows-sandbox-faq.yml | 56 +++++++++---------- .../windows-sandbox-install.md | 2 +- 2 files changed, 29 insertions(+), 29 deletions(-) diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml index 2f7a816a549..6fa2f42583d 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml @@ -8,7 +8,7 @@ metadata: ms.date: 09/09/2024 title: Common questions about Windows Sandbox -summary: Windows Sandbox (WSB) provides a lightweight desktop environment to safely run applications in isolation. This feature provides a safe and secure space for testing and debugging apps, exploring unknown files, or experimenting with tools since software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. +summary: Windows Sandbox (WSB) provides a lightweight desktop environment to safely run applications in isolation. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Sandbox. sections: 
@@ -16,33 +16,33 @@ sections: questions: - question: Who can use WSB? answer: | - WSB can be used by anyone without any technical skills in various scenarios where users need a secure, clean environment for testing or running potentially harmful software. Here are some ways in which you can leverage WSB: + WSB can be used in various scenarios by anyone without any technical skills. Here are some ways in which you can use WSB: - - *Clean environment for software testing*: Test or debug your applications in WSB's clean environment to identify and resolve bugs or compatibility issues. - - *Secure web browsing*: Use WSB for secure web browsing, especially when accessing unfamiliar or potentially dangerous websites without putting your system at risk of malware infection. - - *Running Untrusted Applications*: Mitigate security risks by running untrusted applications or files, such as email attachments in WSB. - - *Test software features risk-free*: Easily test out software without the need for installing or uninstalling on your host machine. - - *Maintaining multiple dev environments*: Streamline your development process by utilizing WSB to maintain multiple sandboxes for different development environments - - *Privacy Protection*: Users concerned about online privacy can use Windows Sandbox for activities like social media browsing or online shopping to prevent tracking cookies and other privacy-invading techniques. + - **Clean environment for software testing**: Test or debug your applications in WSB's clean environment to identify and resolve bugs or compatibility issues. + - **Secure web browsing**: Use WSB for secure web browsing, especially when accessing unfamiliar or potentially dangerous websites without putting your system at risk of malware infection. + - **Running Untrusted Applications**: Mitigate security risks by running untrusted applications or files, such as email attachments in WSB. 
+ - **Test software features risk-free**: Easily test out software without the need for installing or uninstalling on your host machine. + - **Maintaining multiple dev environments**: Streamline your development process by utilizing WSB to maintain multiple sandboxes for different development environments. + - **Privacy Protection**: Users concerned about online privacy can use Windows Sandbox for activities like social media browsing or online shopping to prevent tracking cookies and other privacy-invading techniques. - - question: What's the difference between a Hyper-V VM and Windows Sandbox? + - question: What's the difference between a Hyper-V virtual machine (VM) and Windows Sandbox? answer: | 1. **Lightweight and Temporary**: - - **Windows Sandbox**: It's a lightweight, disposable environment that runs within your existing Windows installation. You can quickly launch it, test applications, and discard it without affecting your main system. - - **Hyper-V VMs**: Hyper-V VMs are more heavyweight. They require dedicated resources (CPU, memory, disk space) and take longer to set up. + - **Windows Sandbox**: It's a lightweight, disposable environment that runs within your existing Windows installation. You can quickly launch it, test applications, and discard it without affecting your main system. + - **Hyper-V VMs**: Hyper-V VMs are more heavyweight. They require dedicated resources (CPU, memory, disk space) and take longer to set up. 1. **Security Isolation**: - - **Windows Sandbox**: Provides a secure, isolated environment for testing untrusted software. Any changes made within the sandbox are discarded when you close it. - - **Hyper-V VMs**: While VMs also offer isolation, they persistently store changes unless you revert them manually. + - **Windows Sandbox**: Provides a secure, isolated environment for testing untrusted software. Any changes made within the sandbox are discarded when you close it. 
+ - **Hyper-V VMs**: While VMs also offer isolation, they persistently store changes unless you revert them manually. 1. **Resource Efficiency**: - - **Windows Sandbox**: More resource efficient than full VM. It adjusts memory usage according to the demand. It also reuses many of the host’s read only OS files. - - **Hyper-V VMs**: VMs have fixed resource allocations, which can impact overall system performance. + - **Windows Sandbox**: More resource efficient than full VM. It adjusts memory usage according to the demand. It also reuses many of the host’s read only OS files. + - **Hyper-V VMs**: VMs have fixed resource allocations, which can impact overall system performance. 1. **Ease of Use**: - - **Windows Sandbox**: Simple to use—just open it, test your software, and close it. No complex setup or management. - - **Hyper-V VMs**: Require more configuration, including setting up virtual switches, network adapters, and managing VM snapshots. + - **Windows Sandbox**: Simple to use—just open it, test your software, and close it. No complex setup or management. + - **Hyper-V VMs**: Require more configuration, including setting up virtual switches, network adapters, and managing VM snapshots. - question: Why can I not change certain settings using a config file? answer: | - You cannot make changes to properties if they are controlled by Group Policy. Contact your IT Administrator for more details. + You can't make changes to properties if they're controlled by Group Policy. Contact your IT Administrator for more details. - question: How do I open multiple Sandbox instances? answer: | 
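Review bot: the **Running Untrusted Applications** bullet in the "Who can use WSB?" answer recommends opening email attachments in WSB without mentioning that networking is enabled by default, which the overview page in this series flags as able to expose untrusted applications to the internal network. Suggest carrying over the overview's advice (open the sandbox with networking disabled and map the folder read-only) or linking to the sample configuration page from this bullet. The bullet titles also mix sentence case and title case ("Secure web browsing" next to "Privacy Protection"); pick one while the list is being restyled.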
@@ -57,19 +57,19 @@ sections: 1. Open the Feedback Hub app. 1. Select **Report a problem** or **Suggest a feature**. - 1. Fill in the **Summarize your feedback** and **Explain in more details** boxes with a detailed description of the issue or suggestion. A useful feedback item includes the following: - - Short and descriptive issue title. - - Windows version and build number. This can be gathered from the CMD prompt using the `cmd.exe --version`` command. - - Device information (including CPU type, memory, disk etc.) - - Detailed repro steps. What steps do we need to take to reproduce the issue? Provide as much detail as you can. Provide error message text where possible or screenshots of errors if text cannot be captured. - - Behavior you were expecting. - 1. Select an appropriate category and subcategory by using the dropdown menus. There is a dedicated option in Feedback Hub to file **Windows Sandbox** bugs and feedback. It is located under **Security and Privacy** category. + 1. Fill in the **Summarize your feedback** and **Explain in more details** boxes with a detailed description of the issue or suggestion. A useful feedback item includes: + - Short and descriptive issue title. + - Windows version and build number, which can be gathered from a command prompt using the `cmd.exe --version` command. + - Device information (including CPU type, memory, disk etc.) + - Detailed repro steps. What steps do we need to take to reproduce the issue? Provide as much detail as you can. Provide error message text where possible or screenshots of errors if text can't be captured. + - Behavior you were expecting. + 1. Select an appropriate category and subcategory by using the dropdown menus. There's a dedicated option in Feedback Hub to file **Windows Sandbox** bugs and feedback. It's located under **Security and Privacy** category. 1. Select **Next**. 1. 
If necessary, you can collect traces for the issue as follows: Select the Recreate my problem tile, then select Start capture, reproduce the issue, and then select **Stop capture**. 1. Attach any relevant screenshots or files for the problem, then select **Submit**. Alternatively, you can also use the [Windows Sandbox GitHub repository](https://github.com/microsoft/Windows-Sandbox) to: - - **Search existing issues** to see if there are any associated with a problem that you are having. Note that in the search bar, you can remove "is:open" to include issues that have already been resolved in your search. Please consider commenting or giving a thumbs up to any open issues that you would like to express your interest in moving forward as a priority. - - **File a new issue**: If you have found a problem with WSB or WSB documentation and there does not appear to be an existing issue, you can select the green New issue button and then choose WSB - Bug Report. You will need to include a title for the issue, your Windows build number (run cmd.exe /c ver to see your current build #), whether you're running inbox or undocked Windows Sandbox, any other software versions involved, the repro steps, expected behavior, actual behavior, and diagnostic logs if available and appropriate. - - **File a feature request** by selecting the green New issue button and then select Feature request. You will need to address a few questions describing your request. + - **Search existing issues** to see if there are any associated with a problem that you're having. In the search bar, you can remove "is:open" to include resolved issues in your search. Consider commenting or giving a thumbs up to any open issues that you would like to express your interest in moving forward as a priority. 
+ - **File a new issue**: If you have found a problem with WSB or WSB documentation and there doesn't appear to be an existing issue, you can select the green **New issue** button and then choose **WSB - Bug Report**. Provide a title for the issue, your Windows build number, whether you're running inbox or undocked Windows Sandbox, any other software versions involved, the repro steps, expected behavior, actual behavior, and diagnostic logs if available and appropriate. + - **File a feature request** by selecting the green **New issue** button and then select **Feature request**, then answer the questions describing your request. diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md index 115a257de35..0a3e624f7aa 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md 
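Review bot: in the Feedback Hub steps of windows-sandbox-faq.yml, the reworded bullet still tells readers to run `cmd.exe --version`, and `--version` is not a documented cmd.exe switch. The GitHub bullet in this same hunk previously carried `cmd.exe /c ver`, which the change removes. Suggest using `cmd.exe /c ver` in the Feedback Hub bullet and keeping that hint in the "File a new issue" bullet, so both places give the same working command for the build number.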
@@ -48,7 +48,7 @@ ms.date: 09/09/2024 > [!NOTE] > Beginning in Windows 11, version 24H2, Windows Sandbox adheres to the mouse settings of the host system. > - > If you are on an older build and if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-configure-using-wsb-file.md#example-3). + > If you are on an older build and if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-sample-configuration.md#example-3---mapping-folders-and-running-a-powershell-script-as-a-logon-command). ## Try WSB preview features by joining the Windows Insider Program From a721cb1af017d36c27742c965525091ba0151c5a Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Tue, 10 Sep 2024 12:13:07 -0600 Subject: [PATCH 08/23] chore: Update Windows Sandbox TOC and sample configuration files --- ...indows-sandbox-configure-using-wsb-file.md | 22 +++++++++---------- .../windows-sandbox-install.md | 2 +- .../windows-sandbox-overview.md | 17 +++++--------- .../windows-sandbox-sample-configuration.md | 2 +- 4 files changed, 18 insertions(+), 25 deletions(-) diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index df8539a64ce..18d00a04e17 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md 
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -7,13 +7,13 @@ ms.date: 09/09/2024 # Use and configure Windows Sandbox -To launch a Windows Sandbox with default settings, simply Locate and select Windows Sandbox on the Start menu or search for 'Windows Sandbox'. This launches a basic Sandbox with 4GB memory with the following properties: +To launch a Windows Sandbox with default settings, locate and select Windows Sandbox on the Start menu or search for 'Windows Sandbox'. This launches a basic Sandbox with 4GB memory with the following properties: - **vGPU (virtualized GPU)**: Enabled on non-ARM64 devices. - **Networking**: Enabled. The sandbox uses the Hyper-V default switch. - **Audio input**: Enabled. The sandbox shares the host's microphone input into the sandbox. - **Video input**: Disabled. The sandbox doesn't share the host's video input into the sandbox. -- **Protected client**: Disabled. The sandbox doesn't have increased security settings on the Remote Desktop Protocol (RDP) session. +- **Protected client**: Disabled. The sandbox doesn't use increased security settings on the Remote Desktop Protocol (RDP) session. - **Printer redirection**: Disabled. The sandbox doesn't share printers with the host. - **Clipboard redirection**: Enabled. The sandbox shares the host clipboard with the sandbox so that text and files can be pasted back and forth. 
@@ -24,7 +24,7 @@ To launch a Windows Sandbox with default settings, simply Locate and select Wind You have the freedom to open files, install applications from the web, and perform various other tasks that benefit from an isolated clean environment. -When you're finished experimenting, close the sandbox. A dialog box will prompt you to confirm the deletion of all sandbox content. Select "Ok" to proceed. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox. +When you're finished experimenting, close the sandbox. A dialog box prompts you to confirm the deletion of all sandbox content. Select **Ok** to proceed. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox. ## Configure a custom Windows Sandbox @@ -35,7 +35,7 @@ A configuration file enables the user to control the following aspects of Window - **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox uses Windows Advanced Rasterization Platform (WARP). - **Networking**: Enable or disable network access within the sandbox. - **Mapped folders**: Share folders from the host with *read* or *write* permissions. Exposing host directories might allow malicious software to affect the system or steal data. -- **Logon command**: A command that's executed when Windows Sandbox starts. +- **Logon command**: A command to execute when Windows Sandbox starts. - **Audio input**: Shares the host's microphone input into the sandbox. - **Video input**: Shares the host's webcam input into the sandbox. - **Protected client**: Places increased security settings on the Remote Desktop Protocol (RDP) session to the sandbox. 
@@ -107,7 +107,7 @@ Supported values: An array of folders, each representing a location on the host machine that is shared with the sandbox at the specified path. Currently, relative paths aren't supported. -When using `` to map folders, the folders are mapped prior to the execution of the [Logon command](#logon-command). +When using `` to map folders, the folders are mapped before the execution of the [Logon command](#logon-command). ```xml @@ -123,7 +123,7 @@ When using `` to map folders, the folders are mapped prior to the ``` - **HostFolder**: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container fails to start. -- **SandboxFolder**: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it is created. If no sandbox folder is specified, the folder is mapped to the container desktop. +- **SandboxFolder**: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it gets created. If no sandbox folder is specified, the folder is mapped to the container desktop. - **ReadOnly**: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*. > [!NOTE] 
@@ -154,8 +154,8 @@ Enables or disables audio input to the sandbox. Supported values: -- **Enable**: Enables audio input in the sandbox. If this value is set, the sandbox can receive audio input from the user. Applications that use a microphone may require this capability. -- **Disable**: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting. +- **Enable**: Enables audio input in the sandbox. If this value is set, the sandbox can receive audio input from the user. Applications that use a microphone might require this capability. +- **Disable**: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone might not function properly with this setting. - **Default**: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled. > [!NOTE] @@ -172,8 +172,8 @@ Enables or disables video input to the sandbox. Supported values: - **Enable**: Enables video input in the sandbox. -- **Disable**: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox. -- **Default**: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox. +- **Disable**: Disables video input in the sandbox. Applications that use video input might not function properly in the sandbox. +- **Default**: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input might not function properly in the sandbox. > [!NOTE] > There may be security implications of exposing host video input to the container. 
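Review bot: the `may` to `might` pass over the VideoInput values stops at the bullets, so the note directly below them still reads "There may be security implications of exposing host video input to the container." Suggest updating that line in the same change, and since it is the security caveat for this setting, consider stating the implication concretely (applications in the sandbox can capture from the host webcam) instead of leaving it open-ended.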
@@ -231,4 +231,4 @@ Specifies the amount of memory that the sandbox can use in megabytes (MB). value ``` -If the memory value specified is insufficient to boot a sandbox, it is automatically increased to the required minimum amount. +If the memory value specified is insufficient to boot a sandbox, it's automatically increased to the required minimum amount. diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md index 0a3e624f7aa..d634d4aa6a9 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md @@ -52,7 +52,7 @@ ms.date: 09/09/2024 ## Try WSB preview features by joining the Windows Insider Program -To try the most recent features or updates to WSB, join the [Windows Insiders Program](https://insider.windows.com/getting-started). Once you have joined Windows Insiders, you can choose the channel you would like to receive preview builds from inside the Windows settings menu. You can choose from: +To try the most recent features or updates to WSB, join the [Windows Insiders Program](https://insider.windows.com/getting-started). After joining the Windows Insiders Program, you can choose the channel you would like to receive preview builds from inside the Windows settings menu. You can choose from: - **Dev channel**: Most recent updates, but low stability. - **Beta channel**: Ideal for early adopters, more reliable builds than the Dev channel. diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md index c8431f91d44..33aa59a1b89 100644 
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md @@ -7,7 +7,7 @@ ms.date: 09/09/2024 # Windows Sandbox -Windows Sandbox (WSB) offers a lightweight, isolated desktop environment for safely running applications. It is ideal for testing, debugging, exploring unknown files, and experimenting with tools. Applications installed within the sandbox remain isolated from the host machine using hypervisor-based virtualization. As a disposable virtual machine (VM), Windows Sandbox ensures reboot persistence, quick launch times, and a lower memory footprint compared to full VMs. Its one-click setup simplifies the user experience. +Windows Sandbox (WSB) offers a lightweight, isolated desktop environment for safely running applications. It's ideal for testing, debugging, exploring unknown files, and experimenting with tools. Applications installed within the sandbox remain isolated from the host machine using hypervisor-based virtualization. As a disposable virtual machine (VM), Windows Sandbox ensures reboot persistence, quick launch times, and a lower memory footprint compared to full VMs. Its one-click setup simplifies the user experience. The sandbox is temporary; closing it deletes all software, files, and state. Each launch provides a fresh instance. Host-installed software isn't available in the sandbox. Applications needed within the sandbox must be installed there explicitly. 
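Review bot: the opening paragraph touched here keeps "Windows Sandbox ensures reboot persistence" directly above "The sandbox is temporary; closing it deletes all software, files, and state", and the two read as contradictory to anyone deciding whether untrusted code can survive a session. Suggest spelling out what persists and when (for example, across a restart started inside the sandbox, if that is the intent) so it does not undercut the disposable guarantee.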
@@ -16,21 +16,21 @@ The sandbox is temporary; closing it deletes all software, files, and state. Eac Windows Sandbox offers the following features: -- **Part of Windows**: Everything required for this feature is included in the supported Windows SKUs like Pro, Enterprise and Education. There's no need to maintain a separate VM installation. +- **Part of Windows**: Everything required for this feature is included in the supported Windows editions like Pro, Enterprise, and Education. There's no need to maintain a separate VM installation. - **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application. - **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows. - **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host. -- **Efficient**: Takes a few seconds to launch, supports virtual GPU and has smart memory management that optimizes memory footprint. +- **Efficient**: Takes a few seconds to launch, supports virtual GPU, and has smart memory management that optimizes memory footprint. > [!IMPORTANT] > Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](windows-sandbox-configure-using-wsb-file.md#networking). Enabling networking can expose untrusted applications to the internal network. -WSB can be used by anyone without any technical skills in various scenarios where users need a secure, clean environment for testing or running potentially harmful software. Here are some ways in which you can leverage WSB: +WSB can be used without any technical skills in various scenarios where users need a secure, clean environment for testing or running potentially harmful software. 
Here are some ways in which you can use WSB: - **Clean environment for software testing**: Test or debug your applications in WSB's clean environment to identify and resolve bugs or compatibility issues. - **Secure web browsing**: Use WSB for secure web browsing, especially when accessing unfamiliar or potentially dangerous websites without putting your system at risk of malware infection. - **Running Untrusted Applications**: Mitigate security risks by opening untrusted applications or files, such as email attachments in WSB. Improve your safety and security by opening a sandbox with networking disabled and mapping the folder with the application or file you want to open to the sandbox in read-only mode. Check [Sample configuration files](windows-sandbox-sample-configuration.md) for more details. -- **Testing or demoing new software for the first time**: Test drive or demo new software, unstable versions like beta, extensions or add-ons without the hassle of installing and then uninstalling on your host machine. +- **Testing or demoing new software for the first time**: Test drive or demo new software, preview versions, extensions, or add-ons without the hassle of installing and then uninstalling on your host machine. - **Maintaining multiple dev environments**: Streamline your development process by utilizing WSB to maintain multiple sandboxes for different development environments. For example, maintain a sandbox for each python version and its dependencies! 
@@ -38,10 +38,3 @@ WSB can be used by anyone without any technical skills in various scenarios wher > [!NOTE] > Windows Sandbox is currently not supported on Windows Home edition. - -## Usage - -1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window. -2. Run the executable file or installer inside the sandbox. -3. When you're finished experimenting, close the sandbox. A dialog box will state that all sandbox content will be discarded and permanently deleted. Select **Ok**. -4. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox. diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md index 95d5bcbfe9d..91efb7e8186 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md @@ -73,7 +73,7 @@ C:\temp\vscode.exe /verysilent /suppressmsgboxes ``` -## Example 3 - Mapping Folders and running a PowerShell script as a LogOn Command +## Example 3 - Mapping Folders and running a PowerShell script as a Logon Command The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users. From a70c340e045d0c201f33e03ec31aa66304a6d804 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Tue, 10 Sep 2024 14:26:02 -0600 Subject: [PATCH 09/23] Update Windows Sandbox TOC to include sample configuration files --- .../application-isolation/windows-sandbox/toc.yml | 6 ++---- .../windows-sandbox/windows-sandbox-troubleshoot.md | 10 ++++++++++ 2 files changed, 12 insertions(+), 4 deletions(-) 
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml index dc3bd5efd08..1ef0028e080 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml +++ b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml @@ -12,10 +12,8 @@ items: href: windows-sandbox-install.md - name: Use & configure Windows Sandbox href: windows-sandbox-configure-using-wsb-file.md - - name: Tutorials - items: - - name: Sample configuration files - href: windows-sandbox-sample-configuration.md + - name: Sample configuration files + href: windows-sandbox-sample-configuration.md - name: WindowsSandbox Policy CSP href: /windows/client-management/mdm/policy-csp-windowssandbox - name: Frequently asked questions diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md index ac4107cb4ac..4d61fa1b313 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md @@ -7,3 +7,13 @@ ms.date: 09/09/2024 # Troubleshoot Windows Sandbox +This article lists some common issues with Windows Sandbox and possible solutions. To submit feedback about Windows Sandbox, see [Where can I provide feedback?](windows-sandbox-faq.yml#feedback) + +| Error | Possible Solution | +|--|--| +| `WININET_E_NAME_NOT_RESOLVED`
`WU_E_PT_ENDPOINT_UNREACHABLE` | Upgrade to Windows Sandbox app fails because user isn't connected to internet or network adapter is connected but no internet connection. Check your internet connection. | +| `ERROR_FILE_NOT_FOUND` | `.wsb` config file provided by the user doesn't exist. Make sure that the path to the `.wsb` file is correct. | +| `E_INVALIDARG` | The `.wsb` file provided by the user is invalid or has errors. Check the `.wsb` file. | +| `REGDB_E_IIDNOTREG` | Verify if Windows Sandbox component is enabled under 'Turn Windows features on or off'. For more information, see [Install Windows Sandbox](windows-sandbox-install.md) | +| `The following settings are enforced by your IT administrator.` | `.wsb` file has a setting enabled that is controlled via group policy. | +| General failure during installation. | Possible causes:

- Installing Windows Sandbox is disabled via group policy. Check with your IT Admin.
- Timeout error where we can't reach the Microsoft Store. Try again later. | From 3f042fafb25a9e761f23d0fc9f017fcf1efadb53 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Tue, 10 Sep 2024 14:32:12 -0600 Subject: [PATCH 10/23] Update Windows Sandbox TOC to include sample configuration files and fix broken link in troubleshoot.md --- .../application-isolation/windows-sandbox/toc.yml | 2 +- .../windows-sandbox/windows-sandbox-troubleshoot.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml index 1ef0028e080..2d0ed23d23d 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml +++ b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml @@ -14,7 +14,7 @@ items: href: windows-sandbox-configure-using-wsb-file.md - name: Sample configuration files href: windows-sandbox-sample-configuration.md - - name: WindowsSandbox Policy CSP + - name: WindowsSandbox Policy CSP 🔗 href: /windows/client-management/mdm/policy-csp-windowssandbox - name: Frequently asked questions href: windows-sandbox-faq.yml diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md index 4d61fa1b313..719eb8a1d29 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md 
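Review bot: in the new troubleshooting table, the row for `The following settings are enforced by your IT administrator.` gives only a cause in the "Possible Solution" column, with no action for the reader. Suggest adding the step the FAQ already uses for Group Policy controlled settings ("Contact your IT Administrator for more details") or removing the conflicting setting from the `.wsb` file. The `REGDB_E_IIDNOTREG` row is also missing its closing period, and the first row describes the failure before the fix, unlike the other rows.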
@@ -7,7 +7,7 @@ ms.date: 09/09/2024 # Troubleshoot Windows Sandbox -This article lists some common issues with Windows Sandbox and possible solutions. To submit feedback about Windows Sandbox, see [Where can I provide feedback?](windows-sandbox-faq.yml#feedback) +This article lists some common issues with Windows Sandbox and possible solutions. To submit feedback about Windows Sandbox, see [Where can I provide feedback?](windows-sandbox-faq.yml##where-can-i-provide-feedback) | Error | Possible Solution | |--|--| From e6e59d69b4cb55b4c25acd66665b5d7ad1358afb Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Wed, 11 Sep 2024 15:39:38 -0600 Subject: [PATCH 11/23] Test --- .../security/application-security/application-isolation/toc.yml | 2 +- .../windows-sandbox/{windows-sandbox-overview.md => index.md} | 0 2 files changed, 1 insertion(+), 1 deletion(-) rename windows/security/application-security/application-isolation/windows-sandbox/{windows-sandbox-overview.md => index.md} (100%) diff --git a/windows/security/application-security/application-isolation/toc.yml b/windows/security/application-security/application-isolation/toc.yml index db3200f4a31..c2de68aab37 100644 --- a/windows/security/application-security/application-isolation/toc.yml +++ b/windows/security/application-security/application-isolation/toc.yml @@ -13,4 +13,4 @@ items: - name: App containers 🔗 href: /virtualization/windowscontainers/about - name: Windows Sandbox - href: windows-sandbox/toc.yml \ No newline at end of file + href: windows-sandbox/index.md \ No newline at end of file 
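Review bot: the replacement link in windows-sandbox-troubleshoot.md, `windows-sandbox-faq.yml##where-can-i-provide-feedback`, has a doubled `#`, so the fragment will not match the FAQ question's anchor and the "fix broken link" change leaves the link broken. Use a single `#` before `where-can-i-provide-feedback` and confirm the link in a build preview.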
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/index.md similarity index 100% rename from windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md rename to windows/security/application-security/application-isolation/windows-sandbox/index.md From a0adc7e8ae3de776aed9f501b802bf7e5e861e34 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Wed, 11 Sep 2024 15:49:36 -0600 Subject: [PATCH 12/23] Update Windows Sandbox TOC to include sample configuration files and fix broken link in troubleshoot.md --- ...blishing.redirection.windows-security.json | 5 +++ .../windows-sandbox/toc.yml | 40 ++++++++++--------- .../windows-sandbox-troubleshoot.md | 2 +- ...lication-security-application-isolation.md | 2 +- .../security/includes/sections/application.md | 2 +- windows/security/index.yml | 2 +- windows/security/threat-protection/index.md | 2 +- 7 files changed, 31 insertions(+), 24 deletions(-) diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index fc3a796e959..e66a1c8cae2 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json 
@@ -5,6 +5,11 @@ "redirect_url": "/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt", "redirect_document_id": false }, + { + "source_path": "windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md", + "redirect_url": "/windows/security/application-security/application-isolation/windows-sandbox/index.md", + "redirect_document_id": false + }, { "source_path": "windows/security//threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md", "redirect_url": "/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity", diff --git a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml index 2d0ed23d23d..6a17c8dd4a1 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml +++ b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml 
@@ -1,22 +1,24 @@ items: - - name: Overview - expanded: true - items: - - name: What is Windows Sandbox? - href: windows-sandbox-overview.md - - name: Compare versions - href: windows-sandbox-versions.md - - name: Architecture - href: windows-sandbox-architecture.md - - name: Install Windows Sandbox - href: windows-sandbox-install.md - - name: Use & configure Windows Sandbox - href: windows-sandbox-configure-using-wsb-file.md +- name: Windows Sandbox + href: index.md +- name: Overview + expanded: true + items: + - name: Compare versions + href: windows-sandbox-versions.md + - name: Architecture + href: windows-sandbox-architecture.md +- name: Install Windows Sandbox + href: windows-sandbox-install.md +- name: Use & configure Windows Sandbox + href: windows-sandbox-configure-using-wsb-file.md +- name: Tutorials + items: - name: Sample configuration files href: windows-sandbox-sample-configuration.md - - name: WindowsSandbox Policy CSP 🔗 - href: /windows/client-management/mdm/policy-csp-windowssandbox - - name: Frequently asked questions - href: windows-sandbox-faq.yml - - name: Troubleshooting - href: windows-sandbox-troubleshoot.md \ No newline at end of file +- name: WindowsSandbox Policy CSP 🔗 + href: /windows/client-management/mdm/policy-csp-windowssandbox +- name: Frequently asked questions + href: windows-sandbox-faq.yml +- name: Troubleshooting + href: windows-sandbox-troubleshoot.md \ No newline at end of file diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md index 719eb8a1d29..23b9f622635 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md 
@@ -7,7 +7,7 @@ ms.date: 09/09/2024 # Troubleshoot Windows Sandbox -This article lists some common issues with Windows Sandbox and possible solutions. To submit feedback about Windows Sandbox, see [Where can I provide feedback?](windows-sandbox-faq.yml##where-can-i-provide-feedback) +This article lists some common issues with Windows Sandbox and possible solutions. To submit feedback about Windows Sandbox, see [Where can I provide feedback?](windows-sandbox-faq.yml#where-can-i-provide-feedback) | Error | Possible Solution | |--|--| diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index 603d0138a4f..a81d5c9c9ce 100644 --- a/windows/security/book/application-security-application-isolation.md +++ b/windows/security/book/application-security-application-isolation.md @@ -38,7 +38,7 @@ Once Windows Sandbox is closed, nothing persists on the device. All the software :::image type="icon" source="images/learn-more.svg" border="false"::: **Learn more:** -- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) +- [Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox) - [Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation](https://techcommunity.microsoft.com/t5/windows-os-platform-blog/windows-sandbox/ba-p/301849) diff --git a/windows/security/includes/sections/application.md b/windows/security/includes/sections/application.md index 8b6b510ef43..f185a1ec049 100644 --- a/windows/security/includes/sections/application.md +++ b/windows/security/includes/sections/application.md 
@@ -25,4 +25,4 @@ ms.topic: include | **[Microsoft Defender Application Guard (MDAG) for Microsoft Office](https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46)** | Application Guard protects Office files including Word, PowerPoint, and Excel. Application icons have a small shield if Application Guard has been enabled and they are under protection. | | **[Microsoft Defender Application Guard (MDAG) configure via MDM](/windows/client-management/mdm/windowsdefenderapplicationguard-csp)** | The WindowsDefenderApplicationGuard configuration service provider (CSP) is used by the enterprise to configure the settings in Microsoft Defender Application Guard. | | **[App containers](/virtualization/windowscontainers/about/)** | Universal Windows Platform (UWP) applications run in Windows containers known as app containers. Processes that run in app containers operate with low integrity level, meaning they have limited access to resources they don't own. Because the default integrity level of most resources is medium integrity level, the UWP app can access only a subset of the filesystem, registry, and other resources. The app container also enforces restrictions on network connectivity; for example, access to a local host isn't allowed. As a result, malware or infected apps have limited footprint for escape. | -| **[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. 
| +| **[Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox)** | Windows Sandbox provides a lightweight desktop environment to safely run untrusted Win32 applications in isolation, using the same hardware-based Hyper-V virtualization technology to isolate apps without fear of lasting impact to your PC. | diff --git a/windows/security/index.yml b/windows/security/index.yml index 9553388f93c..6bcbbcbb104 100644 --- a/windows/security/index.yml +++ b/windows/security/index.yml @@ -110,7 +110,7 @@ landingContent: - text: Microsoft Defender Application Guard (MDAG) url: /windows/security/application-security/application-isolation/microsoft-defender-application-guard/md-app-guard-overview - text: Windows Sandbox - url: /windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview + url: /windows/security/application-security/application-isolation/windows-sandbox/ - linkListType: how-to-guide links: - text: Configure Windows Sandbox diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md index 5dd0c7c3f09..326b453de12 100644 --- a/windows/security/threat-protection/index.md +++ b/windows/security/threat-protection/index.md @@ -25,7 +25,7 @@ See the following articles to learn more about the different areas of Windows th - [Virtualization-Based Protection of Code Integrity](../hardware-security/enable-virtualization-based-protection-of-code-integrity.md) - [Web Protection](/microsoft-365/security/defender-endpoint/web-protection-overview) - [Windows Firewall](../operating-system-security/network-security/windows-firewall/index.md) -- [Windows Sandbox](../application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md) +- [Windows Sandbox](../application-security/application-isolation/windows-sandbox/index.md) ## Next-generation protection From e6613bb5f4fd15010b5c0aa91e3a53e8d765b0ce Mon Sep 17 00:00:00 2001 
From: "Vinay Pamnani (from Dev Box)" Date: Tue, 22 Oct 2024 10:44:07 -0600 Subject: [PATCH 13/23] Updates --- .../windows-sandbox/toc.yml | 4 +- .../windows-sandbox/windows-sandbox-cli.md | 101 ++++++++++++++++++ ...indows-sandbox-configure-using-wsb-file.md | 4 +- .../windows-sandbox-sample-configuration.md | 4 +- .../windows-sandbox-versions.md | 26 ++++- 5 files changed, 133 insertions(+), 6 deletions(-) create mode 100644 windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md diff --git a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml index 6a17c8dd4a1..9654e55dcd5 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/toc.yml +++ b/windows/security/application-security/application-isolation/windows-sandbox/toc.yml @@ -4,7 +4,7 @@ items: - name: Overview expanded: true items: - - name: Compare versions + - name: Windows Sandbox versions href: windows-sandbox-versions.md - name: Architecture href: windows-sandbox-architecture.md @@ -12,6 +12,8 @@ items: href: windows-sandbox-install.md - name: Use & configure Windows Sandbox href: windows-sandbox-configure-using-wsb-file.md +- name: Windows Sandbox command line interface + href: windows-sandbox-cli.md - name: Tutorials items: - name: Sample configuration files diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md new file mode 100644 index 00000000000..b68d31277e1 --- /dev/null +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md 
@@ -0,0 +1,101 @@ +--- +title: Windows Sandbox command line +description: Windows Sandbox command line interface +ms.topic: how-to +ms.date: 10/22/2024 +--- + +# Windows Sandbox command line interface + +Starting with Windows 11, version 24H2, the Windows Command Line Interface (CLI) offers powerful tools for creating, managing, and controlling sandboxes, executing commands, and sharing folders within sandbox sessions. This functionality is especially valuable for scripting, task automation, and improving development workflows. In this section, you'll explore how the Windows Sandbox CLI operates, with examples demonstrating how to use each command to enhance your development process. + +**Common parameters**: + +- `--raw`: Formats all outputs in JSON format. +- `-?, -h, --help`: Show help and usage information + +## Start + +The start command creates and launches a new sandbox. The command returns the sandbox ID, which is a unique identifier for the sandbox. The sandbox ID can be used to refer to the sandbox in other commands. + +- `--id `: ID of the Windows Sandbox environment. +- `--c, --config `: Formatted string with the settings that should be used to create the Windows Sandbox environment. + +**Examples**: + +- Create a Windows Sandbox environment with the default settings: + + ```cmd + wsb start + ``` + +- Create a Windows Sandbox environment with a custom configuration: + + ```cmd + wsb start --config "Disabled" + ``` + +## List + +The list command displays a table that shows the information the running Windows Sandbox sessions for the current user. The table includes the sandbox ID. The status can be either running or stopped. The uptime is the duration that the sandbox has been running. + +```cmd +wsb list +``` + +## Exec + +The exec command executes a command in the sandbox. The command takes two arguments: the sandbox ID and the command to execute. The command can be either a built-in command or an executable file. 
The exec command runs the command in the sandbox and returns the exit code. The exec command can also take optional arguments that are passed to the process started in the sandbox. + +> [!NOTE] +> Currently, there is no support for process I/O meaning that there is no way to retrieve the output of a command run in Sandbox. + +Commands in Windows Sandbox can be executed in the system context or in the context of the currently logged on user. However, there is no way to log on a user without an active RDP session. Therefore, there currently is no way to execute commands in the user context unless there is an active RDP session. + +- `--id ` (REQUIRED): ID of the Windows Sandbox environment. +- `-c, --command ` (REQUIRED): The command to execute within Windows Sandbox. +- `-r, --run-as ` (REQUIRED): Specifies the user context to execute the command within. If the System option is selected, the command will run in the system context. If the ExistingLogin option is selected, the command will run in the currently active user session or fail if there is no active user session. +- `-d, --working-directory `: Directory to execute command in. + +```cmd +wsb exec –-id 12345678-1234-1234-1234-1234567890AB -c app.exe -r System +``` + +## Stop + +The stop command stops a running Windows Sandbox session. The command takes the sandbox ID as an argument. + +The stop command terminates the sandbox process and releases the resources allocated to the sandbox. The stop command also closes the window that shows the sandbox desktop. + +```cmd +wsb stop --id 12345678-1234-1234-1234-1234567890AB +``` + +## Map + +The map command maps a host folder to a folder in the sandbox. The command takes three arguments: the sandbox ID, the host path, and the sandbox path. The host path should be a folder. The sandbox path can be either an existing or a new folder. The share command allows the user to share files and folders between the host and the sandbox. 
An Additional, `--allow-write` option can be used to allow or disallow the Windows Sandbox environment to write to the folder. + +- `--id ` (REQUIRED): ID of the Windows Sandbox environment. +- `-f, --host-path ` (REQUIRED): Path to folder that will be mapped from the host. +- `-s, --sandbox-path ` (REQUIRED): Path to the folder within the Windows Sandbox. +- `-w, --allow-write`: If specified, the Windows Sandbox environment will be allowed to write to the shared folder. + +```cmd +wsb map --id 12345678-1234-1234-1234-1234567890AB -f C:\host\folder -s C:\sandbox\folder --allow-write +``` + +## Connect + +The connect command starts a remote session within the sandbox. The command takes the sandbox ID as an argument. The connect command opens a new window with a remote desktop session. The connect command allows the user to interact with the sandbox using the mouse and keyboard. + +```cmd +wsb connect --id 12345678-1234-1234-1234-1234567890AB +``` + +## IP + +The ip command displays the IP address of the sandbox. The command takes the sandbox ID as an argument. + +```cmd +wsb ip --id 12345678-1234-1234-1234-1234567890AB +``` diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 512d72f4c55..0dd5cdf7611 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md 
@@ -7,7 +7,7 @@ ms.date: 09/09/2024 # Use and configure Windows Sandbox -To launch a Windows Sandbox with default settings, locate and select Windows Sandbox on the Start menu or search for 'Windows Sandbox'. This launches a basic Sandbox with 4GB memory with the following properties: +To launch a Windows Sandbox with default settings, locate and select Windows Sandbox on the Start menu or search for 'Windows Sandbox'. This launches a basic Sandbox with maximum capacity of 4GB memory with the following properties: - **vGPU (virtualized GPU)**: Enabled on non-ARM64 devices. - **Networking**: Enabled. The sandbox uses the Hyper-V default switch. @@ -231,4 +231,4 @@ Specifies the amount of memory that the sandbox can use in megabytes (MB). value ``` -If the memory value specified is insufficient to boot a sandbox, it's automatically increased to the required minimum amount. +If the memory value specified is insufficient to boot a sandbox, it's automatically increased to the required minimum amount of 2048 MB. diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md index 91efb7e8186..8d1a0ca697d 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-sample-configuration.md 
@@ -75,9 +75,9 @@ C:\temp\vscode.exe /verysilent /suppressmsgboxes ## Example 3 - Mapping Folders and running a PowerShell script as a Logon Command -The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users. +Beginning in Windows 11, version 24H2, Windows Sandbox adheres to the mouse settings of the host system. If you are on an older build and if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. -`C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file. +In this example, the `C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file. ### SwapMouse.ps1 diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md index 7a957abe53f..4249eb5e923 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md 
@@ -2,7 +2,31 @@ title: Windows Sandbox versions description: Windows Sandbox versions ms.topic: conceptual -ms.date: 09/09/2024 +ms.date: 10/22/2024 --- # Windows Sandbox versions + +Starting with Windows 11, version 24H2, a newer version of Windows Sandbox is available from the Microsoft Store, featuring an improved user experience and new command line functionality. + +- **Faster Updates**: With the app now being updated through the Microsoft Store, you can install the bug fixes and new features as soon as they're available, rather than needing to wait for an update of the Windows operating system. +- **Revamped UI**: The app now features WinUI 3, a modern and sleek user interface built on the Fluent design system. +- **New Runtime Features**: Users can now access clipboard redirection, audio/video input control, and folder sharing directly during runtime using the "…" icon in the top-right corner. No need for pre-configured .wsb files. +- **Command Line Preview**: We've introduced an early version of command line support for Windows Sandbox. Check out ---- for more details. + +## Upgrading to the newer version + +### Prerequisites + +- Windows Sandbox must already be installed. If it isn't already installed, [install Windows Sandbox](windows-sandbox-install.md). +- Device must be running Windows 11, version 24H2, with KB10D or later. +- Microsoft Store and Windows Update must be accessible. + +### Upgrade + +- Launch **Windows Sandbox** from the Start menu. +- If the app hasn't been upgraded to the latest version, a progress dialog appears as it automatically attempts to update. This process typically takes 30 seconds to 2 minutes. +- Once the installation is complete, you'll be directed to the updated version of the app. + +> [!NOTE] +> If the upgrade fails on the first try, the installation continues in the background while you use the older version of the app. 
Additionally, the app is queued in the "Updates & downloads" section of the Microsoft Store app for users who wish to manually install it. \ No newline at end of file From 284258a52408a2f069e90c9a9fd4fd1f05ba92f5 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Tue, 22 Oct 2024 15:57:56 -0600 Subject: [PATCH 14/23] Acro-updates --- .../windows-sandbox/windows-sandbox-cli.md | 8 ++++---- .../windows-sandbox-configure-using-wsb-file.md | 2 +- .../windows-sandbox/windows-sandbox-install.md | 2 +- .../windows-sandbox/windows-sandbox-versions.md | 8 ++++---- 4 files changed, 10 insertions(+), 10 deletions(-) diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md index b68d31277e1..896af70b77d 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md 
@@ -50,11 +50,11 @@ The exec command executes a command in the sandbox. The command takes two argume > [!NOTE] > Currently, there is no support for process I/O meaning that there is no way to retrieve the output of a command run in Sandbox. -Commands in Windows Sandbox can be executed in the system context or in the context of the currently logged on user. However, there is no way to log on a user without an active RDP session. Therefore, there currently is no way to execute commands in the user context unless there is an active RDP session. +Commands in Windows Sandbox can be executed in the system context or in the context of the currently logged on user. However, there's no way to sign-in a user without an active RDP session. Therefore, there currently is no way to execute commands in the user context unless there's an active RDP session. - `--id ` (REQUIRED): ID of the Windows Sandbox environment. - `-c, --command ` (REQUIRED): The command to execute within Windows Sandbox. -- `-r, --run-as ` (REQUIRED): Specifies the user context to execute the command within. If the System option is selected, the command will run in the system context. If the ExistingLogin option is selected, the command will run in the currently active user session or fail if there is no active user session. +- `-r, --run-as ` (REQUIRED): Specifies the user context to execute the command within. If the System option is selected, the command runs in the system context. If the ExistingLogin option is selected, the command runs in the currently active user session or fails if there's no active user session. - `-d, --working-directory `: Directory to execute command in. ```cmd 
@@ -76,9 +76,9 @@ wsb stop --id 12345678-1234-1234-1234-1234567890AB The map command maps a host folder to a folder in the sandbox. The command takes three arguments: the sandbox ID, the host path, and the sandbox path. The host path should be a folder. The sandbox path can be either an existing or a new folder. The share command allows the user to share files and folders between the host and the sandbox. An Additional, `--allow-write` option can be used to allow or disallow the Windows Sandbox environment to write to the folder. - `--id ` (REQUIRED): ID of the Windows Sandbox environment. -- `-f, --host-path ` (REQUIRED): Path to folder that will be mapped from the host. +- `-f, --host-path ` (REQUIRED): Path to folder that is mapped from the host. - `-s, --sandbox-path ` (REQUIRED): Path to the folder within the Windows Sandbox. -- `-w, --allow-write`: If specified, the Windows Sandbox environment will be allowed to write to the shared folder. +- `-w, --allow-write`: If specified, the Windows Sandbox environment is allowed to write to the shared folder. ```cmd wsb map --id 12345678-1234-1234-1234-1234567890AB -f C:\host\folder -s C:\sandbox\folder --allow-write diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 0dd5cdf7611..71c365b89e0 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md 
@@ -9,7 +9,7 @@ ms.date: 09/09/2024 To launch a Windows Sandbox with default settings, locate and select Windows Sandbox on the Start menu or search for 'Windows Sandbox'. This launches a basic Sandbox with maximum capacity of 4GB memory with the following properties: -- **vGPU (virtualized GPU)**: Enabled on non-ARM64 devices. +- **vGPU (virtualized GPU)**: Enabled on non-Arm64 devices. - **Networking**: Enabled. The sandbox uses the Hyper-V default switch. - **Audio input**: Enabled. The sandbox shares the host's microphone input into the sandbox. - **Video input**: Disabled. The sandbox doesn't share the host's video input into the sandbox. diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md index d634d4aa6a9..32b1aee636a 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-install.md @@ -9,7 +9,7 @@ ms.date: 09/09/2024 ## Prerequisites -- ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture +- Arm64 (for Windows 11, version 22H2 and later) or AMD64 architecture - Virtualization capabilities enabled in BIOS - At least 4 GB of RAM (8 GB recommended) - At least 1 GB of free disk space (SSD recommended) diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md index 4249eb5e923..be0502cecd6 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md 
@@ -11,8 +11,8 @@ Starting with Windows 11, version 24H2, a newer version of Windows Sandbox is av - **Faster Updates**: With the app now being updated through the Microsoft Store, you can install the bug fixes and new features as soon as they're available, rather than needing to wait for an update of the Windows operating system. - **Revamped UI**: The app now features WinUI 3, a modern and sleek user interface built on the Fluent design system. -- **New Runtime Features**: Users can now access clipboard redirection, audio/video input control, and folder sharing directly during runtime using the "…" icon in the top-right corner. No need for pre-configured .wsb files. -- **Command Line Preview**: We've introduced an early version of command line support for Windows Sandbox. Check out ---- for more details. +- **New Runtime Features**: Users can now access clipboard redirection, audio/video input control, and folder sharing directly during runtime using the "…" icon in the top-right corner without needing a preconfigured `.wsb` file. +- **Command Line Preview**: An early version of [command line support](windows-sandbox-cli.md) for Windows Sandbox is now available. ## Upgrading to the newer version 
@@ -25,8 +25,8 @@ Starting with Windows 11, version 24H2, a newer version of Windows Sandbox is av ### Upgrade - Launch **Windows Sandbox** from the Start menu. -- If the app hasn't been upgraded to the latest version, a progress dialog appears as it automatically attempts to update. This process typically takes 30 seconds to 2 minutes. -- Once the installation is complete, you'll be directed to the updated version of the app. +- If the app isn't upgraded to the latest version, a progress dialog appears as it automatically attempts to update. This process typically takes 30 seconds to 2 minutes. +- Once the installation is complete, you're directed to the updated version of the app. > [!NOTE] > If the upgrade fails on the first try, the installation continues in the background while you use the older version of the app. Additionally, the app is queued in the "Updates & downloads" section of the Microsoft Store app for users who wish to manually install it. \ No newline at end of file From 78a8b00b0de9f6c59f47ddd80b193cdce4b707d0 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Wed, 23 Oct 2024 16:17:04 -0600 Subject: [PATCH 15/23] Implement feedback items from Kavya --- ...indows-sandbox-configure-using-wsb-file.md | 6 ++--- .../windows-sandbox/windows-sandbox-faq.yml | 26 +++++++++++++++++++ .../windows-sandbox-troubleshoot.md | 4 ++- .../windows-sandbox-versions.md | 4 +-- 4 files changed, 34 insertions(+), 6 deletions(-) diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index 71c365b89e0..f1a42226e34 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md 
+++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -107,7 +107,7 @@ Supported values: An array of folders, each representing a location on the host machine that is shared with the sandbox at the specified path. Currently, relative paths aren't supported. -When using `` to map folders, the folders are mapped before the execution of the [Logon command](#logon-command). +When using `` to map folders, the folders are mapped before the execution of the [Logon command](#logon-command). Beginning in Windows 11, version 23H2, you can use environment variables in the path. ```xml 
@@ -123,11 +123,11 @@ When using `` to map folders, the folders are mapped before the e ``` - **HostFolder**: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container fails to start. -- **SandboxFolder**: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it gets created. If no sandbox folder is specified, the folder is mapped to the container desktop. +- **SandboxFolder**: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it gets created. If no sandbox folder is specified, the folder is mapped to the container user's desktop. The default user of Sandbox is `WDAGUtilityAccount`. - **ReadOnly**: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*. > [!NOTE] -> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host. Changes made during a Sandbox session to a mapped folder with write-permissions will persist after a Sandbox is disposed. +> Files and folders mapped from the host can be compromised by apps in the sandbox or potentially affect the host. Changes made during a Sandbox session to a mapped folder with write-permissions will persist after a Sandbox is disposed. ### Logon command diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml index 6fa2f42583d..1cb0a58a9f3 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml 
@@ -48,6 +48,32 @@ sections: answer: | Today, Windows Sandbox only allows users to launch one Sandbox instance at a time. + - question: Installing the latest version of Windows Sandbox fails. How do I fix this? + answer: | + Ensure that your device has access to the Internet, Windows Update and Microsoft Store. Beginning from Windows 11 24H2, the old Windows Sandbox app attempts to download the latest version from the Store. If the upgrade fails initially, installation continues in the background while the user can still use the app. Additionally, the app is queued in the "Updates & Downloads" section of the Microsoft Store app for users who wish to manually install it manually. + + - question: How do I know which version of Windows Sandbox I am running? + answer: | + Run `Get-AppxPackage -Name WindowsSandbox | Select-Object Version` in a PowerShell prompt. If the version is empty, you are running an older version of Windows Sandbox. If this returns a set of digits, you are running the newer version. + Alternatively, if your Windows Sandbox app has a '...' button in the top-right corner that opens a drop-down menu, you're using the new version. + + - question: How do I save the Sandbox state? + answer: | + Windows Sandbox is temporary; closing it deletes all software, files, and state. + + - question: How can I open Windows Sandbox with a different OS version? + answer: | + Windows Sandbox only allows you to use the same build as your host OS. This allows us to keep Windows Sandbox 'lightweight'. + + - question: What applications aren't supported inside a Windows Sandbox? + answer: | + Inbox apps (for example, Store, Notepad) and Optional features turned on via 'Turn Windows Features On or Off' are not supported. + While Store apps can be installed, you can't download them directly from the Store since the Store app isn't available in the Sandbox. However, if you have an `.appx` package, you can still install those apps. 
+ + - question: How do I uninstall Windows Sandbox? + answer: | + Run the following PowerShell cmdlet to uninstall the app: `Get-AppxPackage -name WindowsSandbox | Remove-AppxPackage` + - name: Feedback questions: diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md index 23b9f622635..a908b5875ce 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-troubleshoot.md @@ -16,4 +16,6 @@ This article lists some common issues with Windows Sandbox and possible solution | `E_INVALIDARG` | The `.wsb` file provided by the user is invalid or has errors. Check the `.wsb` file. | | `REGDB_E_IIDNOTREG` | Verify if Windows Sandbox component is enabled under 'Turn Windows features on or off'. For more information, see [Install Windows Sandbox](windows-sandbox-install.md) | | `The following settings are enforced by your IT administrator.` | `.wsb` file has a setting enabled that is controlled via group policy. | -| General failure during installation. | Possible causes:

- Installing Windows Sandbox is disabled via group policy. Check with your IT Admin.
- Timeout error where we can't reach the Microsoft Store. Try again later. | +| `No hypervisor was found. Please enable hypervisor support.` | Windows Sandbox only supports Hyper-V Hypervisor. Third-party hypervisors are not supported. Ensure that Hyper-V is enabled. | +| `Cannot upgrade to the latest version of Windows Sandbox` | Ensure that your device has access to the Internet, Windows Update and Microsoft Store. Beginning with Windows 11, version 24H2, the old Windows Sandbox app attempts to download the latest version from the Store. If the upgrade fails initially, installation continues in the background while the user can still use the app. Additionally, the app is queued in the "Updates & downloads" section of the Microsoft Store app for users who wish to install it manually. | +| `E_FAIL`, or `E_UNEXPECTED` or general failure during installation. | Possible causes:

- Installing Windows Sandbox is disabled via group policy. Check with your IT Admin.
- Timeout error where we can't reach the Microsoft Store. Try again later. | diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md index be0502cecd6..42ffe331cce 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-versions.md @@ -20,7 +20,7 @@ Starting with Windows 11, version 24H2, a newer version of Windows Sandbox is av - Windows Sandbox must already be installed. If it isn't already installed, [install Windows Sandbox](windows-sandbox-install.md). - Device must be running Windows 11, version 24H2, with KB10D or later. -- Microsoft Store and Windows Update must be accessible. +- Internet access for Microsoft Store and Windows Update. ### Upgrade @@ -29,4 +29,4 @@ Starting with Windows 11, version 24H2, a newer version of Windows Sandbox is av - Once the installation is complete, you're directed to the updated version of the app. > [!NOTE] -> If the upgrade fails on the first try, the installation continues in the background while you use the older version of the app. Additionally, the app is queued in the "Updates & downloads" section of the Microsoft Store app for users who wish to manually install it. \ No newline at end of file +> If the upgrade fails on the first try, the installation continues in the background while you use the older version of the app. Additionally, the app is queued in the "Updates & downloads" section of the Microsoft Store app for users who wish to install it manually. \ No newline at end of file From 470aff9146bcf6c2783db482737413c8c85ffeb4 Mon Sep 17 00:00:00 2001 
From: "Vinay Pamnani (from Dev Box)" Date: Wed, 23 Oct 2024 16:20:55 -0600 Subject: [PATCH 16/23] Minor update --- .../windows-sandbox/windows-sandbox-faq.yml | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml index 1cb0a58a9f3..015bb5dd5dd 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml @@ -14,6 +14,7 @@ sections: - name: Concepts questions: + - question: Who can use WSB? answer: | WSB can be used in various scenarios by anyone without any technical skills. Here are some ways in which you can use WSB: @@ -40,6 +41,14 @@ sections: - **Windows Sandbox**: Simple to use—just open it, test your software, and close it. No complex setup or management. - **Hyper-V VMs**: Require more configuration, including setting up virtual switches, network adapters, and managing VM snapshots. + - question: What applications aren't supported inside a Windows Sandbox? + answer: | + Inbox apps (for example, Store, Notepad) and Optional features turned on via 'Turn Windows Features On or Off' are not supported. + While Store apps can be installed, you can't download them directly from the Store since the Store app isn't available in the Sandbox. However, if you have an `.appx` package, you can still install those apps. + + - name: Usage + questions: + - question: Why can I not change certain settings using a config file? answer: | You can't make changes to properties if they're controlled by Group Policy. Contact your IT Administrator for more details. 
@@ -65,11 +74,6 @@ sections: answer: | Windows Sandbox only allows you to use the same build as your host OS. This allows us to keep Windows Sandbox 'lightweight'. - - question: What applications aren't supported inside a Windows Sandbox? - answer: | - Inbox apps (for example, Store, Notepad) and Optional features turned on via 'Turn Windows Features On or Off' are not supported. - While Store apps can be installed, you can't download them directly from the Store since the Store app isn't available in the Sandbox. However, if you have an `.appx` package, you can still install those apps. - - question: How do I uninstall Windows Sandbox? answer: | Run the following PowerShell cmdlet to uninstall the app: `Get-AppxPackage -name WindowsSandbox | Remove-AppxPackage` From ba82227826b7cacbf69c0a20306d3c73b99af6bb Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Wed, 23 Oct 2024 16:32:28 -0600 Subject: [PATCH 17/23] Update FAQ --- .../windows-sandbox/windows-sandbox-faq.yml | 26 +++++++++---------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml index 015bb5dd5dd..bcec797106b 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml @@ -5,7 +5,7 @@ metadata: author: vinaypamnani-msft ms.author: vinpa ms.topic: faq - ms.date: 09/09/2024 + ms.date: 10/23/2024 title: Common questions about Windows Sandbox summary: Windows Sandbox (WSB) provides a lightweight desktop environment to safely run applications in isolation. This Frequently Asked Questions (FAQ) article is intended to help you learn more about Windows Sandbox. 
@@ -29,21 +29,21 @@ sections: - question: What's the difference between a Hyper-V virtual machine (VM) and Windows Sandbox? answer: | 1. **Lightweight and Temporary**: - - **Windows Sandbox**: It's a lightweight, disposable environment that runs within your existing Windows installation. You can quickly launch it, test applications, and discard it without affecting your main system. - - **Hyper-V VMs**: Hyper-V VMs are more heavyweight. They require dedicated resources (CPU, memory, disk space) and take longer to set up. + - Windows Sandbox: It's a lightweight, disposable environment that runs within your existing Windows installation. You can quickly launch it, test applications, and discard it without affecting your main system. + - Hyper-V VMs: Hyper-V VMs are more heavyweight. They require dedicated resources (CPU, memory, disk space) and take longer to set up. 1. **Security Isolation**: - - **Windows Sandbox**: Provides a secure, isolated environment for testing untrusted software. Any changes made within the sandbox are discarded when you close it. - - **Hyper-V VMs**: While VMs also offer isolation, they persistently store changes unless you revert them manually. + - Windows Sandbox: Provides a secure, isolated environment for testing untrusted software. Any changes made within the sandbox are discarded when you close it. + - Hyper-V VMs: While VMs also offer isolation, they persistently store changes unless you revert them manually. 1. **Resource Efficiency**: - - **Windows Sandbox**: More resource efficient than full VM. It adjusts memory usage according to the demand. It also reuses many of the host’s read only OS files. - - **Hyper-V VMs**: VMs have fixed resource allocations, which can impact overall system performance. + - Windows Sandbox: More resource efficient than full VM. It adjusts memory usage according to the demand. It also reuses many of the host's read only OS files. 
+ - Hyper-V VMs: VMs have fixed resource allocations, which can impact overall system performance. 1. **Ease of Use**: - - **Windows Sandbox**: Simple to use—just open it, test your software, and close it. No complex setup or management. - - **Hyper-V VMs**: Require more configuration, including setting up virtual switches, network adapters, and managing VM snapshots. + - Windows Sandbox: Simple to use—just open it, test your software, and close it. No complex setup or management. + - Hyper-V VMs: Require more configuration, including setting up virtual switches, network adapters, and managing VM snapshots. - question: What applications aren't supported inside a Windows Sandbox? answer: | - Inbox apps (for example, Store, Notepad) and Optional features turned on via 'Turn Windows Features On or Off' are not supported. + Inbox apps (for example, Store, Notepad) and Optional features turned on via 'Turn Windows Features On or Off' aren't supported. While Store apps can be installed, you can't download them directly from the Store since the Store app isn't available in the Sandbox. However, if you have an `.appx` package, you can still install those apps. - name: Usage 
@@ -59,11 +59,11 @@ sections: - question: Installing the latest version of Windows Sandbox fails. How do I fix this? answer: | - Ensure that your device has access to the Internet, Windows Update and Microsoft Store. Beginning from Windows 11 24H2, the old Windows Sandbox app attempts to download the latest version from the Store. If the upgrade fails initially, installation continues in the background while the user can still use the app. Additionally, the app is queued in the "Updates & Downloads" section of the Microsoft Store app for users who wish to manually install it manually. + Ensure that your device has access to the Internet, Windows Update, and Microsoft Store. Beginning from Windows 11 24H2, the old Windows Sandbox app attempts to download the latest version from the Store. If the upgrade fails initially, installation continues in the background while the user can still use the app. Additionally, the app is queued in the "Updates & Downloads" section of the Microsoft Store app for users who wish to manually install it manually. - - question: How do I know which version of Windows Sandbox I am running? + - question: How do I know which version of Windows Sandbox am I running? answer: | - Run `Get-AppxPackage -Name WindowsSandbox | Select-Object Version` in a PowerShell prompt. If the version is empty, you are running an older version of Windows Sandbox. If this returns a set of digits, you are running the newer version. + Run `Get-AppxPackage -Name WindowsSandbox | Select-Object Version` in a PowerShell prompt. If the version is empty, you're running an older version of Windows Sandbox. If it returns a version number, you're running the newer version. Alternatively, if your Windows Sandbox app has a '...' button in the top-right corner that opens a drop-down menu, you're using the new version. - question: How do I save the Sandbox state? From 53fd912111cc3fcf1695e7add01770d19041783c Mon Sep 17 00:00:00 2001 
From: "Vinay Pamnani (from Dev Box)" Date: Tue, 26 Nov 2024 10:11:54 -0700 Subject: [PATCH 18/23] Update link --- .../security/book/application-security-application-isolation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index f5a440d04bf..bedd6481b27 100644 --- a/windows/security/book/application-security-application-isolation.md +++ b/windows/security/book/application-security-application-isolation.md @@ -91,7 +91,7 @@ A **Virtualization-based security enclave** is a software-based trusted executio [LINK-6]: /windows/win32/secauthz/app-isolation-packaging-with-vs [LINK-7]: https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/ [LINK-8]: /windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations -[LINK-9]: /windows/security/application-security/application-isolation/windows-sandbox +[LINK-9]: /windows/security/application-security/application-isolation/windows-sandbox/index [LINK-10]: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall [LINK-11]: /windows/wsl/networking#dns-tunneling [LINK-12]: /windows/wsl/networking#auto-proxy From bd4ae8fe0beba497de490eda13c92173f6205d76 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Tue, 26 Nov 2024 10:14:53 -0700 Subject: [PATCH 19/23] Update link --- .../security/book/application-security-application-isolation.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/book/application-security-application-isolation.md b/windows/security/book/application-security-application-isolation.md index bedd6481b27..f5a440d04bf 100644 --- a/windows/security/book/application-security-application-isolation.md +++ b/windows/security/book/application-security-application-isolation.md 
@@ -91,7 +91,7 @@ A **Virtualization-based security enclave** is a software-based trusted executio [LINK-6]: /windows/win32/secauthz/app-isolation-packaging-with-vs [LINK-7]: https://blogs.windows.com/windowsdeveloper/2024/03/06/sandboxing-python-with-win32-app-isolation/ [LINK-8]: /windows/apps/windows-app-sdk/migrate-to-windows-app-sdk/feature-mapping-table?source=recommendations -[LINK-9]: /windows/security/application-security/application-isolation/windows-sandbox/index +[LINK-9]: /windows/security/application-security/application-isolation/windows-sandbox [LINK-10]: /windows/security/operating-system-security/network-security/windows-firewall/hyper-v-firewall [LINK-11]: /windows/wsl/networking#dns-tunneling [LINK-12]: /windows/wsl/networking#auto-proxy From 7742185b2bdb537fcb6ff81d702d2c3a263d6d2a Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Wed, 15 Jan 2025 09:43:25 -0700 Subject: [PATCH 20/23] Fix link --- windows/security/book/includes/windows-sandbox.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/book/includes/windows-sandbox.md b/windows/security/book/includes/windows-sandbox.md index 8e2f55f7473..d8d6385b3f1 100644 --- a/windows/security/book/includes/windows-sandbox.md +++ b/windows/security/book/includes/windows-sandbox.md @@ -14,4 +14,4 @@ Once Windows Sandbox is closed, nothing persists on the device. All the software [!INCLUDE [learn-more](learn-more.md)] -- [Windows Sandbox](/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview) +- [Windows Sandbox](/windows/security/application-security/application-isolation/windows-sandbox) From b34d3f8baadc0a6e220399a86b5a9a4e1a12cc58 Mon Sep 17 00:00:00 2001 
From: "Vinay Pamnani (from Dev Box)" Date: Wed, 15 Jan 2025 10:13:34 -0700 Subject: [PATCH 21/23] Implement feedback --- .../application-isolation/windows-sandbox/index.md | 3 +++ .../windows-sandbox/windows-sandbox-cli.md | 12 ++++++------ .../windows-sandbox/windows-sandbox-faq.yml | 13 ++++++++----- 3 files changed, 17 insertions(+), 11 deletions(-) diff --git a/windows/security/application-security/application-isolation/windows-sandbox/index.md b/windows/security/application-security/application-isolation/windows-sandbox/index.md index 33aa59a1b89..90957adc4bb 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/index.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/index.md @@ -33,6 +33,9 @@ WSB can be used without any technical skills in various scenarios where users ne - **Testing or demoing new software for the first time**: Test drive or demo new software, preview versions, extensions, or add-ons without the hassle of installing and then uninstalling on your host machine. - **Maintaining multiple dev environments**: Streamline your development process by utilizing WSB to maintain multiple sandboxes for different development environments. For example, maintain a sandbox for each python version and its dependencies! +> [!NOTE] +> Windows Sandbox currently doesn't allow multiple instances to run simultaneously. + [!INCLUDE [windows-sandbox](../../../../../includes/licensing/windows-sandbox.md)] diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md index 896af70b77d..c181a80a915 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-cli.md 
@@ -32,7 +32,7 @@ The start command creates and launches a new sandbox. The command returns the sa - Create a Windows Sandbox environment with a custom configuration: ```cmd - wsb start --config "Disabled" + wsb start --config "Disabled" ``` ## List @@ -50,7 +50,7 @@ The exec command executes a command in the sandbox. The command takes two argume > [!NOTE] > Currently, there is no support for process I/O meaning that there is no way to retrieve the output of a command run in Sandbox. -Commands in Windows Sandbox can be executed in the system context or in the context of the currently logged on user. However, there's no way to sign-in a user without an active RDP session. Therefore, there currently is no way to execute commands in the user context unless there's an active RDP session. +An active user session is required to execute a command in the context of the currently logged on user. Therefore, before running this command a remote desktop connection should be established. This can be done using the [connect](#connect) command. - `--id ` (REQUIRED): ID of the Windows Sandbox environment. - `-c, --command ` (REQUIRED): The command to execute within Windows Sandbox. 
@@ -71,17 +71,17 @@ The stop command terminates the sandbox process and releases the resources alloc wsb stop --id 12345678-1234-1234-1234-1234567890AB ``` -## Map +## Share -The map command maps a host folder to a folder in the sandbox. The command takes three arguments: the sandbox ID, the host path, and the sandbox path. The host path should be a folder. The sandbox path can be either an existing or a new folder. The share command allows the user to share files and folders between the host and the sandbox. An Additional, `--allow-write` option can be used to allow or disallow the Windows Sandbox environment to write to the folder. +The share command shares a host folder with the sandbox. The command takes three arguments: the sandbox ID, the host path, and the sandbox path. The host path should be a folder. The sandbox path can be either an existing or a new folder. An Additional, `--allow-write` option can be used to allow or disallow the Windows Sandbox environment to write to the folder. - `--id ` (REQUIRED): ID of the Windows Sandbox environment. -- `-f, --host-path ` (REQUIRED): Path to folder that is mapped from the host. +- `-f, --host-path ` (REQUIRED): Path to folder that is shared from the host. - `-s, --sandbox-path ` (REQUIRED): Path to the folder within the Windows Sandbox. - `-w, --allow-write`: If specified, the Windows Sandbox environment is allowed to write to the shared folder. ```cmd -wsb map --id 12345678-1234-1234-1234-1234567890AB -f C:\host\folder -s C:\sandbox\folder --allow-write +wsb share --id 12345678-1234-1234-1234-1234567890AB -f C:\host\folder -s C:\sandbox\folder --allow-write ``` ## Connect diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml index bcec797106b..16847cf3717 100644 
--- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml @@ -35,7 +35,7 @@ sections: - Windows Sandbox: Provides a secure, isolated environment for testing untrusted software. Any changes made within the sandbox are discarded when you close it. - Hyper-V VMs: While VMs also offer isolation, they persistently store changes unless you revert them manually. 1. **Resource Efficiency**: - - Windows Sandbox: More resource efficient than full VM. It adjusts memory usage according to the demand. It also reuses many of the host's read only OS files. + - Windows Sandbox: More resource efficient than a full VM. It adjusts memory usage according to the demand. It also reuses many of the host's read only OS files. - Hyper-V VMs: VMs have fixed resource allocations, which can impact overall system performance. 1. **Ease of Use**: - Windows Sandbox: Simple to use—just open it, test your software, and close it. No complex setup or management. 
@@ -59,12 +59,13 @@ sections: - question: Installing the latest version of Windows Sandbox fails. How do I fix this? answer: | - Ensure that your device has access to the Internet, Windows Update, and Microsoft Store. Beginning from Windows 11 24H2, the old Windows Sandbox app attempts to download the latest version from the Store. If the upgrade fails initially, installation continues in the background while the user can still use the app. Additionally, the app is queued in the "Updates & Downloads" section of the Microsoft Store app for users who wish to manually install it manually. + Ensure that your device has access to the Internet, Windows Update, and Microsoft Store. Beginning from Windows 11 24H2, the old Windows Sandbox app attempts to download the latest version from the Store. If the upgrade fails on the first attempt, subsequent attempts continue in the background. Meanwhile, the app can still be used. Additionally, the installation app is queued in the "Updates & Downloads" section of the Microsoft Store app for users who wish to manually install. - question: How do I know which version of Windows Sandbox am I running? answer: | Run `Get-AppxPackage -Name WindowsSandbox | Select-Object Version` in a PowerShell prompt. If the version is empty, you're running an older version of Windows Sandbox. If it returns a version number, you're running the newer version. - Alternatively, if your Windows Sandbox app has a '...' button in the top-right corner that opens a drop-down menu, you're using the new version. + Alternatively, you can run `wsb --version`. If `wsb` is not available, you're running an older version of Windows Sandbox. + The new version of Windows Sandbox also appears in Windows Settings under **System** > **System components**. - question: How do I save the Sandbox state? answer: | 
@@ -76,7 +77,9 @@ sections: - question: How do I uninstall Windows Sandbox? answer: | - Run the following PowerShell cmdlet to uninstall the app: `Get-AppxPackage -name WindowsSandbox | Remove-AppxPackage` + Run the following PowerShell cmdlet to uninstall the Windows Sandbox app: `Get-AppxPackage -name WindowsSandbox | Remove-AppxPackage` + + To completely remove Windows Sandbox, and all its components, navigate to **Settings > System > Optional features**, then select **More Windows features**, scroll down and unselect Windows Sandbox, then select OK. - name: Feedback questions: @@ -95,7 +98,7 @@ sections: - Behavior you were expecting. 1. Select an appropriate category and subcategory by using the dropdown menus. There's a dedicated option in Feedback Hub to file **Windows Sandbox** bugs and feedback. It's located under **Security and Privacy** category. 1. Select **Next**. - 1. If necessary, you can collect traces for the issue as follows: Select the Recreate my problem tile, then select Start capture, reproduce the issue, and then select **Stop capture**. + 1. If you are able to reproduce the issue, please collect traces as follows: Select the Recreate my problem tile, then select Start capture, reproduce the issue, and then select **Stop capture**. 1. Attach any relevant screenshots or files for the problem, then select **Submit**. Alternatively, you can also use the [Windows Sandbox GitHub repository](https://github.com/microsoft/Windows-Sandbox) to: From a86ca422c4884bb8ebafef9c706d96dbd0d130b7 Mon Sep 17 00:00:00 2001 From: "Vinay Pamnani (from Dev Box)" Date: Wed, 15 Jan 2025 13:20:15 -0700 Subject: [PATCH 22/23] Feedback --- .../windows-sandbox/windows-sandbox-faq.yml | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) 
diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml index 16847cf3717..ca1408a957d 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-faq.yml @@ -59,7 +59,8 @@ sections: - question: Installing the latest version of Windows Sandbox fails. How do I fix this? answer: | - Ensure that your device has access to the Internet, Windows Update, and Microsoft Store. Beginning from Windows 11 24H2, the old Windows Sandbox app attempts to download the latest version from the Store. If the upgrade fails on the first attempt, subsequent attempts continue in the background. Meanwhile, the app can still be used. Additionally, the installation app is queued in the "Updates & Downloads" section of the Microsoft Store app for users who wish to manually install. + Ensure that your device has access to the Internet, Windows Update, and Microsoft Store. Beginning from Windows 11 24H2, the old Windows Sandbox app attempts to download the latest version from the Store. If the upgrade fails on the first attempt, subsequent attempts continue in the background. Meanwhile, the app can still be used. Additionally, the update is queued in the "Updates & Downloads" section of the Microsoft Store app for users who wish to manually install. + - question: How do I know which version of Windows Sandbox am I running? answer: | 
@@ -77,9 +78,7 @@ sections: - question: How do I uninstall Windows Sandbox? answer: | - Run the following PowerShell cmdlet to uninstall the Windows Sandbox app: `Get-AppxPackage -name WindowsSandbox | Remove-AppxPackage` - - To completely remove Windows Sandbox, and all its components, navigate to **Settings > System > Optional features**, then select **More Windows features**, scroll down and unselect Windows Sandbox, then select OK. + To remove Windows Sandbox, and all its components, navigate to **Settings > System > Optional features**, then select **More Windows features**, scroll down and unselect Windows Sandbox, then select OK. - name: Feedback questions: From 17443cb81b95b7ceb225aaad2cf16e627d0c1ddf Mon Sep 17 00:00:00 2001 From: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com> Date: Fri, 24 Jan 2025 13:59:38 +0530 Subject: [PATCH 23/23] removed .md from redirect_url path to make redirection work --- .openpublishing.redirection.windows-security.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.openpublishing.redirection.windows-security.json b/.openpublishing.redirection.windows-security.json index 075b0bf165f..52233f5ad09 100644 --- a/.openpublishing.redirection.windows-security.json +++ b/.openpublishing.redirection.windows-security.json @@ -7,7 +7,7 @@ }, { "source_path": "windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md", - "redirect_url": "/windows/security/application-security/application-isolation/windows-sandbox/index.md", + "redirect_url": "/windows/security/application-security/application-isolation/windows-sandbox/index", "redirect_document_id": false }, {
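Review bot: The sentence added in the first hunk of windows-sandbox-configure-using-wsb-file.md (PATCH 15/23), "Beginning in Windows 11, version 23H2, you can use environment variables in the path", does not say which path it means or where the variables are expanded. The bullets that follow describe both **HostFolder** and **SandboxFolder**, so state whether one or both accept variables and whether they are resolved against the host or the sandbox environment.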
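Review bot: In the second hunk of windows-sandbox-configure-using-wsb-file.md (PATCH 15/23), the reworded `[!NOTE]` still leaves the reader to connect the risk to the **ReadOnly** bullet two lines above, which states that the value defaults to *false*. The note itself says that mapped files can be compromised by apps in the sandbox and that changes to a writable mapped folder persist after the Sandbox is disposed, so add a sentence recommending that `ReadOnly` be set to *true* unless write access is required. "write-permissions" should also be "write permissions".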
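Review bot: The new FAQ answer to "How do I save the Sandbox state?" in windows-sandbox-faq.yml (PATCH 15/23) says that closing the sandbox "deletes all software, files, and state", which conflicts with the note edited in the same patch in windows-sandbox-configure-using-wsb-file.md: changes made to a mapped folder with write permissions persist after the Sandbox is disposed. Qualify the answer to exclude writable mapped folders and link to the mapped folders section, so readers do not assume that files written to a host share are discarded.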
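Review bot: In PATCH 17/23, the second windows-sandbox-faq.yml hunk changes the question to "How do I know which version of Windows Sandbox am I running?", which is a grammatical regression from the removed "I am running"; keep the original word order. The same hunk touches the upgrade answer only to add a serial comma and leaves "who wish to manually install it manually" in place, so drop one "manually" while the line is being edited.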
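Review bot: PATCH 19/23 restores `[LINK-9]` in application-security-application-isolation.md to exactly the value that PATCH 18/23 replaced, so the two commits cancel out, and both carry the same "Update link" message. Squash or drop the pair, or say in the commit message why the `/index` suffix was wrong, since PATCH 23/23 later points the redirect for windows-sandbox-overview.md at `.../windows-sandbox/index` and the two link forms should be chosen deliberately.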
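Review bot: The `[!NOTE]` added to index.md in PATCH 21/23 sits directly under the bullet that advertises using WSB "to maintain multiple sandboxes for different development environments", and the two statements read as contradictory. If the intent is that several configurations can be kept but only one instance runs at a time, say so in the bullet or the note, in line with the FAQ answer that only one Sandbox instance can be launched at a time.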
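Review bot: The replacement paragraph in the exec section of windows-sandbox-cli.md (PATCH 21/23) drops the statement that commands can run in the system context or in the user context, so "before running this command a remote desktop connection should be established" now reads as a precondition for every `wsb exec` call. Keep the distinction from the removed text: a remote desktop session through the connect command is needed only for execution as the currently logged-on user. "logged on user" should be hyphenated as well.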
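Review bot: In the Share section hunk of windows-sandbox-cli.md (PATCH 21/23), the only example passes `--allow-write`, and nothing in the section repeats the warning from the `.wsb` configuration article that changes to a writable mapped folder persist after the sandbox is disposed. Show the form without `--allow-write` as the primary example and mention the persistence behaviour beside `-w, --allow-write`. The carried-over sentence "An Additional, `--allow-write` option can be used to allow or disallow ..." also needs fixing: lower-case "additional", remove the comma, and describe the flag as allowing writes only, since the option list gives no way to pass a disallow value.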
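Review bot: The uninstall hunk in PATCH 22/23 removes the `Get-AppxPackage -name WindowsSandbox | Remove-AppxPackage` step and keeps only the Optional features path, while the version answer earlier in the same file still identifies the newer version by its Appx package. Confirm in the text that clearing Windows Sandbox under **More Windows features** also removes the Store-delivered app, or keep the cmdlet as a second step. The UI labels "Windows Sandbox" and "OK" in the remaining sentence are not bolded like the other labels in that sentence.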