diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md index 693bd37571..fbc753ac22 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-architecture.md 
@@ -15,13 +15,13 @@ ms.reviewer: # Windows Sandbox architecture -Windows Sandbox benefits from new container technology in Windows in order to achieve a combination of security, density, and performance that is not available in traditional VMs. +Windows Sandbox benefits from new container technology in Windows to achieve a combination of security, density, and performance that's not available in traditional VMs. ## Dynamically generated image -Containers requires an operating system image to boot from. Rather than providing a separate copy of Windows to boot from, Dynamic Base Image technology leverages the copy of Windows that's already installed on the host. +Containers require an operating system image to boot from. Rather than providing a separate copy of Windows to boot from, Dynamic Base Image technology leverages the copy of Windows that's already installed on the host. -Most OS files are immutable and can be freely shared with Windows Sandbox. A small portion of the OS files are mutable and we can't be shared. But the container base image contains pristine copies of these files. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of mutable files. By using this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an additional copy of Windows. +Most OS files are immutable and can be freely shared with Windows Sandbox. A small portion of the OS files are mutable and we can't be shared. But the container base image contains pristine copies of these files. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of the mutable files. By using this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an additional copy of Windows. 
Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once it's installed, the dynamic base image occupies about 500 MB of disk space. 
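Review bot: The "Most OS files are immutable" paragraph in this hunk still carries the typo "A small portion of the OS files are mutable and we can't be shared" on the + line; the stray "we" should go so it reads "are mutable and can't be shared". Since the hunk already rewrites that sentence, fixing it here avoids a follow-up commit.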
@@ -29,13 +29,13 @@ Before Windows Sandbox is installed, the dynamic base image package is stored as ## Memory management -Traditional VM's apportion statically sized allocations of host memory. When resource needs change, classic VM's have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host in order to dynamically determine how host resources are allocated. This is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it is able to reclaim memory from the container much like it would with a process. +Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host to dynamically determine how host resources are allocated. This is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like it would with a process. ![A chart compares memory sharing in Windows Sandbox versus a traditional VM.](images/2-dynamic-working.png) ## Memory sharing -Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those of the binary when loaded on the host. Memory sharing between the host and sandbox results in a smaller memory footprint when compared to traditional VMs without compromising valuable host secrets. +Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." 
For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets. ![A chart compares the memory footprint in Windows Sandbox versus a traditional VM.](images/3-memory-sharing.png) 
@@ -45,17 +45,17 @@ With ordinary virtual machines, the Microsoft hypervisor controls the scheduling ![A chart compares the scheduling in Windows Sandbox versus a traditional VM.](images/4-integrated-kernal.png) -Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This means that the most important work will be prioritized, whether it is on the host or in the container. +Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This means that the most important work will be prioritized, whether it's on the host or in the container. ## WDDM GPU virtualization -Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft has worked with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and WDDM, the driver model used by display drivers on Windows. +Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows. -This allows programs running inside of the Sandbox to compete for GPU resources with applications running on the host. +This allows programs running inside the sandbox to compete for GPU resources with applications that are running on the host. 
![A chart illustrates graphics kernel use in Sandbox managed alongside apps on the host.](images/5-wddm-gpu-virtualization.png) -To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems will render apps in Windows Sandbox with Microsoft's CPU-based rendering technology (WARP). +To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems will render apps in Windows Sandbox with Microsoft's CPU-based rendering technology, Windows Advanced Rasterization Platform (WARP). ## Battery pass-through diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index ba2f4e2d3d..1c995e8174 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -22,7 +22,7 @@ Windows Sandbox configuration files are formatted as XML and are associated with **C:\Temp> MyConfigFile.wsb** A configuration file enables the user to control the following aspects of Windows Sandbox: -- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use WARP (software rasterizer). +- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP). - **Networking**: Enable or disable network access within the sandbox. - **Mapped folders**: Share folders from the host with *read* or *write* permissions. Note that exposing host directories may allow malicious software to affect the system or steal data. - **Logon command**: A command that's executed when Windows Sandbox starts. 
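Review bot: In the WDDM hunk, replacing "the driver model used by display drivers on Windows" with "the driver model used by Windows" loses precision: Windows has several driver models, and WDDM is specifically the display driver model. Suggest "Windows Display Driver Model (WDDM), the driver model used by display drivers on Windows".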
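Review bot: In the configuration-file hunk (@@ -22), the vGPU bullet drops "(software rasterizer)" when expanding WARP; the expansion alone does not tell the reader that disabling vGPU means CPU-based software rendering, which is the detail that matters when choosing the setting. Suggest keeping it: "the sandbox will use Windows Advanced Rasterization Platform (WARP), a software rasterizer." The architecture page in this same patch describes WARP as "CPU-based rendering technology", so the two pages would then agree.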
@@ -41,7 +41,7 @@ Windows Sandbox configuration files are formatted as XML and are associated with Supported values: - *Enable*: Enables vGPU support in the sandbox. -- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which can be slower than virtualized GPU. +- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU. - *Default* This is the default value for vGPU support. Currently this means vGPU is disabled. > [!NOTE] @@ -58,8 +58,9 @@ Supported values: > [!NOTE] > Enabling networking can expose untrusted applications to the internal network. -**Mapped Folders**: An array of folders, each representing a location on the host machine which will be shared into the sandbox at the specified path. If no path is specified, the folder will be mapped to the container user's desktop. +**Mapped folders**: An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. If no path is specified, the folder will be mapped to the container user's desktop. +``` `` list of MappedFolder objects path to the host folder 
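Review bot: In the vGPU hunk (@@ -41), the unchanged context line "- *Default* This is the default value for vGPU support." is missing the colon that every other value entry in the file uses ("- *Disable*: Disables vGPU support..."); since the hunk touches the adjacent *Disable* line, it would be cheap to make it "- *Default*: This is the default value for vGPU support."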
@@ -69,22 +70,20 @@ Supported values: ... - `` - ``` -*HostFolder*: Specifies the folder on the host machine to share into the sandbox. Note that the folder must already exist on the host or the container will fail to start. +*HostFolder*: Specifies the folder on the host machine to share into the sandbox. Note that the folder must already exist on the host, or the container will fail to start. -*SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder does not exist, it will be created. If no sandbox folder is specified, the folder will be mapped to the container desktop. +*SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it will be created. If no sandbox folder is specified, the folder will be mapped to the container desktop. -*ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: true/false. Defaults to false. +*ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*. > [!NOTE] > Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host. -**Logon Command**: Specifies a single command which will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. +**Logon command**: Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account. ``` 
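Review bot: The hunk at @@ -69 removes the closing line of the MappedFolders block and the closing fence, while the preceding hunk (@@ -58) adds an opening fence after the "Mapped folders" paragraph. Please confirm the rendered page still has a closing fence before the "*HostFolder*:" line; if the only fence now present is the added opening one, the *HostFolder*, *SandboxFolder* and *ReadOnly* descriptions will render inside the code block, and the example will be missing its closing element.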
@@ -95,9 +94,9 @@ Supported values: *Command*: A path to an executable or script inside the container that will be executed after login. > [!NOTE] -> Although very simple commands will work (launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive. +> Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive. -**AudioInput**: Enables or disables audio input to the sandbox. +**Audio input**: Enables or disables audio input to the sandbox. `value` @@ -109,7 +108,7 @@ Supported values: > [!NOTE] > There may be security implications of exposing host audio input to the container. -**VideoInput**: Enables or disables video input to the sandbox. +**Video input**: Enables or disables video input to the sandbox. `value` @@ -121,7 +120,7 @@ Supported values: > [!NOTE] > There may be security implications of exposing host video input to the container. -**Protected Client**: Implements increased-security settings on the sandbox RDP session. These settings decrease the attack surface of the sandbox. +**Protected client**: Implements increased-security settings on the sandbox RDP session. These settings decrease the attack surface of the sandbox. `value` @@ -133,7 +132,7 @@ Supported values: > [!NOTE] > This setting may restrict the user's ability to copy/paste files in and out of the sandbox. -**Printer Redirection**: Enables or disables printer sharing from the host into the sandbox. +**Printer redirection**: Enables or disables printer sharing from the host into the sandbox. `value` 
@@ -142,7 +141,7 @@ Supported values: - *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host. - *Default*: This is the default value for printer redirection support. Currently this means printer redirection is disabled. -**ClipboardRedirection**: Enables or disables sharing of the host clipboard with the sandbox. +**Clipboard redirection**: Enables or disables sharing of the host clipboard with the sandbox. `value` @@ -150,14 +149,14 @@ Supported values: - *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted. - *Default*: This is the default value for clipboard redirection. Currently copy/paste between the host and sandbox are permitted under *Default*. -**MemoryInMB**: Specifies the amount of memory that the sandbox can use in megabytes (MB). +**Memory in MB**: Specifies the amount of memory that the sandbox can use in megabytes (MB). `value` If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount. ***Example 1*** -The following config file can be used to easily test downloaded files inside of the sandbox. To achieve this, the script disables networking and vGPU, and restricts the shared downloads folder to read-only access in the container. For convenience, the logon command opens the downloads folder inside of the container when it is started. +The following config file can be used to easily test downloaded files inside the sandbox. To achieve this, the script disables networking and vGPU and restricts the shared downloads folder to read-only access in the container. For convenience, the logon command opens the downloads folder inside the container when it's started. *Downloads.wsb* 
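Review bot: Across this hunk and the preceding ones, the bold labels are being changed from the element names users type into the .wsb file to prose ("**MemoryInMB**" to "**Memory in MB**", "**ClipboardRedirection**" to "**Clipboard redirection**", likewise "Audio input", "Video input", "Protected client", "Printer redirection", "Logon command", "Mapped folders"), while the note further up still refers to "the *LogonCommand* directive" and the fields *HostFolder*, *SandboxFolder* and *ReadOnly* keep their element spelling. Since the reader has to reproduce the element names exactly in XML, suggest keeping the element name next to each label, for example "**Memory in MB** (`MemoryInMB`):", so the headings stay searchable and consistent with the XML snippets below them.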
@@ -175,26 +174,27 @@ The following config file can be used to easily test downloaded files inside of explorer.exe C:\users\WDAGUtilityAccount\Downloads - + ``` ***Example 2*** + The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup. -Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which will install and run VSCode. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using VSCode. +Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which will install and run Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code. -With the VSCode installer script already mapped into the sandbox, the LogonCommand can reference it. +With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it. *VSCodeInstall.cmd* ``` -REM Download VSCode +REM Download Visual Studio Code curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe -REM Install and run VSCode +REM Install and run Visual Studio Code C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes ``` -8VSCode.wsb* +*8VSCode.wsb* ``` diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md index a01cada336..200557bec3 100644 --- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md 
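Review bot: In the Example 2 hunk, the "*8VSCode.wsb*" line only wraps the existing typo in italics; the leading "8" is a leftover from the original mistyped asterisk and the file name should be "*VSCode.wsb*", matching "*Downloads.wsb*" in Example 1. Worth also stating in the example's lead-in that this scenario needs the Networking setting left enabled, since VSCodeInstall.cmd fetches the installer with curl inside the sandbox and then runs it, which is the opposite of Example 1's "disables networking" configuration.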
@@ -15,7 +15,7 @@ ms.reviewer: # Windows Sandbox overview -Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software that's installed inside the Windows Sandbox environment remains in the "sandboxed" and can't affect the host machine. +Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software that's installed inside the Windows Sandbox environment remains "sandboxed" and can't affect the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are permanently deleted. You get a brand-new instance of the sandbox every time you open the application. @@ -44,7 +44,7 @@ The following video provides an overview of Windows Sandbox. ## Installation -1. Ensure that your machine is using Windows 10 Pro or Enterprise build version 18305 or later. +1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or later. 2. Enable virtualization on the machine. - If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
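Review bot: In the overview hunk (@@ -15), the rewritten sentence keeps the unqualified claim that software in the sandbox "can't affect the host machine", but the configuration page in this same patch says the opposite for non-default settings: "exposing host directories may allow malicious software to affect the system or steal data", "Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host", and "Enabling networking can expose untrusted applications to the internal network". Suggest qualifying the overview, e.g. "can't affect the host machine unless the configuration file maps host folders or enables other host resources", so the two pages do not contradict each other.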