From 66ddb1be927e37a6de14d16514da2fb9ab78d580 Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Wed, 26 Apr 2023 11:15:02 -0400
Subject: [PATCH 1/3] Add another example for sandbox
---
...indows-sandbox-configure-using-wsb-file.md | 70 +++++++++++++++----
.../windows-sandbox-overview.md | 12 ++--
2 files changed, 64 insertions(+), 18 deletions(-)
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
index e9790d83e9..e9dc1bb0cc 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
@@ -5,7 +5,7 @@ ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier2
ms.topic: article
@@ -53,7 +53,7 @@ To create a configuration file:
To use a configuration file, double-click it to start Windows Sandbox according to its settings. You can also invoke it via the command line as shown here:
```batch
-C:\Temp> MyConfigFile.wsb
+C:\Temp> MyConfigFile.wsb
```
## Keywords, values, and limits
@@ -80,6 +80,7 @@ Enables or disables networking in the sandbox. You can disable network access to
`value`
Supported values:
+
- *Enable*: Enables networking in the sandbox.
- *Disable*: Disables networking in the sandbox.
- *Default*: This value is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.
@@ -93,12 +94,12 @@ An array of folders, each representing a location on the host machine that will
```xml
-
- absolute path to the host folder
- absolute path to the sandbox folder
- value
+
+ absolute path to the host folder
+ absolute path to the sandbox folder
+ value
-
+
...
@@ -110,8 +111,7 @@ An array of folders, each representing a location on the host machine that will
*ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.
-
-> [!NOTE]
+> [!NOTE]
> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.
### Logon command
@@ -136,13 +136,14 @@ Enables or disables audio input to the sandbox.
`value`
Supported values:
+
- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability.
- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
- *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled.
> [!NOTE]
> There may be security implications of exposing host audio input to the container.
-
+
### Video input
Enables or disables video input to the sandbox.
@@ -150,7 +151,8 @@ Enables or disables video input to the sandbox.
`value`
Supported values:
-- *Enable*: Enables video input in the sandbox.
+
+- *Enable*: Enables video input in the sandbox.
- *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
- *Default*: This value is the default value for video input support. Currently, this default value denotes that video input is disabled. Applications that use video input may not function properly in the sandbox.
@@ -164,6 +166,7 @@ Applies more security settings to the sandbox Remote Desktop client, decreasing
`value`
Supported values:
+
- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled.
- *Disable*: Runs the sandbox in standard mode without extra security mitigations.
- *Default*: This value is the default value for Protected Client mode. Currently, this default value denotes that the sandbox doesn't run in Protected Client mode.
@@ -178,6 +181,7 @@ Enables or disables printer sharing from the host into the sandbox.
`value`
Supported values:
+
- *Enable*: Enables sharing of host printers into the sandbox.
- *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
- *Default*: This value is the default value for printer redirection support. Currently, this default value denotes that printer redirection is disabled.
@@ -189,8 +193,9 @@ Enables or disables sharing of the host clipboard with the sandbox.
`value`
Supported values:
+
- *Enable*: Enables sharing of the host clipboard with the sandbox.
-- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
+- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
- *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*.
### Memory in MB
@@ -202,6 +207,7 @@ Specifies the amount of memory that the sandbox can use in megabytes (MB).
If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount.
## Example 1
+
The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
### Downloads.wsb
@@ -233,7 +239,7 @@ With the Visual Studio Code installer script already mapped into the sandbox, th
### VSCodeInstall.cmd
-Download vscode to `downloads` folder and run from `downloads` folder
+Download vscode to `downloads` folder and run from `downloads` folder.
```batch
REM Download Visual Studio Code
@@ -264,3 +270,41 @@ C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes
```
+
+## Example 3
+
+The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users.
+
+`C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file.
+
+### SwapMouse.ps1
+
+Create a powershell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`.
+
+```powershell
+[Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null
+
+$SwapButtons = Add-Type -MemberDefinition @'
+[DllImport("user32.dll")]
+public static extern bool SwapMouseButton(bool swap);
+'@ -Name "NativeMethods" -Namespace "PInvoke" -PassThru
+
+$SwapButtons::SwapMouseButton(!([System.Windows.Forms.SystemInformation]::MouseButtonsSwapped))
+```
+
+### SwapMouse.wsb
+
+```xml
+
+
+
+ C:\sandbox
+ C:\sandbox
+ True
+
+
+
+ powershell.exe -ExecutionPolicy Bypass -File C:\sandbox\SwapMouse.ps1
+
+
+```
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 6e2f83d198..846f0ed7f6 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -5,7 +5,7 @@ ms.prod: windows-client
author: vinaypamnani-msft
ms.author: vinpa
manager: aaroncz
-ms.collection:
+ms.collection:
- highpri
- tier2
ms.topic: article
@@ -22,6 +22,7 @@ A sandbox is temporary. When it's closed, all the software and files and the sta
Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
Windows Sandbox has the following properties:
+
- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
@@ -32,7 +33,7 @@ Windows Sandbox has the following properties:
> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file#networking).
## Prerequisites
-
+
- Windows 10 Pro, Enterprise or Education build 18305 or Windows 11 (*Windows Sandbox is currently not supported on Windows Home edition*)
- AMD64 or (as of [Windows 11 Build 22483](https://blogs.windows.com/windows-insider/2021/10/20/announcing-windows-11-insider-preview-build-22483/)) ARM64 architecture
- Virtualization capabilities enabled in BIOS
@@ -59,7 +60,7 @@ Windows Sandbox has the following properties:
> [!NOTE]
> To enable Sandbox using PowerShell, open PowerShell as Administrator and run the following command:
- >
+ >
> ```powershell
> Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
> ```
@@ -67,9 +68,10 @@ Windows Sandbox has the following properties:
4. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.
> [!NOTE]
- > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a right-handed mouse, you should apply these settings in Windows Sandbox manually.
+ > Windows Sandbox does not adhere to the mouse settings of the host system, so if the host system is set to use a left-handed mouse, you must apply these settings in Windows Sandbox manually when Windows Sandbox starts. Alternatively, you can use a sandbox configuration file to run a logon command to swap the mouse setting. For an example, see [Example 3](windows-sandbox-configure-using-wsb-file.md#example-3).
+
+## Usage
-## Usage
1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window.
2. Run the executable file or installer inside the sandbox.
From 3fc85a8320997668afe20468db47156324c7028c Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Wed, 26 Apr 2023 12:22:57 -0400
Subject: [PATCH 2/3] Update prereqs
---
.../windows-sandbox/windows-sandbox-overview.md | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 846f0ed7f6..153162fd8e 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -34,12 +34,16 @@ Windows Sandbox has the following properties:
## Prerequisites
-- Windows 10 Pro, Enterprise or Education build 18305 or Windows 11 (*Windows Sandbox is currently not supported on Windows Home edition*)
-- AMD64 or (as of [Windows 11 Build 22483](https://blogs.windows.com/windows-insider/2021/10/20/announcing-windows-11-insider-preview-build-22483/)) ARM64 architecture
+- Windows 10, version 1903 or later, or Windows 11
+- Windows Pro, Enterprise or Education edition
+- ARM64 (as of Windows 11, version 22H2) or AMD64 architecture
- Virtualization capabilities enabled in BIOS
- At least 4 GB of RAM (8 GB recommended)
- At least 1 GB of free disk space (SSD recommended)
-- At least two CPU cores (four cores with hyperthreading recommended)
+- At least two CPU cores (four cores with hyper-threading recommended)
+
+> [!NOTE]
+> Windows Sandbox is currently not supported on Windows Home edition
## Installation
From 00f4fd0438668b43d613689b73431ed232ba5d6f Mon Sep 17 00:00:00 2001
From: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com>
Date: Wed, 26 Apr 2023 12:37:43 -0400
Subject: [PATCH 3/3] Minor changes
---
.../windows-sandbox/windows-sandbox-overview.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
index 153162fd8e..74e81b1a05 100644
--- a/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
+++ b/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview.md
@@ -34,9 +34,9 @@ Windows Sandbox has the following properties:
## Prerequisites
-- Windows 10, version 1903 or later, or Windows 11
+- Windows 10, version 1903 and later, or Windows 11
- Windows Pro, Enterprise or Education edition
-- ARM64 (as of Windows 11, version 22H2) or AMD64 architecture
+- ARM64 (for Windows 11, version 22H2 and later) or AMD64 architecture
- Virtualization capabilities enabled in BIOS
- At least 4 GB of RAM (8 GB recommended)
- At least 1 GB of free disk space (SSD recommended)