diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md index dac2d9f311..399efd6820 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-architecture.md @@ -2,7 +2,7 @@ title: Windows Sandbox architecture description: Windows Sandbox architecture ms.topic: article -ms.date: 05/25/2023 +ms.date: 03/26/2024 --- # Windows Sandbox architecture @@ -15,7 +15,7 @@ Rather than requiring a separate copy of Windows to boot the sandbox, Dynamic Ba Most OS files are immutable and can be freely shared with Windows Sandbox. A small subset of operating system files are mutable and can't be shared, so the sandbox base image contains pristine copies of them. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of the mutable files. With the help of this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an extra copy of Windows. -Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once it's installed, the dynamic base image occupies about 500 MB of disk space. +Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once installed, the dynamic base image occupies about 500 MB of disk space. ![A chart compares scale of dynamic image of files and links with the host file system.](images/1-dynamic-host.png) @@ -27,7 +27,7 @@ Traditional VMs apportion statically sized allocations of host memory. When reso ## Memory sharing -Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets. +Because Windows Sandbox runs the same operating system image as the host, it's enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets. ![A chart compares the memory footprint in Windows Sandbox versus a traditional VM.](images/3-memory-sharing.png) @@ -37,7 +37,7 @@ With ordinary virtual machines, the Microsoft hypervisor controls the scheduling ![A chart compares the scheduling in Windows Sandbox versus a traditional VM.](images/4-integrated-kernal.png) -Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This preemption means that the most important work will be prioritized, whether it's on the host or in the container. +Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This preemption means that the most important work is prioritized, whether it's on the host or in the container. ## WDDM GPU virtualization @@ -47,7 +47,7 @@ This feature allows programs running inside the sandbox to compete for GPU resou ![A chart illustrates graphics kernel use in Sandbox managed alongside apps on the host.](images/5-wddm-gpu-virtualization.png) -To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems will render apps in Windows Sandbox with Microsoft's CPU-based rendering technology, Windows Advanced Rasterization Platform (WARP). +To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems render apps in Windows Sandbox with Microsoft's CPU-based rendering technology, Windows Advanced Rasterization Platform (WARP). ## Battery pass-through diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md index b33a5b9f67..236eeb8788 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-configure-using-wsb-file.md @@ -2,7 +2,7 @@ title: Windows Sandbox configuration description: Windows Sandbox configuration ms.topic: article -ms.date: 05/25/2023 +ms.date: 03/26/2024 --- # Windows Sandbox configuration @@ -11,13 +11,13 @@ Windows Sandbox supports simple configuration files, which provide a minimal set A configuration file enables the user to control the following aspects of Windows Sandbox: -- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP). +- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox uses Windows Advanced Rasterization Platform (WARP). - **Networking**: Enable or disable network access within the sandbox. -- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Exposing host directories may allow malicious software to affect the system or steal data. +- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Exposing host directories might allow malicious software to affect the system or steal data. - **Logon command**: A command that's executed when Windows Sandbox starts. - **Audio input**: Shares the host's microphone input into the sandbox. - **Video input**: Shares the host's webcam input into the sandbox. -- **Protected client**: Places increased security settings on the RDP session to the sandbox. +- **Protected client**: Places increased security settings on the Remote Desktop Protocol (RDP) session to the sandbox. - **Printer redirection**: Shares printers from the host into the sandbox. - **Clipboard redirection**: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth. - **Memory in MB**: The amount of memory, in megabytes, to assign to the sandbox. @@ -37,7 +37,7 @@ To create a configuration file: ``` -3. Add appropriate configuration text between the two lines. For details, see the correct syntax and the examples below. +3. Add appropriate configuration text between the two lines. For details, see [examples](#examples). 4. Save the file with the desired name, but make sure its filename extension is `.wsb`. In Notepad, you should enclose the filename and the extension inside double quotation marks, for example, `"My config file.wsb"`. ## Using a configuration file @@ -59,7 +59,7 @@ Enables or disables GPU sharing. Supported values: - *Enable*: Enables vGPU support in the sandbox. -- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU. +- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox uses software rendering, which might be slower than virtualized GPU. - *Default* This value is the default value for vGPU support. Currently, this default value denotes that vGPU is disabled. > [!NOTE] @@ -82,7 +82,7 @@ Supported values: ### Mapped folders -An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths aren't supported. If no path is specified, the folder will be mapped to the container user's desktop. +An array of folders, each representing a location on the host machine that is shared with the sandbox at the specified path. At this time, relative paths aren't supported. If no path is specified, the folder is mapped to the container user's desktop. ```xml @@ -97,11 +97,9 @@ An array of folders, each representing a location on the host machine that will ``` -*HostFolder*: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container will fail to start. - -*SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it will be created. If no sandbox folder is specified, the folder will be mapped to the container desktop. - -*ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*. +- *HostFolder*: Specifies the folder on the host machine to share into the sandbox. The folder must already exist on the host, or the container fails to start. +- *SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it is created. If no sandbox folder is specified, the folder is mapped to the container desktop. +- *ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*. > [!NOTE] > Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host. @@ -129,7 +127,7 @@ Enables or disables audio input to the sandbox. Supported values: -- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability. +- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox can receive audio input from the user. Applications that use a microphone may require this capability. - *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting. - *Default*: This value is the default value for audio input support. Currently, this default value denotes that audio input is enabled. @@ -189,7 +187,7 @@ Enables or disables sharing of the host clipboard with the sandbox. Supported values: - *Enable*: Enables sharing of the host clipboard with the sandbox. -- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted. +- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox is restricted. - *Default*: This value is the default value for clipboard redirection. Currently, copy/paste between the host and sandbox are permitted under *Default*. ### Memory in MB @@ -198,13 +196,15 @@ Specifies the amount of memory that the sandbox can use in megabytes (MB). `value` -If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount. +If the memory value specified is insufficient to boot a sandbox, it is automatically increased to the required minimum amount. -## Example 1 +## Examples + +### Example 1 The following config file can be used to easily test the downloaded files inside the sandbox. To achieve this testing, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started. -### Downloads.wsb +#### Downloads.wsb ```xml @@ -223,17 +223,17 @@ The following config file can be used to easily test the downloaded files inside ``` -## Example 2 +### Example 2 The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup. -Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which will install and run Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code. +Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which installs and runs Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code. With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it. -### VSCodeInstall.cmd +#### VSCodeInstall.cmd -Download vscode to `downloads` folder and run from `downloads` folder. +Downloads VS Code to `downloads` folder and runs installation from `downloads` folder. ```batch REM Download Visual Studio Code @@ -243,7 +243,7 @@ REM Install and run Visual Studio Code C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes ``` -### VSCode.wsb +#### VSCode.wsb ```xml @@ -265,15 +265,15 @@ C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes ``` -## Example 3 +### Example 3 The following config file runs a PowerShell script as a logon command to swap the primary mouse button for left-handed users. `C:\sandbox` folder on the host is mapped to the `C:\sandbox` folder in the sandbox, so the `SwapMouse.ps1` script can be referenced in the sandbox configuration file. -### SwapMouse.ps1 +#### SwapMouse.ps1 -Create a powershell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`. +Create a PowerShell script using the following code, and save it in the `C:\sandbox` directory as `SwapMouse.ps1`. ```powershell [Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms") | Out-Null diff --git a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md index 676b2a8179..1a0695eb98 100644 --- a/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md +++ b/windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md @@ -2,20 +2,20 @@ title: Windows Sandbox description: Windows Sandbox overview ms.topic: article -ms.date: 05/25/2023 +ms.date: 03/26/2024 --- # Windows Sandbox Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. -A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Note, however, that as of Windows 11, version 22H2, your data will persist through a restart initiated from inside the virtualized environment—useful for installing applications that require the OS to reboot. +A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Note, however, that as of Windows 11, version 22H2, your data persists through a restart initiated from inside the virtualized environment—useful for installing applications that require the OS to reboot. Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment. Windows Sandbox has the following properties: -- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD. +- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a Virtual Hard Disk (VHD). - **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows. - **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application. - **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host. @@ -70,9 +70,6 @@ Windows Sandbox has the following properties: ## Usage 1. Copy an executable file (and any other files needed to run the application) from the host and paste them into the **Windows Sandbox** window. - 2. Run the executable file or installer inside the sandbox. - 3. When you're finished experimenting, close the sandbox. A dialog box will state that all sandbox content will be discarded and permanently deleted. Select **Ok**. - 4. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox.