mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-06-18 20:03:40 +00:00
Merge branch 'master' of https://github.com/MicrosoftDocs/windows-docs-pr into schema-updates
@ -30,7 +30,12 @@ For the purposes of this guide, we will use one server computer: CM01.

## Add drivers for Windows PE

This section will show you how to import some network and storage drivers for Windows PE. This section assumes you have downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01.
This section will show you how to import some network and storage drivers for Windows PE.

>[!NOTE]
>Windows PE usually has a fairly comprehensive set of drivers out of the box, assuming that you are using a recent version of the Windows ADK. This is different than the full Windows OS which will often require drivers. You shouldn't add drivers to Windows PE unless you have an issue or are missing functionality, and in these cases you should only add the driver that you need. An example of a common driver that is added is the Intel I217 driver. Adding too many drivers can cause conflicts and lead to driver bloat in the Config Mgr database. This section shows you how to add drivers, but typically you can just skip this procedure.

This section assumes you have downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01.


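Review bot: "driver bloat in the Config Mgr database" in the new note should say "Configuration Manager database" to match the product name used everywhere else in this guide, and "different than the full Windows OS" reads better as "different from the full Windows OS". Splitting the original paragraph so that the note sits between the intro sentence and the D:\\Sources\\OSD\\DriverSources\\WinPE x64 assumption is fine.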
@ -22,6 +22,7 @@ ms.topic: article

- Windows 10

In Microsoft Microsoft Endpoint Configuration Manager, you can create custom Windows Preinstallation Environment (Windows PE) boot images that include extra components and features. This topic shows you how to create a custom Windows PE 5.0 boot image with the Microsoft Deployment Toolkit (MDT) wizard. You can also add the Microsoft Diagnostics and Recovery Toolset (DaRT) 10 to the boot image as part of the boot image creation process.
- The boot image that is created is based on the version of ADK that is installed.

For the purposes of this guide, we will use one server computer: CM01.
- CM01 is a domain member server and Configuration Manager software distribution point. In this guide CM01 is a standalone primary site server. CM01 is running Windows Server 2019. However, an earlier, supported version of Windows Server can also be used.
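Review bot: the added bullet "- The boot image that is created is based on the version of ADK that is installed." lands directly after the intro paragraph with no blank line and no other list items around it, so it renders as a stray one-item list; fold it into the paragraph as a sentence ("The boot image that is created is based on the version of the Windows ADK that is installed.") or place it with the CM01 bullets below. While editing this area, "In Microsoft Microsoft Endpoint Configuration Manager" in the context line duplicates "Microsoft".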
@ -30,7 +31,9 @@ For the purposes of this guide, we will use one server computer: CM01.

## Add DaRT 10 files and prepare to brand the boot image

The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. We assume you have downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you have created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named <a href="../images/ContosoBackground.png">ContosoBackground.bmp</a>.
The steps below outline the process for adding DaRT 10 installation files to the MDT installation directory. You also copy a custom background image to be used later. These steps are optional. If you do not wish to add DaRT, skip the steps below to copy DaRT tools and later skip adding the DaRT component to the boot image.

We assume you have downloaded [Microsoft Desktop Optimization Pack (MDOP) 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015) and copied the x64 version of MSDaRT100.msi to the **C:\\Setup\\DaRT 10** folder on CM01. We also assume you have created a custom background image and saved it in **C:\\Setup\\Branding** on CM01. In this section, we use a custom background image named <a href="../images/ContosoBackground.png">ContosoBackground.bmp</a>.

On **CM01**:

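Review bot: the background image link `<a href="../images/ContosoBackground.png">ContosoBackground.bmp</a>` has link text ending in .bmp while the href points at a .png; step 6 later browses to ContosoBackground.bmp, so the href (or the image file) should be made consistent rather than carried over unchanged. The new optional-steps sentence is also awkward: "skip the steps below to copy DaRT tools and later skip adding the DaRT component" reads more clearly as "skip the steps below that copy the DaRT tools, and later skip adding the DaRT component to the boot image".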
@ -61,6 +64,8 @@ On **CM01**:

Add the DaRT component to the Configuration Manager boot image.

>Note: Another common component to add here is Windows PowerShell to enable PowerShell support within Windows PE.

6. On the **Customization** page, select the **Use a custom background bitmap file** check box, and in the **UNC path:** text box, browse to **\\\\CM01\\Sources$\\OSD\\Branding\\ContosoBackground.bmp** and then click **Next** twice. Wait a few minutes while the boot image is generated, and then click **Finish**.
7. Distribute the boot image to the CM01 distribution point by selecting the **Boot images** node, right-clicking the **Zero Touch WinPE x64** boot image, and selecting **Distribute Content**.
8. In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
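Review bot: the added callout is written as ">Note: Another common component..." whereas the other notes in this same change use the "> [!NOTE]" alert syntax (see the Windows PE driver note and the AppLocker note); use "> [!NOTE]" so it renders as a callout instead of a plain blockquote. Because it is inserted between the text of the previous step and "6. On the **Customization** page", it also needs to be indented under that step, otherwise the blank lines around it restart the numbered list.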
@ -35,7 +35,8 @@ In this topic, you will use [components](#components-of-configuration-manager-op
- The Configuration Manager [reporting services](https://docs.microsoft.com/configmgr/core/servers/manage/configuring-reporting) point role has been added and configured.
- A file system folder structure and Configuration Manager console folder structure for packages has been created. Steps to verify or create this folder structure are [provided below](#review-the-sources-folder-structure).
- The [Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) (including USMT) version 1903, Windows PE add-on, WSIM 1903 update, [MDT](https://www.microsoft.com/download/details.aspx?id=54259) version 8456, and DaRT 10 (part of [MDOP 2015](https://my.visualstudio.com/Downloads?q=Desktop%20Optimization%20Pack%202015)) are installed.
- The CMTrace tool (part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717)) is installed on the distribution point.
- The [CMTrace tool](https://docs.microsoft.com/configmgr/core/support/cmtrace) (cmtrace.exe) is installed on the distribution point.
- Note: CMTrace is automatically installed with the current branch of Configuration Manager at **Program Files\Microsoft Configuration Manager\tools\cmtrace.exe**. In previous releases of ConfigMgr it was necessary to install the [Configuration Manager Toolkit](https://www.microsoft.com/download/details.aspx?id=50012) separately to get the CMTrace tool, but this is no longer needed. Configuraton Manager version 1910 installs version 5.0.8913.1000 of the CMTrace tool.

For the purposes of this guide, we will use three server computers: DC01, CM01 and HV01.
- DC01 is a domain controller and DNS server for the contoso.com domain. DHCP services are also available and optionally installed on DC01 or another server.
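Review bot: "Configuraton Manager version 1910" in the new note bullet is missing an "i". The note itself is a product remark rather than a prerequisite, so a "> [!NOTE]" callout after the prerequisites list would fit the page's conventions better than a "- Note:" list item; if it stays a bullet, "ConfigMgr" should be spelled out as "Configuration Manager" like the rest of the sentence.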
@ -372,7 +373,6 @@ MDT Zero Touch simply extends Configuration Manager with many useful built-in op
### Why use MDT Lite Touch to create reference images

You can create reference images for Configuration Manager in Configuration Manager, but in general we recommend creating them in MDT Lite Touch for the following reasons:
- In a deployment project, it is typically much faster to create a reference image using MDT Lite Touch than Configuration Manager.
- You can use the same image for every type of operating system deployment - Microsoft Virtual Desktop Infrastructure (VDI), Microsoft System Center Virtual Machine Manager (VMM), MDT, Configuration Manager, Windows Deployment Services (WDS), and more.
- Configuration Manager performs deployment in the LocalSystem context. This means that you cannot configure the Administrator account with all of the settings that you would like to be included in the image. MDT runs in the context of the Local Administrator, which means you can configure the look and feel of the configuration and then use the CopyProfile functionality to copy these changes to the default user during deployment.
- The Configuration Manager task sequence does not suppress user interface interaction.
@ -45,9 +45,9 @@ For a CSP to register Windows Autopilot devices on behalf of a customer, the cus

- Select the checkbox indicating whether or not you want delegated admin rights:

- NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Store for Business or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges
- NOTE: Depending on your partner, they might request Delegated Admin Permissions (DAP) when requesting this consent. You should ask them to use the newer DAP-free process (shown in this document) if possible. If not, you can easily remove their DAP status either from Microsoft Admin Center or the Office 365 admin portal: https://docs.microsoft.com/partner-center/customers_revoke_admin_privileges
- Send the template above to the customer via email.
2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following Microsoft 365 admin center page:
2. Customer with global administrator privileges in Microsoft Admin Center clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following Microsoft 365 admin center page:


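Review bot: the rewritten step 2 says "global administrator privileges in Microsoft Admin Center" and then "takes them directly to the following Microsoft 365 admin center page" in the same sentence; pick one name for the portal (the linked page uses "Microsoft 365 admin center"). The NOTE likewise now reads "either from Microsoft Admin Center or the Office 365 admin portal", which looks like two names for the same place after this change; if a distinct portal is meant, say which, otherwise keep only the Microsoft 365 admin center wording and the revoke-privileges link.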
@ -696,6 +696,9 @@
#### [Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
#### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)

### [Windows Sandbox](windows-sandbox/windows-sandbox-overview.md)
#### [Windows Sandbox architecture](windows-sandbox/windows-sandbox-architecture.md)
#### [Windows Sandbox configuration](windows-sandbox/windows-sandbox-configure-using-wsb-file.md)

### [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)

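Review bot: of the three new TOC targets, windows-sandbox/windows-sandbox-architecture.md and windows-sandbox/windows-sandbox-configure-using-wsb-file.md are added further down in this commit, but windows-sandbox/windows-sandbox-overview.md does not appear in the visible diff; confirm that file exists (or is added in the same PR) before merging, otherwise the new "### [Windows Sandbox]" entry is a broken link. The "###"/"####" nesting mirrors the SmartScreen block above and is fine.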
@ -42,7 +42,7 @@ The following tables provide more information about the hardware, firmware, and
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](https://docs.microsoft.com/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |

> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.

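Review bot: adding "Windows 10 Pro" to the qualified operating system row changes a supportability statement, so it should be backed by the edition/licensing reference and mirrored on any other page that lists the editions supporting Device Guard or HVCI, otherwise the docs will contradict each other. In the untouched context rows, the "Filter driver download" link uses the same fwlink (linkid=2027110) as the "Systems download" link two rows above, which looks like a copy-and-paste slip worth fixing while this table is open.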
@ -75,6 +75,6 @@ The following tables describe additional hardware and firmware qualifications, a

| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|------|
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>• UEFI runtime service must meet these requirements: <br> • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> • PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br> • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> • No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and exceutable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.<br>• UEFI runtime service must meet these requirements: <br> • Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br> • PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br> • The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br> • All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br> • No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and executable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware. |
| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM. |

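Review bot: the three "exceutable" fixes are correct, but the same cell still contains "not required for in non-volitile storage", which should read "not required in non-volatile storage", and "writeable" appears twice where the rest of the row uses "writable". The SMM row below also runs two sentences together: "Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS"; aligning it with the row above as "Vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)" fixes the grammar without changing the claim.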
@ -15,7 +15,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: article
ms.date: 04/24/2018
ms.date: 03/27/2020
---

# View and organize the Microsoft Defender Advanced Threat Protection Alerts queue
@ -27,6 +27,9 @@ ms.date: 04/24/2018

The **Alerts queue** shows a list of alerts that were flagged from machines in your network. By default, the queue displays alerts seen in the last 30 days in a grouped view, with the most recent alerts showing at the top of the list, helping you see the most recent alerts first.

>[!NOTE]
>The alerts queue is significantly reduced with automated investigation and remediation, allowing security operations experts to focus on more sophisticated threats and other high value initiatives. When an alert contains a supported entity for automated investigation (for example, a file) in a machine that has a supported operating system for it, an automated investigation and remediation can start. For more information on automated investigations, see [Overview of Automated investigations](automated-investigations.md).

There are several options you can choose from to customize the alerts queue view.

On the top navigation you can:
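Review bot: "The alerts queue is significantly reduced with automated investigation and remediation" states an outcome as a given; since it depends on the tenant having automated investigation enabled and on the alert types involved, "can be significantly reduced" is the defensible wording, and the sentence that follows already scopes when an automated investigation can start. Minor: "high value initiatives" should be hyphenated ("high-value"), and the callout is written ">[!NOTE]" with no space while other pages in this diff use "> [!NOTE]"; both render, but keep one style per page.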
@ -45,10 +48,10 @@ You can apply the following filters to limit the list of alerts and get a more f

Alert severity | Description
:---|:---
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines.
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational </br>(Grey) | Informational alerts are those that might not be considered harmful to the network but might be good to keep track of.
High </br>(Red) | Alerts commonly seen associated with advanced persistent threats (APT). These alerts indicate a high risk due to the severity of damage they can inflict on machines. Some examples of these are credential theft tools activities, ransomware activities not associated with any group, tampering with security sensors, or any malicious activities indicative of a human adversary.
Medium </br>(Orange) | Alerts from endpoint detection and response post-breach behaviors that might be a part of an advanced persistent threat (APT). This includes observed behaviors typical of attack stages, anomalous registry change, execution of suspicious files, and so forth. Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack.
Low </br>(Yellow) | Alerts on threats associated with prevalent malware, hack-tools, non-malware hack tools, such as running exploration commands, clearing logs, etc., that often do not indicate an advanced threat targeting the organization. It could also come from an isolated security tool testing by a user in your organization.
Informational </br>(Grey) | Alerts that might not be considered harmful to the network but can drive organizational security awareness on potential security issues.

#### Understanding alert severity
It is important to understand that the Windows Defender Antivirus (Windows Defender AV) and Microsoft Defender ATP alert severities are different because they represent different scopes.
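Review bot: in the new Medium row, "Although some might be part of internal security testing, it requires investigation as it might also be a part of an advanced attack" leaves "it" without a subject; suggest "Although some of these alerts might result from internal security testing, they require investigation because they might also be part of an advanced attack." The new Low row double-lists "hack-tools, non-malware hack tools" with inconsistent hyphenation and an "etc." inside the clause; "prevalent malware and hack tools, including non-malware activity such as running discovery commands or clearing logs, that often do not indicate an advanced threat" keeps the same examples and reads cleanly. In the High row, "Alerts commonly seen associated with" can drop "seen", and "credential theft tools activities" should be "credential theft tool activity".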
@ -81,6 +81,9 @@ The following are examples of scenarios in which AppLocker can be used:
- Some computers in your organization are shared by people who have different software usage needs, and you need to protect specific apps.
- In addition to other measures, you need to control the access to sensitive data through app usage.

> [!NOTE]
> AppLocker is a defense-in-depth security feature and **not** a [security boundary](https://www.microsoft.com/msrc/windows-security-servicing-criteria). [Windows Defender Application Control](https://www.microsoft.com/msrc/windows-security-servicing-criteria) should be used when the goal is to provide robust protection against a threat and there are expected to be no by-design limitations that would prevent the security feature from achieving this goal.

AppLocker can help you protect the digital assets within your organization, reduce the threat of malicious software being introduced into your environment, and improve the management of application control and the maintenance of application control policies.

## Installing AppLocker
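Review bot: in the new note, the "[Windows Defender Application Control]" link points at https://www.microsoft.com/msrc/windows-security-servicing-criteria, which is the same URL as the preceding "security boundary" link; it should point at the WDAC documentation so readers land on the feature being recommended, not on the servicing-criteria page a second time. The closing clause "there are expected to be no by-design limitations that would prevent the security feature from achieving this goal" is hard to parse; "and no by-design limitations that would prevent the feature from meeting that goal are acceptable" says the same thing more directly. The note itself, stating that AppLocker is defense in depth rather than a security boundary, is the right framing to add here.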
@ -0,0 +1,62 @@
---
title: Windows Sandbox architecture
description:
ms.prod: w10
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection:
ms.topic: article
ms.localizationpriority:
ms.date:
ms.reviewer:
---

# Windows Sandbox architecture

Windows Sandbox benefits from new container technology in Windows to achieve a combination of security, density, and performance that isn't available in traditional VMs.

## Dynamically generated image

Rather than requiring a separate copy of Windows to boot the sandbox, Dynamic Base Image technology leverages the copy of Windows already installed on the host.

Most OS files are immutable and can be freely shared with Windows Sandbox. A small subset of operating system files are mutable and cannot be shared, so the sandbox base image contains pristine copies of them. A complete Windows image can be constructed from a combination of the sharable immutable files on the host and the pristine copies of the mutable files. By using this scheme, Windows Sandbox has a full Windows installation to boot from without needing to download or store an additional copy of Windows.

Before Windows Sandbox is installed, the dynamic base image package is stored as a compressed 30-MB package. Once it's installed, the dynamic base image occupies about 500 MB of disk space.

## Memory management

Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host to dynamically determine how host resources are allocated. This is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like it would with a process.

## Memory sharing

Because Windows Sandbox runs the same operating system image as the host, it has been enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.

## Integrated kernel scheduler

With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.

Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This means that the most important work will be prioritized, whether it's on the host or in the container.

## WDDM GPU virtualization

Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows.

This allows programs running inside the sandbox to compete for GPU resources with applications that are running on the host.

To take advantage of these benefits, a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer) is required. Incompatible systems will render apps in Windows Sandbox with Microsoft's CPU-based rendering technology, Windows Advanced Rasterization Platform (WARP).

## Battery pass-through

Windows Sandbox is also aware of the host's battery state, which allows it to optimize its power consumption. This functionality is critical for technology that is used on laptops, where battery life is often critical.
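Review bot: the front matter of the new windows-sandbox-architecture.md leaves description:, ms.collection:, ms.localizationpriority:, ms.date: and ms.reviewer: empty; at least description and ms.date should be filled before this publishes, since an empty description produces a blank search snippet and the build flags missing dates. In the "Memory sharing" section, "without compromising valuable host secrets" is the sentence security readers will look for; it would be stronger with one clause stating what direct map shares (the physical pages of operating system binaries such as *ntdll.dll*, which the "Dynamically generated image" section already classes as immutable) and that host process memory is not shared. The "Battery pass-through" paragraph uses "critical" twice in two sentences; "important" for the second occurrence reads better.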
@ -0,0 +1,216 @@
---
title: Windows Sandbox configuration
description:
ms.prod: w10
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection:
ms.topic: article
ms.localizationpriority:
ms.date:
ms.reviewer:
---

# Windows Sandbox configuration

Windows Sandbox supports simple configuration files, which provide a minimal set of customization parameters for Sandbox. This feature can be used with Windows 10 build 18342 or later.

Windows Sandbox configuration files are formatted as XML and are associated with Sandbox via the .wsb file extension. To use a configuration file, double-click it to open it in the sandbox. You can also invoke it via the command line as shown here:

**C:\Temp> MyConfigFile.wsb**

A configuration file enables the user to control the following aspects of Windows Sandbox:
- **vGPU (virtualized GPU)**: Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP).
- **Networking**: Enable or disable network access within the sandbox.
- **Mapped folders**: Share folders from the host with *read* or *write* permissions. Note that exposing host directories may allow malicious software to affect the system or steal data.
- **Logon command**: A command that's executed when Windows Sandbox starts.
- **Audio input**: Shares the host's microphone input into the sandbox.
- **Video input**: Shares the host's webcam input into the sandbox.
- **Protected client**: Places increased security settings on the RDP session to the sandbox.
- **Printer redirection**: Shares printers from the host into the sandbox.
- **Clipboard redirection**: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
- **Memory in MB**: The amount of memory, in megabytes, to assign to the sandbox.

**Keywords, values, and limits**

**vGPU**: Enables or disables GPU sharing.

`<vGPU>value</vGPU>`

Supported values:
- *Enable*: Enables vGPU support in the sandbox.
- *Disable*: Disables vGPU support in the sandbox. If this value is set, the sandbox will use software rendering, which may be slower than virtualized GPU.
- *Default* This is the default value for vGPU support. Currently this means vGPU is disabled.

> [!NOTE]
> Enabling virtualized GPU can potentially increase the attack surface of the sandbox.

**Networking**: Enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox.

`<Networking>value</Networking>`

Supported values:
- *Disable*: Disables networking in the sandbox.
- *Default*: This is the default value for networking support. This value enables networking by creating a virtual switch on the host and connects the sandbox to it via a virtual NIC.

> [!NOTE]
> Enabling networking can expose untrusted applications to the internal network.

**Mapped folders**: An array of folders, each representing a location on the host machine that will be shared into the sandbox at the specified path. At this time, relative paths are not supported. If no path is specified, the folder will be mapped to the container user's desktop.

```xml
<MappedFolders>
<MappedFolder>
<HostFolder>absolute path to the host folder</HostFolder>
<SandboxFolder>absolute path to the sandbox folder</SandboxFolder>
<ReadOnly>value</ReadOnly>
</MappedFolder>
<MappedFolder>
...
</MappedFolder>
</MappedFolders>
```

*HostFolder*: Specifies the folder on the host machine to share into the sandbox. Note that the folder must already exist on the host, or the container will fail to start.

*SandboxFolder*: Specifies the destination in the sandbox to map the folder to. If the folder doesn't exist, it will be created. If no sandbox folder is specified, the folder will be mapped to the container desktop.

*ReadOnly*: If *true*, enforces read-only access to the shared folder from within the container. Supported values: *true*/*false*. Defaults to *false*.


> [!NOTE]
> Files and folders mapped in from the host can be compromised by apps in the sandbox or potentially affect the host.

**Logon command**: Specifies a single command that will be invoked automatically after the sandbox logs on. Apps in the sandbox are run under the container user account.

```xml
<LogonCommand>
<Command>command to be invoked</Command>
</LogonCommand>
```

*Command*: A path to an executable or script inside the container that will be executed after login.

> [!NOTE]
> Although very simple commands will work (such as launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. This script file may be mapped into the container via a shared folder, and then executed via the *LogonCommand* directive.
|
||||
|
||||
**Audio input**: Enables or disables audio input to the sandbox.
|
||||
|
||||
`<AudioInput>value</AudioInput>`
|
||||
|
||||
Supported values:
|
||||
- *Enable*: Enables audio input in the sandbox. If this value is set, the sandbox will be able to receive audio input from the user. Applications that use a microphone may require this capability.
|
||||
- *Disable*: Disables audio input in the sandbox. If this value is set, the sandbox can't receive audio input from the user. Applications that use a microphone may not function properly with this setting.
|
||||
- *Default*: This is the default value for audio input support. Currently this means audio input is enabled.
|
||||
|
||||
> [!NOTE]
|
||||
> There may be security implications of exposing host audio input to the container.
|
||||
|
||||
**Video input**: Enables or disables video input to the sandbox.
|
||||
|
||||
`<VideoInput>value</VideoInput>`
|
||||
|
||||
Supported values:
|
||||
- *Enable*: Enables video input in the sandbox.
|
||||
- *Disable*: Disables video input in the sandbox. Applications that use video input may not function properly in the sandbox.
|
||||
- *Default*: This is the default value for video input support. Currently this means video input is disabled. Applications that use video input may not function properly in the sandbox.
|
||||
|
||||
> [!NOTE]
|
||||
> There may be security implications of exposing host video input to the container.
|
||||
|
||||
**Protected client**: Applies additional security settings to the sandbox Remote Desktop client, decreasing its attack surface.
|
||||
|
||||
`<ProtectedClient>value</ProtectedClient>`
|
||||
|
||||
Supported values:
|
||||
- *Enable*: Runs Windows sandbox in Protected Client mode. If this value is set, the sandbox runs with extra security mitigations enabled.
|
||||
- *Disable*: Runs the sandbox in standard mode without extra security mitigations.
|
||||
- *Default*: This is the default value for Protected Client mode. Currently, this means the sandbox doesn't run in Protected Client mode.
|
||||
|
||||
> [!NOTE]
|
||||
> This setting may restrict the user's ability to copy/paste files in and out of the sandbox.
|
||||
|
||||
**Printer redirection**: Enables or disables printer sharing from the host into the sandbox.
|
||||
|
||||
`<PrinterRedirection>value</PrinterRedirection>`
|
||||
|
||||
Supported values:
|
||||
- *Enable*: Enables sharing of host printers into the sandbox.
|
||||
- *Disable*: Disables printer redirection in the sandbox. If this value is set, the sandbox can't view printers from the host.
|
||||
- *Default*: This is the default value for printer redirection support. Currently this means printer redirection is disabled.
|
||||
|
||||
**Clipboard redirection**: Enables or disables sharing of the host clipboard with the sandbox.
|
||||
|
||||
`<ClipboardRedirection>value</ClipboardRedirection>`
|
||||
|
||||
Supported values:
|
||||
- *Disable*: Disables clipboard redirection in the sandbox. If this value is set, copy/paste in and out of the sandbox will be restricted.
|
||||
- *Default*: This is the default value for clipboard redirection. Currently copy/paste between the host and sandbox are permitted under *Default*.
|
||||
|
||||
**Memory in MB**: Specifies the amount of memory that the sandbox can use in megabytes (MB).
|
||||
|
||||
`<MemoryInMB>value</MemoryInMB>`
|
||||
|
||||
If the memory value specified is insufficient to boot a sandbox, it will be automatically increased to the required minimum amount.
|
||||
|
||||
***Example 1***
|
||||
The following config file can be used to easily test downloaded files inside the sandbox. To achieve this, networking and vGPU are disabled, and the sandbox is allowed read-only access to the shared downloads folder. For convenience, the logon command opens the downloads folder inside the sandbox when it's started.
|
||||
|
||||
*Downloads.wsb*
|
||||
|
||||
```xml
|
||||
<Configuration>
|
||||
<VGpu>Disable</VGpu>
|
||||
<Networking>Disable</Networking>
|
||||
<MappedFolders>
|
||||
<MappedFolder>
|
||||
<HostFolder>C:\Users\Public\Downloads</HostFolder>
|
||||
<SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder>
|
||||
<ReadOnly>true</ReadOnly>
|
||||
</MappedFolder>
|
||||
</MappedFolders>
|
||||
<LogonCommand>
|
||||
<Command>explorer.exe C:\users\WDAGUtilityAccount\Downloads</Command>
|
||||
</LogonCommand>
|
||||
</Configuration>
|
||||
```
|
||||
|
||||
***Example 2***
|
||||
|
||||
The following config file installs Visual Studio Code in the sandbox, which requires a slightly more complicated LogonCommand setup.
|
||||
|
||||
Two folders are mapped into the sandbox; the first (SandboxScripts) contains VSCodeInstall.cmd, which will install and run Visual Studio Code. The second folder (CodingProjects) is assumed to contain project files that the developer wants to modify using Visual Studio Code.
|
||||
|
||||
With the Visual Studio Code installer script already mapped into the sandbox, the LogonCommand can reference it.
|
||||
|
||||
*VSCodeInstall.cmd*
|
||||
|
||||
```console
|
||||
REM Download Visual Studio Code
|
||||
curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe
|
||||
|
||||
REM Install and run Visual Studio Code
|
||||
C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes
|
||||
```
|
||||
|
||||
*VSCode.wsb*
|
||||
|
||||
```xml
|
||||
<Configuration>
|
||||
<MappedFolders>
|
||||
<MappedFolder>
|
||||
<HostFolder>C:\SandboxScripts</HostFolder>
|
||||
<ReadOnly>true</ReadOnly>
|
||||
</MappedFolder>
|
||||
<MappedFolder>
|
||||
<HostFolder>C:\CodingProjects</HostFolder>
|
||||
<ReadOnly>false</ReadOnly>
|
||||
</MappedFolder>
|
||||
</MappedFolders>
|
||||
<LogonCommand>
|
||||
<Command>C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd</Command>
|
||||
</LogonCommand>
|
||||
</Configuration>
|
||||
```
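Review bot: The keyword reference and Example 1 disagree on the element name for GPU sharing: the reference lists `<vGPU>value</vGPU>` while *Downloads.wsb* uses `<VGpu>Disable</VGpu>`; readers copy these literally, so pick the spelling the .wsb parser actually accepts and use it in both places. Two smaller points in the same hunk: Example 2's *VSCodeInstall.cmd* downloads an installer with `curl` and runs it with `/verysilent`, which only works with `<Networking>` left at *Default* (enabled); given that Example 1 disables networking and the Networking note warns about exposure, the Example 2 text should say so explicitly. And *VSCode.wsb* omits `<SandboxFolder>` and then references `C:\Users\WDAGUtilityAccount\Desktop\SandboxScripts\VSCodeInstall.cmd` in `<Command>`, relying on the default-to-desktop behaviour described under *SandboxFolder*; a one-line pointer to that rule next to the example would make the path less surprising.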
@ -0,0 +1,61 @@
---
title: Windows Sandbox
description:
ms.prod: w10
audience: ITPro
author: dansimp
ms.author: dansimp
manager: dansimp
ms.collection:
ms.topic: article
ms.localizationpriority:
ms.date:
ms.reviewer:
---

# Windows Sandbox

Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.

A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application.

Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.

Windows Sandbox has the following properties:
- **Part of Windows**: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
- **Efficient:** Uses the integrated kernel scheduler, smart memory management, and virtual GPU.

The following video provides an overview of Windows Sandbox.

> [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4rFAo]


## Prerequisites

- Windows 10 Pro or Enterprise build 18305 or later (*Windows Sandbox is currently not supported on Home SKUs*)
- AMD64 architecture
- Virtualization capabilities enabled in BIOS
- At least 4 GB of RAM (8 GB recommended)
- At least 1 GB of free disk space (SSD recommended)
- At least two CPU cores (four cores with hyperthreading recommended)

## Installation

1. Ensure that your machine is using Windows 10 Pro or Enterprise, build version 18305 or later.
2. Enable virtualization on the machine.

- If you're using a physical machine, make sure virtualization capabilities are enabled in the BIOS.
- If you're using a virtual machine, run the following PowerShell command to enable nested virtualization:<br/> **Set -VMProcessor -VMName \<VMName> -ExposeVirtualizationExtensions $true**
1. Use the search bar on the task bar and type **Turn Windows Features on and off** to access the Windows Optional Features tool. Select **Windows Sandbox** and then **OK**. Restart the computer if you're prompted.

- If the **Windows Sandbox** option is unavailable, your computer doesn't meet the requirements to run Windows Sandbox. If you think this is incorrect, review the prerequisite list as well as steps 1 and 2.
1. Locate and select **Windows Sandbox** on the Start menu to run it for the first time.

## Usage
1. Copy an executable file (and any other files needed to run the application) from the host into the Windows Sandbox window.
2. Run the executable file or installer inside the sandbox.
3. When you're finished experimenting, close the sandbox. A dialog box will state that all sandbox content will be discarded and permanently deleted. Select **ok**.
4. Confirm that your host machine doesn't exhibit any of the modifications that you made in Windows Sandbox.
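Review bot: The nested-virtualization command in Installation step 2 has a stray space in the cmdlet name: `**Set -VMProcessor -VMName \<VMName> -ExposeVirtualizationExtensions $true**` will fail as typed and should read `Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true`; putting it in a code span or a `powershell` fence instead of bold also removes the need to escape the angle bracket and lets readers copy it. Also in this hunk: the front matter leaves `description:`, `ms.date:`, `ms.localizationpriority:`, `ms.reviewer:` and `ms.collection:` empty, so the page would publish without a description or date; the Installation list mixes `1.`, `2.`, `1.`, `1.` numbering, which renders but is easy to break on the next edit; and the Usage step says "Select **ok**" where the button label is **OK**, matching the capitalization used in the Installation step.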