mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 13:27:23 +00:00
Jeff Borsecnik
GitHub
commit
aebeb70911
@ -1,6 +1,6 @@
|
||||
---
|
||||
title: Create a list of apps deployed to each business group (Windows 10)
|
||||
description: This topic describes the process of gathering app usage requirements from each business group in order to implement application control policies by using AppLocker.
|
||||
description: This topic describes the process of gathering app usage requirements from each business group to implement application control policies by using AppLocker.
|
||||
ms.assetid: d713aa07-d732-4bdc-8656-ba616d779321
|
||||
ms.reviewer:
|
||||
ms.author: dansimp
|
||||
@ -27,7 +27,7 @@ This topic describes the process of gathering app usage requirements from each b
|
||||
|
||||
## Determining app usage
|
||||
|
||||
For each business group, determine the following:
|
||||
For each business group, determine the following information:
|
||||
|
||||
- The complete list of apps used, including different versions of an app
|
||||
- The full installation path of the app
|
||||
@ -37,12 +37,12 @@ For each business group, determine the following:
|
||||
|
||||
### How to perform the app usage assessment
|
||||
|
||||
Although you might already have a method in place to understand app usage for each business group, you will need to use this information to help create your AppLocker rule collection. AppLocker includes the Automatically Generate
|
||||
You might already have a method in place to understand app usage for each business group. You'll need to use this information to help create your AppLocker rule collection. AppLocker includes the Automatically Generate
|
||||
Rules wizard and the **Audit only** enforcement configuration to assist you with planning and creating your rule collection.
|
||||
|
||||
**Application inventory methods**
|
||||
|
||||
Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is very useful when creating rules from a reference computer, and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This might mean additional work in setting up the reference computer and determining a maintenance policy for that computer.
|
||||
Using the Automatically Generate Rules wizard quickly creates rules for the applications you specify. The wizard is designed specifically to build a rule collection. You can use the Local Security Policy snap-in to view and edit the rules. This method is useful when creating rules from a reference computer and when creating and evaluating AppLocker policies in a testing environment. However, it does require that the files be accessible on the reference computer or through a network drive. This might mean additional work in setting up the reference computer and determining a maintenance policy for that computer.
|
||||
|
||||
Using the **Audit only** enforcement method permits you to view the logs because it collects information about every process on the computers receiving the Group Policy Object (GPO). Therefore, you can see what the enforcement will be on the computers in a business group. AppLocker includes Windows PowerShell cmdlets that you can use to analyze the events from the event log and cmdlets to create rules. However, when you use Group Policy to deploy to several computers, a means to collect events in a central location is very important for manageability. Because AppLocker logs information about files that users or other processes start on a computer, you could miss creating some rules initially. Therefore, you should continue your evaluation until you can verify that all required applications that are allowed to run are accessed successfully.
|
||||
|
||||
@ -72,7 +72,7 @@ After you have created the list of apps, the next step is to identify the rule c
|
||||
- Allow or deny
|
||||
- GPO name
|
||||
|
||||
To do this, see the following topics:
|
||||
For guidance, see the following topics:
|
||||
|
||||
- [Select the types of rules to create](select-types-of-rules-to-create.md)
|
||||
- [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
|
||||
|
||||
@ -23,9 +23,9 @@ ms.date: 09/21/2017
|
||||
- Windows 10
|
||||
- Windows Server
|
||||
|
||||
This topic helps you with the decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
|
||||
This article helps with decisions you need to make to determine what applications to control and how to control them by comparing Software Restriction Policies (SRP) and AppLocker.
|
||||
|
||||
AppLocker is very effective for organizations with app restriction requirements whose environments have a simple topography and the application control policy goals are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is to achieve a detailed level of control on the PCs that they manage for a relatively small number of apps.
|
||||
AppLocker is effective for organizations with app restriction requirements whose environments have a simple topography and whose application control policy goals are straightforward. For example, AppLocker can benefit an environment where non-employees have access to computers connected to the organizational network, such as a school or library. Large organizations also benefit from AppLocker policy deployment when the goal is a detailed level of control on the PCs they manage for a relatively small number of apps.
|
||||
|
||||
There are management and maintenance costs associated with a list of allowed apps. In addition, the purpose of application control policies is to allow or prevent employees from using apps that might actually be productivity tools. Keeping employees or users productive while implementing the policies can cost time and effort. Lastly, creating user support processes and network support processes to keep the organization productive are also concerns.
|
||||
|
||||
@ -59,7 +59,7 @@ Use the following table to develop your own objectives and determine which appli
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Policy maintenance</p></td>
|
||||
<td align="left"><p>SRP policies must be updated by using the Local Security Policy snap-in (if the policies are created locally) or the Group Policy Management Console (GPMC).</p></td>
|
||||
<td align="left"><p>AppLocker policies can be updated by using the Local Security Policy snap-in (if the policies are created locally), or the GPMC, or the Windows PowerShell AppLocker cmdlets.</p></td>
|
||||
<td align="left"><p>AppLocker policies can be updated by using the Local Security Policy snap-in, if the policies are created locally, or the GPMC, or the Windows PowerShell AppLocker cmdlets.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Policy application</p></td>
|
||||
@ -68,9 +68,9 @@ Use the following table to develop your own objectives and determine which appli
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Enforcement mode</p></td>
|
||||
<td align="left"><p>SRP works in the “deny list mode” where administrators can create rules for files that they do not want to allow in this Enterprise whereas the rest of the file are allowed to run by default.</p>
|
||||
<p>SRP can also be configured in the “allow list mode” such that the by default all files are blocked and administrators need to create allow rules for files that they want to allow.</p></td>
|
||||
<td align="left"><p>AppLocker by default works in the “allow list mode” where only those files are allowed to run for which there is a matching allow rule.</p></td>
|
||||
<td align="left"><p>SRP works in the “deny list mode” where administrators can create rules for files that they don't want to allow in this Enterprise, but the rest of the files are allowed to run by default.</p>
|
||||
<p>SRP can also be configured in the “allow list mode” such that by default all files are blocked and administrators need to create allow rules for files that they want to allow.</p></td>
|
||||
<td align="left"><p>By default, AppLocker works in allow list mode. Only those files are allowed to run for which there's a matching allow rule.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>File types that can be controlled</p></td>
|
||||
@ -95,7 +95,7 @@ Use the following table to develop your own objectives and determine which appli
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Designated file types</p></td>
|
||||
<td align="left"><p>SRP supports an extensible list of file types that are considered executable. You can add extensions for files that should be considered executable.</p></td>
|
||||
<td align="left"><p>AppLocker does not support this. AppLocker currently supports the following file extensions:</p>
|
||||
<td align="left"><p>AppLocker doesn't support this. AppLocker currently supports the following file extensions:</p>
|
||||
<ul>
|
||||
<li><p>Executables (.exe, .com)</p></li>
|
||||
<li><p>DLLs (.ocx, .dll)</p></li>
|
||||
@ -123,11 +123,11 @@ Use the following table to develop your own objectives and determine which appli
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Editing the hash value</p></td>
|
||||
<td align="left"><p>SRP allows you to select a file to hash.</p></td>
|
||||
<td align="left"><p>AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and a SHA2 flat file hash for the rest.</p></td>
|
||||
<td align="left"><p>AppLocker computes the hash value itself. Internally it uses the SHA2 Authenticode hash for Portable Executables (exe and DLL) and Windows Installers and an SHA2 flat file hash for the rest.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Support for different security levels</p></td>
|
||||
<td align="left"><p>With SRP, you can specify the permissions with which an app can run. So, you can configure a rule such that notepad always runs with restricted permissions and never with administrative privileges.</p>
|
||||
<td align="left"><p>With SRP, you can specify the permissions with which an app can run. Then configure a rule such that Notepad always runs with restricted permissions and never with administrative privileges.</p>
|
||||
<p>SRP on Windows Vista and earlier supported multiple security levels. On Windows 7, that list was restricted to just two levels: Disallowed and Unrestricted (Basic User translates to Disallowed).</p></td>
|
||||
<td align="left"><p>AppLocker does not support security levels.</p></td>
|
||||
</tr>
|
||||
@ -144,12 +144,12 @@ Use the following table to develop your own objectives and determine which appli
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Support for rule exceptions</p></td>
|
||||
<td align="left"><p>SRP does not support rule exceptions</p></td>
|
||||
<td align="left"><p>AppLocker rules can have exceptions which allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.</p></td>
|
||||
<td align="left"><p>AppLocker rules can have exceptions that allow administrators to create rules such as “Allow everything from Windows except for Regedit.exe”.</p></td>
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Support for audit mode</p></td>
|
||||
<td align="left"><p>SRP does not support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.</p></td>
|
||||
<td align="left"><p>AppLocker supports audit mode which allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.</p></td>
|
||||
<td align="left"><p>SRP doesn't support audit mode. The only way to test SRP policies is to set up a test environment and run a few experiments.</p></td>
|
||||
<td align="left"><p>AppLocker supports audit mode that allows administrators to test the effect of their policy in the real production environment without impacting the user experience. Once you are satisfied with the results, you can start enforcing the policy.</p></td>
|
||||
</tr>
|
||||
<tr class="odd">
|
||||
<td align="left"><p>Support for exporting and importing policies</p></td>
|
||||
@ -158,8 +158,8 @@ Use the following table to develop your own objectives and determine which appli
|
||||
</tr>
|
||||
<tr class="even">
|
||||
<td align="left"><p>Rule enforcement</p></td>
|
||||
<td align="left"><p>Internally, SRP rules enforcement happens in the user-mode which is less secure.</p></td>
|
||||
<td align="left"><p>Internally, AppLocker rules for exes and dlls are enforced in the kernel-mode which is more secure than enforcing them in the user-mode.</p></td>
|
||||
<td align="left"><p>Internally, SRP rules enforcement happens in user-mode, which is less secure.</p></td>
|
||||
<td align="left"><p>Internally, AppLocker rules for exes and dlls are enforced in kernel-mode, which is more secure than enforcing them in the user-mode.</p></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
@ -29,19 +29,19 @@ manager: dansimp
|
||||
|
||||
- Group Policy
|
||||
|
||||
You can add information about your organization in a contact card to the Windows Security app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
|
||||
You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
|
||||
|
||||
|
||||
|
||||
This information will also be shown in some enterprise-specific notifications (including those for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus).
|
||||
This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)).
|
||||
|
||||
|
||||
|
||||
Users can click on the displayed information to initiate a support request:
|
||||
Users can select the displayed information to initiate a support request:
|
||||
|
||||
- Clicking **Call** or the phone number will open Skype to start a call to the displayed number
|
||||
- Clicking **Email** or the email address will create a new email in the machine's default email app address to the displayed email
|
||||
- Clicking **Help portal** or the website URL will open the machine's default web browser and go to the displayed address
|
||||
- Select **Call** or the phone number to open Skype to start a call to the displayed number.
|
||||
- Select **Email** or the email address to create a new email in the machine's default email app address to the displayed email.
|
||||
- Select **Help portal** or the website URL to open the machine's default web browser and go to the displayed address.
|
||||
|
||||
## Requirements
|
||||
|
||||
@ -67,12 +67,12 @@ This can only be done in Group Policy.
|
||||
|
||||
5. After you've enabled the contact card or the customized notifications (or both), you must configure the **Specify contact company name** to **Enabled**. Enter your company or organization's name in the field in the **Options** section. Click **OK**.
|
||||
|
||||
6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings by opening them, setting them to **Enabled** and adding the contact information in the field under **Options**:
|
||||
6. To ensure the custom notifications or contact card appear, you must also configure at least one of the following settings. Open the setting, select **Enabled**, and then add the contact information in the field under **Options**:
|
||||
1. **Specify contact email address or Email ID**
|
||||
2. **Specify contact phone number or Skype ID**
|
||||
3. **Specify contact website**
|
||||
|
||||
7. Click **OK** after configuring each setting to save your changes.
|
||||
7. Select **OK** after you configure each setting to save your changes.
|
||||
|
||||
>[!IMPORTANT]
|
||||
>You must specify the contact company name and at least one contact method - email, phone number, or website URL. If you do not specify the contact name and a contact method the customization will not apply, the contact card will not show, and notifications will not be customized.
|
||||
|
||||
@ -24,7 +24,7 @@ manager: dansimp
|
||||
|
||||
The **Firewall & network protection** section contains information about the firewalls and network connections used by the machine, including the status of Windows Defender Firewall and any other third-party firewalls. IT administrators and IT pros can get configuration guidance from the [Windows Defender Firewall with Advanced Security documentation library](../windows-firewall/windows-firewall-with-advanced-security.md).
|
||||
|
||||
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
|
||||
In Windows 10, version 1709 and later, the section can be hidden from users of the machine. This information is useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
|
||||
|
||||
|
||||
## Hide the Firewall & network protection section
|
||||
|
||||
@ -25,9 +25,9 @@ manager: dansimp
|
||||
|
||||
The **Virus & threat protection** section contains information and settings for antivirus protection from Microsoft Defender Antivirus and third-party AV products.
|
||||
|
||||
In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in the event of a ransomware attack.
|
||||
In Windows 10, version 1803, this section also contains information and settings for ransomware protection and recovery. This includes Controlled folder access settings to prevent unknown apps from changing files in protected folders, plus Microsoft OneDrive configuration to help you recover from a ransomware attack. This area also notifies users and provides recovery instructions in case of a ransomware attack.
|
||||
|
||||
IT administrators and IT pros can get more information and documentation about configuration from the following:
|
||||
IT administrators and IT pros can get more configuration information from these articles:
|
||||
|
||||
- [Microsoft Defender Antivirus in the Windows Security app](../microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md)
|
||||
- [Microsoft Defender Antivirus documentation library](../microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md)
|
||||
@ -36,7 +36,7 @@ IT administrators and IT pros can get more information and documentation about c
|
||||
- [Office 365 advanced protection](https://support.office.com/en-us/article/office-365-advanced-protection-82e72640-39be-4dc7-8efd-740fb289123a)
|
||||
- [Ransomware detection and recovering your files](https://support.office.com/en-us/article/ransomware-detection-and-recovering-your-files-0d90ec50-6bfd-40f4-acc7-b8c12c73637f?ui=en-US&rs=en-US&ad=US)
|
||||
|
||||
You can choose to hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for the features shown in the section.
|
||||
You can hide the **Virus & threat protection** section or the **Ransomware protection** area from users of the machine. This can be useful if you don't want employees in your organization to see or have access to user-configured options for these features.
|
||||
|
||||
|
||||
## Hide the Virus & threat protection section
|
||||
|
||||
@ -23,9 +23,9 @@ ms.date: 04/19/2017
|
||||
- Windows 10
|
||||
- Windows Server 2016
|
||||
|
||||
Some servers in the organization host data that is very sensitive, including medical, financial, or other personally identifying data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices.
|
||||
Some servers in the organization host data that's very sensitive, including medical, financial, or other personal data. Government or industry regulations might require that this sensitive information must be encrypted when it is transferred between devices.
|
||||
|
||||
To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic be encrypted.
|
||||
To support the additional security requirements of these servers, we recommend that you create an encryption zone to contain the devices and that requires that the sensitive inbound and outbound network traffic is encrypted.
|
||||
|
||||
You must create a group in Active Directory to contain members of the encryption zone. The settings and rules for the encryption zone are typically similar to those for the isolated domain, and you can save time and effort by copying those GPOs to serve as a starting point. You then modify the security methods list to include only algorithm combinations that include encryption protocols.
|
||||
|
||||
|
||||
@ -25,6 +25,4 @@ ms.date: 04/19/2017
|
||||
|
||||
All the devices on Woodgrove Bank's network that run Windows are part of the isolated domain, except domain controllers. To configure firewall rules, the GPO described in this section is linked to the domain container in the Active Directory OU hierarchy, and then filtered by using security group filters and WMI filters.
|
||||
|
||||
The GPO created for the example Woodgrove Bank scenario include the following:
|
||||
|
||||
- [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md)
|
||||
The GPO created for the example Woodgrove Bank scenario includes [GPO\_DOMISO\_Firewall](gpo-domiso-firewall.md).
|
||||
|
||||
@ -25,9 +25,9 @@ ms.date: 08/17/2017
|
||||
|
||||
Before starting the planning process for a Windows Defender Firewall with Advanced Security deployment, you must collect and analyze up-to-date information about the network, the directory services, and the devices that are already deployed in the organization. This information enables you to create a design that accounts for all possible elements of the existing infrastructure. If the gathered information is not accurate, problems can occur when devices and devices that were not considered during the planning phase are encountered during implementation.
|
||||
|
||||
Review each of the following topics for guidance about the kinds of information that you must gather:
|
||||
Review each of the following articles for guidance about the kinds of information that you must gather:
|
||||
|
||||
- [Gathering Information about Your Current Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md)
|
||||
- [Gathering Information about Your Conversational Network Infrastructure](gathering-information-about-your-current-network-infrastructure.md)
|
||||
|
||||
- [Gathering Information about Your Active Directory Deployment](gathering-information-about-your-active-directory-deployment.md)
|
||||
|
||||
|
||||
@ -22,14 +22,14 @@ ms.date: 08/17/2017
|
||||
|
||||
This GPO is authored by using the Windows Defender Firewall with Advanced Security interface in the Group Policy editing tools. Woodgrove Bank began by copying and pasting the GPO for the Windows Server 2008 version of the isolated domain GPO, and then renamed the copy to reflect its new purpose.
|
||||
|
||||
This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2 or Windows Server 2008.
|
||||
This GPO supports the ability for servers that contain sensitive data to require encryption for all connection requests. It is intended to only apply to server computers that are running Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.
|
||||
|
||||
## IPsec settings
|
||||
|
||||
|
||||
The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain The following changes are made to encryption zone copy of the GPO:
|
||||
The copied GPO includes and continues to use the IPsec settings that configure key exchange, main mode, and quick mode algorithms for the isolated domain. The following changes are made to encryption zone copy of the GPO:
|
||||
|
||||
The encryption zone servers require all connections to be encrypted. To do this, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This disables all integrity-only algorithm combinations.
|
||||
The encryption zone servers require all connections to be encrypted. To do this, change the IPsec default settings for the GPO to enable the setting **Require encryption for all connection security rules that use these settings**. This setting disables all integrity-only algorithm combinations.
|
||||
|
||||
## Connection security rules
|
||||
|
||||
|
||||
@ -37,9 +37,9 @@ To create a domain isolation or server isolation design, you must understand the
|
||||
|
||||
## IPsec performance considerations
|
||||
|
||||
Although IPsec is critically important in securing network traffic going to and from your devices, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your device from making use of all of the available bandwidth. For example, an IPsec-enabled device using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms.
|
||||
Although IPsec is critically important in securing network traffic going to and from your devices, there are costs associated with its use. The mathematically intensive cryptographic algorithms require a significant amount of computing power, which can prevent your device from making use of all of the available bandwidth. For example, an IPsec-enabled device using the AES encryption protocols on a 10 gigabits per second (Gbps) network link might see a throughput of 4.5 Gbps. This reduction is due to the demands placed on the CPU to perform the cryptographic functions required by the IPsec integrity and encryption algorithms.
|
||||
|
||||
IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This frees up a device’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps.
|
||||
IPsec task offload is a Windows technology that supports network adapters equipped with dedicated cryptographic processors to perform the computationally intensive work required by IPsec. This configuration frees up a device’s CPU and can dramatically increase network throughput. For the same network link as above, the throughput with IPsec task offload enabled improves to about 9.2 Gbps.
|
||||
|
||||
## Domain isolation design
|
||||
|
||||
|
||||
@ -29,7 +29,7 @@ Before Windows Sandbox is installed, the dynamic base image package is stored as
|
||||
|
||||
## Memory management
|
||||
|
||||
Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host to dynamically determine how host resources are allocated. This is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like it would with a process.
|
||||
Traditional VMs apportion statically sized allocations of host memory. When resource needs change, classic VMs have limited mechanisms for adjusting their resource needs. On the other hand, containers collaborate with the host to dynamically determine how host resources are allocated. This method is similar to how processes normally compete for memory on the host. If the host is under memory pressure, it can reclaim memory from the container much like it would with a process.
|
||||
|
||||
|
||||
|
||||
@ -51,7 +51,7 @@ Windows Sandbox employs a unique policy that allows the virtual processors of th
|
||||
|
||||
Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows.
|
||||
|
||||
This allows programs running inside the sandbox to compete for GPU resources with applications that are running on the host.
|
||||
This feature allows programs running inside the sandbox to compete for GPU resources with applications that are running on the host.
|
||||
|
||||
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user