11 KiB
title, description, ms.author, ms.topic, ms.prod, ms.technology, author, ms.localizationpriority, ms.date
| title | description | ms.author | ms.topic | ms.prod | ms.technology | author | ms.localizationpriority | ms.date |
|---|---|---|---|---|---|---|---|---|
| Policy CSP - WindowsSandbox | Policy CSP - WindowsSandbox | dansimp | article | w10 | windows | dansimp | medium | 10/14/2020 |
Policy CSP - WindowsSandbox
WindowsSandbox policies
- WindowsSandbox/AllowAudioInput
- WindowsSandbox/AllowClipboardRedirection
- WindowsSandbox/AllowNetworking
- WindowsSandbox/AllowPrinterRedirection
- WindowsSandbox/AllowVGPU
- WindowsSandbox/AllowVideoInput
WindowsSandbox/AllowAudioInput
Available in the latest Windows 10 insider preview build.
The table below shows the applicability of Windows:
| Edition | Windows 10 | Windows 11 |
|---|---|---|
| Home | No | No |
| Pro | Yes | Yes |
| Business | No | No |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |
[!div class = "checklist"]
- Device
This policy setting allows the IT admin to enable or disable audio input to the Sandbox.
Note
There may be security implications of exposing host audio input to the container.
If this policy isn't configured, end-users get the default behavior (audio input enabled).
If audio input is disabled, a user won't be able to enable audio input from their own configuration file.
If audio input is enabled, a user will be able to disable audio input from their own configuration file to make the device more secure.
Note
You must restart Windows Sandbox for any changes to this policy setting to take effect.
ADMX Info:
- GP Friendly name: Allow audio input in Windows Sandbox
- GP name: AllowAudioInput
- GP path: Windows Components/Windows Sandbox
- GP ADMX file name: WindowsSandbox.admx
The following are the supported values:
- 0 - Disabled
- 1 (default) - Enabled
WindowsSandbox/AllowClipboardRedirection
Available in the latest Windows 10 insider preview build.
The table below shows the applicability of Windows:
| Edition | Windows 10 | Windows 11 |
|---|---|---|
| Home | No | No |
| Pro | Yes | Yes |
| Business | No | No |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |
[!div class = "checklist"]
- Device
This policy setting allows the IT admin to enable or disable sharing of the host clipboard with the sandbox.
If this policy isn't configured, end-users get the default behavior (clipboard redirection enabled).
If clipboard sharing is disabled, a user won't be able to enable clipboard sharing from their own configuration file.
If clipboard sharing is enabled, a user will be able to disable clipboard sharing from their own configuration file to make the device more secure.
Note
You must restart Windows Sandbox for any changes to this policy setting to take effect.
ADMX Info:
- GP Friendly name: Allow clipboard sharing with Windows Sandbox
- GP name: AllowClipboardRedirection
- GP path: Windows Components/Windows Sandbox
- GP ADMX file name: WindowsSandbox.admx
The following are the supported values:
- 0 - Disabled
- 1 (default) - Enabled
WindowsSandbox/AllowNetworking
Available in the latest Windows 10 insider preview build.
The table below shows the applicability of Windows:
| Edition | Windows 10 | Windows 11 |
|---|---|---|
| Home | No | No |
| Pro | Yes | Yes |
| Business | No | No |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |
[!div class = "checklist"]
- Device
This policy setting allows the IT admin to enable or disable networking in Windows Sandbox. Disabling network access can decrease the attack surface exposed by the Sandbox. Enabling networking can expose untrusted applications to the internal network.
If this policy isn't configured, end-users get the default behavior (networking enabled).
If networking is disabled, a user won't be able to enable networking from their own configuration file.
If networking is enabled, a user will be able to disable networking from their own configuration file to make the device more secure.
Note
You must restart Windows Sandbox for any changes to this policy setting to take effect.
ADMX Info:
- GP Friendly name: Allow networking in Windows Sandbox
- GP name: AllowNetworking
- GP path: Windows Components/Windows Sandbox
- GP ADMX file name: WindowsSandbox.admx
The following are the supported values:
- 0 - Disabled
- 1 (default) - Enabled
WindowsSandbox/AllowPrinterRedirection
Available in the latest Windows 10 insider preview build.
The table below shows the applicability of Windows:
| Edition | Windows 10 | Windows 11 |
|---|---|---|
| Home | No | No |
| Pro | Yes | Yes |
| Business | No | No |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |
[!div class = "checklist"]
- Device
This policy setting allows the IT admin to enable or disable printer sharing from the host into the Sandbox.
If this policy isn't configured, end-users get the default behavior (printer sharing disabled).
If printer sharing is disabled, a user won't be able to enable printer sharing from their own configuration file.
If printer sharing is enabled, a user will be able to disable printer sharing from their own configuration file to make the device more secure.
Note
You must restart Windows Sandbox for any changes to this policy setting to take effect.
ADMX Info:
- GP Friendly name: Allow printer sharing with Windows Sandbox
- GP name: AllowPrinterRedirection
- GP path: Windows Components/Windows Sandbox
- GP ADMX file name: WindowsSandbox.admx
The following are the supported values:
- 0 - Disabled
- 1 (default) - Enabled
Available in the latest Windows 10 insider preview build.
The table below shows the applicability of Windows:
| Edition | Windows 10 | Windows 11 |
|---|---|---|
| Home | No | No |
| Pro | Yes | Yes |
| Business | No | No |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |
[!div class = "checklist"]
- Device
This policy setting allows the IT admin to enable or disable virtualized GPU for Windows Sandbox.
Note
Enabling virtualized GPU can potentially increase the attack surface of Windows Sandbox.
If this policy isn't configured, end-users get the default behavior (vGPU is disabled).
If vGPU is disabled, a user won't be able to enable vGPU support from their own configuration file.
If vGPU is enabled, a user will be able to disable vGPU support from their own configuration file to make the device more secure.
Note
You must restart Windows Sandbox for any changes to this policy setting to take effect.
ADMX Info:
- GP Friendly name: Allow vGPU sharing for Windows Sandbox
- GP name: AllowVGPU
- GP path: Windows Components/Windows Sandbox
- GP ADMX file name: WindowsSandbox.admx
The following are the supported values:
- 0 (default) - Disabled
- 1 - Enabled
WindowsSandbox/AllowVideoInput
Available in the latest Windows 10 insider preview build.
The table below shows the applicability of Windows:
| Edition | Windows 10 | Windows 11 |
|---|---|---|
| Home | No | No |
| Pro | Yes | Yes |
| Business | No | No |
| Enterprise | Yes | Yes |
| Education | Yes | Yes |
[!div class = "checklist"]
- Device
This policy setting allows the IT admin to enable or disable video input to the Sandbox.
Note
There may be security implications of exposing host video input to the container.
If this policy isn't configured, users get the default behavior (video input disabled).
If video input is disabled, users won't be able to enable video input from their own configuration file.
If video input is enabled, users will be able to disable video input from their own configuration file to make the device more secure.
Note
You must restart Windows Sandbox for any changes to this policy setting to take effect.
ADMX Info:
- GP Friendly name: Allow video input in Windows Sandbox
- GP name: AllowVideoInput
- GP path: Windows Components/Windows Sandbox
- GP ADMX file name: WindowsSandbox.admx
The following are the supported values:
- 0 (default) - Disabled
- 1 - Enabled