ef1c69b439
* smb adds * smb adds * formatting * private preview and support content * edit removed and dep * Fix blocking issues * Acro-fix * 24H2 CSP Updates * Fix link * fix link in dep page * edit * edit index file * syntax-fix-24h2 * ltsc-edits * ltsc-edits * lichris-docs-1 * Acrolinx improvements * refresh for maxado-8631996 * update link for maxado-8631993 * additional edits, acrolinx * ltsc-tw * contentsource-8914508 * contentsource-8914508 * Updates for 1 October release * Set stale debug to false * update gp link for 24h2 * additional changes * Changes to updates, acrolinx changes * fixes broken links * Fixed alignment issues * updates from Rafal * fixed acrolinx * so many link fixes * added release notes and troubleshoot content * updates * Update security-compliance-toolkit-10.md Added Windows 11 24H2 * Update get-support-for-security-baselines.md Updated for Windows 11 24H2 * bump date * bump date * fix pde comment * fixing broken link * Fix broken redirections * fix to rel link * reset head, fix link * add cli to deploy, add script to cli * removing "mcce" * edits to create page * Update default and global release policies OS version and dates to latest release values * emoved e from mcce and other changes * updated example script * added important notice to update page * more update page changes * clarified how proxy configuration is used * anonymizing variables in example script * revise example script * acrolinx fixes to update page * changes to other pages and content in overview page * Update broken link Update broken link * Update windows-sandbox-configure-using-wsb-file.md Update `HostFolder` value description in `MappedFolder`, specifying that the path could be absolute or relative, not only absolute as, instead, is for the `SandboxFolder` value. * Remove bad link Removed bad link. There is already a second link referring to content so no need to replace the link. * docfx update for security book * Correct TOC entry changing Windows 10 to Windows * Update whats-new-do.md - Vpn to VPN - Minor improvements * Updated date for freshness reporting * Add EOS callout Fix some obvious Acrolinx issues * Fixed typo added clarity * Update mcc-ent-deploy-to-windows.md * Update .openpublishing.redirection.windows-deployment.json * Update .openpublishing.redirection.windows-deployment.json * Update policy-csp-localpoliciessecurityoptions.md * Correct indentation and spacing * Acrolinx: "Enteprise" * Update mcc-ent-edu-overview.md * refresh * Remove redirection and final bits of store-for-business store-for-business, AKA /microsoft-store/, is retired, and the content is archived in officearchive-pr. This archival was for ADO task 9268422. * added support content and other changes * fixed tabs * fixed tabs * Updated device reg policy and group information * Update delivery-optimization-endpoints.md Added a line item in MCC table for Outlook *res.cdn.office.net requirement * freshness review * Fix broken links * Minor change * content for faq * changes to landing page * more content to faqs * pencil edit * add copilot exps link * edits and ren cli file temporarily * ren file back and edit toc to lowercase * edit * edit * edit * Update windows-autopatch-configure-network.md Adding a new network endpoint required for the service 'device.autopatch.microsoft.com' @tiaraquan * Clarify some points and remove data that is confusing to customers. * fix syntax * Sentence correction * Update windows/deployment/do/waas-delivery-optimization-faq.yml Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com> * Update windows/deployment/do/waas-delivery-optimization-faq.yml Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com> * moved shortcuts under policy settings article --------- Co-authored-by: Alma Jenks <v-alje@microsoft.com> Co-authored-by: Meghan Stewart <33289333+mestew@users.noreply.github.com> Co-authored-by: Stacyrch140 <102548089+Stacyrch140@users.noreply.github.com> Co-authored-by: Nidhi Doshi <77081571+doshnid@users.noreply.github.com> Co-authored-by: Gary Moore <5432776+garycentric@users.noreply.github.com> Co-authored-by: Vinay Pamnani (from Dev Box) <vinpa@microsoft.com> Co-authored-by: Vinay Pamnani <37223378+vinaypamnani-msft@users.noreply.github.com> Co-authored-by: Aaron Czechowski <aczechowski@users.noreply.github.com> Co-authored-by: Aditi Srivastava <133841950+aditisrivastava07@users.noreply.github.com> Co-authored-by: Daniel H. Brown <32883970+DHB-MSFT@users.noreply.github.com> Co-authored-by: David Strome <21028455+dstrome@users.noreply.github.com> Co-authored-by: Padma Jayaraman <v-padmaj@microsoft.com> Co-authored-by: Paolo Matarazzo <74918781+paolomatarazzo@users.noreply.github.com> Co-authored-by: Rebecca Agiewich <16087112+rjagiewich@users.noreply.github.com> Co-authored-by: Rick Munck <33725928+jmunck@users.noreply.github.com> Co-authored-by: Tanaka <Huios@users.noreply.github.com> Co-authored-by: Tiara Quan <95256667+tiaraquan@users.noreply.github.com> Co-authored-by: Frank Rojas <45807133+frankroj@users.noreply.github.com> Co-authored-by: Davide Piccinini <davide.piccinini.95@gmail.com> Co-authored-by: Phil Garcia <phil@thinkedge.com> Co-authored-by: Learn Build Service GitHub App <Learn Build Service LearnBuild@microsoft.com> Co-authored-by: tiaraquan <tiaraquan@microsoft.com> Co-authored-by: Caitlin Hart <caithart@microsoft.com> Co-authored-by: Harman Thind <63820404+hathin@users.noreply.github.com> Co-authored-by: [cmknox] <[cmknox@gmail.com]> Co-authored-by: Carmen Forsmann <cmforsmann@live.com>
20 KiB
title, description, ms.date
| title | description | ms.date |
|---|---|---|
| WindowsSandbox Policy CSP | Learn more about the WindowsSandbox Area in Policy CSP. | 09/27/2024 |
Policy CSP - WindowsSandbox
AllowAudioInput
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowAudioInput
This policy setting enables or disables audio input to the Sandbox.
-
If you enable this policy setting, Windows Sandbox will be able to receive audio input from the user. Applications using a microphone may require this setting.
-
If you disable this policy setting, Windows Sandbox won't be able to receive audio input from the user. Applications using a microphone may not function properly with this setting.
-
If you don't configure this policy setting, audio input will be enabled.
Note that there may be security implications of exposing host audio input to the container.
Note
You must restart Windows Sandbox for any changes to this policy setting to take effect.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: [0-1] |
| Default Value | 1 |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AllowAudioInput |
| Friendly Name | Allow audio input in Windows Sandbox |
| Location | Computer Configuration |
| Path | Windows Components > Windows Sandbox |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
| Registry Value Name | AllowAudioInput |
| ADMX File Name | WindowsSandbox.admx |
AllowClipboardRedirection
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowClipboardRedirection
This policy setting enables or disables clipboard sharing with the sandbox.
-
If you enable this policy setting, copy and paste between the host and Windows Sandbox are permitted.
-
If you disable this policy setting, copy and paste in and out of Sandbox will be restricted.
-
If you don't configure this policy setting, clipboard sharing will be enabled.
Note
You must restart Windows Sandbox for any changes to this policy setting to take effect.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: [0-1] |
| Default Value | 1 |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AllowClipboardRedirection |
| Friendly Name | Allow clipboard sharing with Windows Sandbox |
| Location | Computer Configuration |
| Path | Windows Components > Windows Sandbox |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
| Registry Value Name | AllowClipboardRedirection |
| ADMX File Name | WindowsSandbox.admx |
AllowMappedFolders
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders
This policy setting enables or disables mapping folders into sandbox.
-
If you enable this policy setting, mapping folders from the host into Sandbox will be permitted.
-
If you enable this policy setting and disable write to mapped folders, mapping folders from the host into Sandbox will be permitted, but Sandbox will only have permission to read the files.
-
If you disable this policy setting, mapping folders from the host into Sandbox won't be permitted.
-
If you don't configure this policy setting, mapped folders will be enabled.
Note that there may be security implications of exposing folders from the host into the container.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: [0-1] |
| Default Value | 1 |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AllowMappedFolders |
| Friendly Name | Allow mapping folders into Windows Sandbox |
| Location | Computer Configuration |
| Path | Windows Components > Windows Sandbox |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
| Registry Value Name | AllowMappedFolders |
| ADMX File Name | WindowsSandbox.admx |
AllowNetworking
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowNetworking
This policy setting enables or disables networking in the sandbox. You can disable network access to decrease the attack surface exposed by the sandbox.
-
If you enable this policy setting, networking is done by creating a virtual switch on the host, and connects the Windows Sandbox to it via a virtual NIC.
-
If you disable this policy setting, networking is disabled in Windows Sandbox.
-
If you don't configure this policy setting, networking will be enabled.
Note that enabling networking can expose untrusted applications to the internal network.
Note
You must restart Windows Sandbox for any changes to this policy setting to take effect.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: [0-1] |
| Default Value | 1 |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AllowNetworking |
| Friendly Name | Allow networking in Windows Sandbox |
| Location | Computer Configuration |
| Path | Windows Components > Windows Sandbox |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
| Registry Value Name | AllowNetworking |
| ADMX File Name | WindowsSandbox.admx |
AllowPrinterRedirection
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowPrinterRedirection
This policy setting enables or disables printer sharing from the host into the Sandbox.
-
If you enable this policy setting, host printers will be shared into Windows Sandbox.
-
If you disable this policy setting, Windows Sandbox won't be able to view printers from the host.
-
If you don't configure this policy setting, printer redirection will be disabled.
Note
You must restart Windows Sandbox for any changes to this policy setting to take effect.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: [0-1] |
| Default Value | 1 |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AllowPrinterRedirection |
| Friendly Name | Allow printer sharing with Windows Sandbox |
| Location | Computer Configuration |
| Path | Windows Components > Windows Sandbox |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
| Registry Value Name | AllowPrinterRedirection |
| ADMX File Name | WindowsSandbox.admx |
AllowVGPU
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowVGPU
This policy setting is to enable or disable the virtualized GPU.
-
If you enable this policy setting, vGPU will be supported in the Windows Sandbox.
-
If you disable this policy setting, Windows Sandbox will use software rendering, which can be slower than virtualized GPU.
-
If you don't configure this policy setting, vGPU will be enabled.
Note that enabling virtualized GPU can potentially increase the attack surface of the sandbox.
Note
You must restart Windows Sandbox for any changes to this policy setting to take effect.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: [0-1] |
| Default Value | 1 |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AllowVGPU |
| Friendly Name | Allow vGPU sharing for Windows Sandbox |
| Location | Computer Configuration |
| Path | Windows Components > Windows Sandbox |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
| Registry Value Name | AllowVGPU |
| ADMX File Name | WindowsSandbox.admx |
AllowVideoInput
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 21H2 [10.0.22000] and later |
./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowVideoInput
This policy setting enables or disables video input to the Sandbox.
-
If you enable this policy setting, video input is enabled in Windows Sandbox.
-
If you disable this policy setting, video input is disabled in Windows Sandbox. Applications using video input may not function properly in Windows Sandbox.
-
If you don't configure this policy setting, video input will be disabled. Applications that use video input may not function properly in Windows Sandbox.
Note that there may be security implications of exposing host video input to the container.
Note
You must restart Windows Sandbox for any changes to this policy setting to take effect.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: [0-1] |
| Default Value | 1 |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AllowVideoInput |
| Friendly Name | Allow video input in Windows Sandbox |
| Location | Computer Configuration |
| Path | Windows Components > Windows Sandbox |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
| Registry Value Name | AllowVideoInput |
| ADMX File Name | WindowsSandbox.admx |
AllowWriteToMappedFolders
| Scope | Editions | Applicable OS |
|---|---|---|
| ✅ Device ❌ User |
✅ Pro ✅ Enterprise ✅ Education ✅ Windows SE ✅ IoT Enterprise / IoT Enterprise LTSC |
✅ Windows 11, version 24H2 [10.0.26100] and later |
./Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowWriteToMappedFolders
This policy setting enables or disables mapping folders into sandbox.
-
If you enable this policy setting, mapping folders from the host into Sandbox will be permitted.
-
If you enable this policy setting and disable write to mapped folders, mapping folders from the host into Sandbox will be permitted, but Sandbox will only have permission to read the files.
-
If you disable this policy setting, mapping folders from the host into Sandbox won't be permitted.
-
If you don't configure this policy setting, mapped folders will be enabled.
Note that there may be security implications of exposing folders from the host into the container.
Description framework properties:
| Property name | Property value |
|---|---|
| Format | int |
| Access Type | Add, Delete, Get, Replace |
| Allowed Values | Range: [0-1] |
| Default Value | 1 |
| Dependency [WindowsSandbox_AllowWriteToMappedFolders_DependencyGroup] | Dependency Type: DependsOn Dependency URI: Device/Vendor/MSFT/Policy/Config/WindowsSandbox/AllowMappedFolders Dependency Allowed Value: [1] Dependency Allowed Value Type: Range |
Group policy mapping:
| Name | Value |
|---|---|
| Name | AllowMappedFolders |
| Friendly Name | Allow mapping folders into Windows Sandbox |
| Location | Computer Configuration |
| Path | Windows Components > Windows Sandbox |
| Registry Key Name | SOFTWARE\Policies\Microsoft\Windows\Sandbox |
| Registry Value Name | AllowMappedFolders |
| ADMX File Name | WindowsSandbox.admx |