Microsoft describes features of upcoming Windows Sandbox

by Mark Tyson on 19 December 2018, 12:11

Tags: Microsoft (NASDAQ:MSFT), Windows 10

Quick Link: HEXUS.net/qad2sm

Add to My Vault: x

In August the first signs that Microsoft was preparing a sandbox feature for Windows 10 emerged. An official page in the Microsoft Feedback Hub briefly appeared to describe such a security feature, but it was hastily removed after a few sites reported upon its existence. At the time the sandbox functionality came under the feature name of InPrivate Desktop and would require Windows 10 Enterprise, and various minimal hardware specs.

A few hours ago Microsoft published a blog post, in the Windows Kernel Internals section, detailing "a new lightweight desktop environment tailored for safely running applications in isolation". Now, almost ready for prime time, it has been renamed succinctly and descriptively Windows Sandbox.

click to zoom

The Microsoft blog post covers everything you would need to know, in a brief summary and then in more depth. The purpose of the new Sandbox is, as you might expect, to provide "an isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC". Once you close the sandbox down all files and its state are permanently deleted, adds Microsoft.

The following key qualities of Windows Sandbox are highlighted:

  • Part of Windows – everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
  • Pristine – every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows
  • Disposable – nothing persists on the device; everything is discarded after you close the application
  • Secure – uses hardware-based virtualization for kernel isolation, which relies on the Microsoft’s hypervisor to run a separate kernel which isolates Windows Sandbox from the host
  • Efficient – uses integrated kernel scheduler, smart memory management, and virtual GPU

In some technical details it provides, Microsoft says that Windows Sandbox is based upon the same technologies as Windows Containers, designed to enable its cloud portfolio. Important changes to Windows Sandbox since it was known as InPrivate Desktop are; that it is now indicated to be available for both Enterprise and Pro customers, and that resource demands now seem to have been reduced. Users still need a PC capable of virtualisation.

ZDNet's Mary J Foley notes that Windows Sandbox is available to users of Windows 10 Pro or Enterprise running Insider Build 18301 or later – a version not available at the time of writing but expected later in the week. When it WIndows Sandbox is available it is selectable within the Windows Features control panel, see directly above. Foley thinks the feature could reach a finished release of Windows 10 in the first half of 2019.



HEXUS Forums :: 9 Comments

Login with Forum Account

Don't have an account? Register today!
This sounds like a really excellent feature, although can't help feeling it is hamstrung by not offering application persistence. It'd be handy to install select applications in their own sandbox environments. For example, it'd be useful to install Chrome or Firefox each in their own sandbox, for secure browsing, and similarly with an email client.

I'm reminded how XP mode on Win7 allowed XP apps to live on the Win7 Start Menu and run “transparently” from inside the XP VM. Something similar with MS-approved W10 sandbox would be really helpful.
Irien
This sounds like a really excellent feature, although can't help feeling it is hamstrung by not offering application persistence. It'd be handy to install select applications in their own sandbox environments. For example, it'd be useful to install Chrome or Firefox each in their own sandbox, for secure browsing, and similarly with an email client.

If you need that then you have the already available HyperV. Or install VMWare/VirtualBox. I'm also assuming, by not having persistence, it negates the issues of extra licenses too.
I used virtual PC to run any not so trusted software and this will make such work unnecessary and improve security greatly.
Isn't this just a VM without persistence (and no need for a VHD)? Or am I missing something? Nice to have I guess but I wouldn't download something I didn't trust.
cheesemp
Isn't this just a VM without persistence (and no need for a VHD)? Or am I missing something? Nice to have I guess but I wouldn't download something I didn't trust.
Essentially yes with 2 main changes as o read it.

1. No need for a second windows licence.

2. Much smaller hard drive footprint.