Merge pull request #10520 from MicrosoftDocs/main
Published main to live, Friday 5:00 PM IST, 01/24
padmagit77 authored Jan 24, 2025
2 parents 3ee9442 + d24b7b5 commit 8fb995f
Showing 16 changed files with 605 additions and 256 deletions.
5 changes: 5 additions & 0 deletions .openpublishing.redirection.windows-security.json
@@ -5,6 +5,11 @@
"redirect_url": "/windows/security/hardware-security/kernel-dma-protection-for-thunderbolt",
"redirect_document_id": false
},
{
"source_path": "windows/security/application-security/application-isolation/windows-sandbox/windows-sandbox-overview.md",
"redirect_url": "/windows/security/application-security/application-isolation/windows-sandbox/index",
"redirect_document_id": false
},
{
"source_path": "windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md",
"redirect_url": "/windows/security/hardware-security/enable-virtualization-based-protection-of-code-integrity",
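Review bot: The new redirect entry (`windows-sandbox-overview.md` to `/windows/security/application-security/application-isolation/windows-sandbox/index`) matches the shape of the neighbouring entries, extension-less `redirect_url` and `redirect_document_id: false`, so nothing to change in the JSON itself. Only confirm that the old `windows-sandbox-overview.md` is actually deleted in this same commit: a redirect whose source file still exists leaves the page shadowed and easy to miss in review.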
24 changes: 10 additions & 14 deletions windows/security/application-security/application-isolation/toc.yml
@@ -1,20 +1,16 @@
items:
- name: Microsoft Defender Application Guard (MDAG)
href: microsoft-defender-application-guard/md-app-guard-overview.md
- name: MDAG for Edge standalone mode
href: microsoft-defender-application-guard/md-app-guard-overview.md
- name: MDAG for Edge enterprise mode and enterprise management 🔗
href: /deployedge/microsoft-edge-security-windows-defender-application-guard
- name: MDAG for Microsoft Office
href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
- name: MDAG configure via MDM 🔗
href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp
items:
- name: MDAG for Microsoft Edge standalone mode
href: microsoft-defender-application-guard/md-app-guard-overview.md
- name: MDAG for Microsoft Edge enterprise mode and enterprise management 🔗
href: /deployedge/microsoft-edge-security-windows-defender-application-guard
- name: MDAG for Microsoft Office
href: https://support.microsoft.com/office/application-guard-for-office-9e0fb9c2-ffad-43bf-8ba3-78f785fdba46
- name: Configure MDAG via MDM 🔗
href: /windows/client-management/mdm/windowsdefenderapplicationguard-csp
- name: App containers 🔗
href: /virtualization/windowscontainers/about
- name: Windows Sandbox
href: windows-sandbox/windows-sandbox-overview.md
items:
- name: Windows Sandbox architecture
href: windows-sandbox/windows-sandbox-architecture.md
- name: Windows Sandbox configuration
href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md
href: windows-sandbox/index.md
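Review bot: With the `Windows Sandbox` entry now pointing at `windows-sandbox/index.md` and its two children (`windows-sandbox-architecture.md`, `windows-sandbox-configure-using-wsb-file.md`) removed, nothing in this TOC references those pages any more; if the intent is to delegate to the new per-folder `toc.yml`, this entry should reference that TOC rather than `index.md`, otherwise confirm the dropped pages are still reachable from navigation. Separately, the parent `Microsoft Defender Application Guard (MDAG)` node and its child `MDAG for Microsoft Edge standalone mode` both resolve to `microsoft-defender-application-guard/md-app-guard-overview.md`, which gives the reader two TOC nodes for one page; consider removing the `href` from the parent or pointing the child at a dedicated page.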
@@ -0,0 +1,43 @@
---
title: Windows Sandbox
description: Windows Sandbox overview
ms.topic: overview
ms.date: 09/09/2024
---

# Windows Sandbox

Windows Sandbox (WSB) offers a lightweight, isolated desktop environment for safely running applications. It's ideal for testing, debugging, exploring unknown files, and experimenting with tools. Applications installed within the sandbox remain isolated from the host machine using hypervisor-based virtualization. As a disposable virtual machine (VM), Windows Sandbox ensures reboot persistence, quick launch times, and a lower memory footprint compared to full VMs. Its one-click setup simplifies the user experience.

The sandbox is temporary; closing it deletes all software, files, and state. Each launch provides a fresh instance. Host-installed software isn't available in the sandbox. Applications needed within the sandbox must be installed there explicitly.

> [!NOTE]
> Starting with Windows 11, version 22H2, data persists through restarts initiated within the sandbox, useful for applications requiring a reboot.
Windows Sandbox offers the following features:

- **Part of Windows**: Everything required for this feature is included in the supported Windows editions like Pro, Enterprise, and Education. There's no need to maintain a separate VM installation.
- **Disposable**: Nothing persists on the device. Everything is discarded when the user closes the application.
- **Pristine**: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
- **Secure**: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
- **Efficient**: Takes a few seconds to launch, supports virtual GPU, and has smart memory management that optimizes memory footprint.

> [!IMPORTANT]
> Windows Sandbox enables network connection by default. It can be disabled using the [Windows Sandbox configuration file](windows-sandbox-configure-using-wsb-file.md#networking). Enabling networking can expose untrusted applications to the internal network.
WSB can be used without any technical skills in various scenarios where users need a secure, clean environment for testing or running potentially harmful software. Here are some ways in which you can use WSB:

- **Clean environment for software testing**: Test or debug your applications in WSB's clean environment to identify and resolve bugs or compatibility issues.
- **Secure web browsing**: Use WSB for secure web browsing, especially when accessing unfamiliar or potentially dangerous websites without putting your system at risk of malware infection.
- **Running Untrusted Applications**: Mitigate security risks by opening untrusted applications or files, such as email attachments in WSB. Improve your safety and security by opening a sandbox with networking disabled and mapping the folder with the application or file you want to open to the sandbox in read-only mode. Check [Sample configuration files](windows-sandbox-sample-configuration.md) for more details.
- **Testing or demoing new software for the first time**: Test drive or demo new software, preview versions, extensions, or add-ons without the hassle of installing and then uninstalling on your host machine.
- **Maintaining multiple dev environments**: Streamline your development process by utilizing WSB to maintain multiple sandboxes for different development environments. For example, maintain a sandbox for each python version and its dependencies!

> [!NOTE]
> Windows Sandbox currently doesn't allow multiple instances to run simultaneously.

[!INCLUDE [windows-sandbox](../../../../../includes/licensing/windows-sandbox.md)]

> [!NOTE]
> Windows Sandbox is currently not supported on Windows Home edition.
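Review bot: The `> [!NOTE]` block ending `...applications requiring a reboot.` and the `> [!IMPORTANT]` block ending `...to the internal network.` are each followed directly by a paragraph (`Windows Sandbox offers the following features:` and `WSB can be used without any technical skills...`) with no blank line in between; in Markdown those lines are lazy continuations of the blockquote and will render inside the callout. Insert a blank line after each alert. Also, `ensures reboot persistence` in the opening paragraph reads as a contradiction of the `Disposable` bullet (`Nothing persists on the device`); the NOTE already states the precise rule (only restarts initiated inside the sandbox keep state, since Windows 11 22H2), so the intro should say that instead. Minor: `Running Untrusted Applications` is the only title-cased bullet label, and `python` should be `Python`.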
@@ -0,0 +1,26 @@
items:
- name: Windows Sandbox
href: index.md
- name: Overview
expanded: true
items:
- name: Windows Sandbox versions
href: windows-sandbox-versions.md
- name: Architecture
href: windows-sandbox-architecture.md
- name: Install Windows Sandbox
href: windows-sandbox-install.md
- name: Use & configure Windows Sandbox
href: windows-sandbox-configure-using-wsb-file.md
- name: Windows Sandbox command line interface
href: windows-sandbox-cli.md
- name: Tutorials
items:
- name: Sample configuration files
href: windows-sandbox-sample-configuration.md
- name: WindowsSandbox Policy CSP 🔗
href: /windows/client-management/mdm/policy-csp-windowssandbox
- name: Frequently asked questions
href: windows-sandbox-faq.yml
- name: Troubleshooting
href: windows-sandbox-troubleshoot.md
@@ -2,7 +2,7 @@
title: Windows Sandbox architecture
description: Windows Sandbox architecture
ms.topic: conceptual
ms.date: 03/26/2024
ms.date: 09/09/2024
---

# Windows Sandbox architecture
@@ -27,18 +27,10 @@ Traditional VMs apportion statically sized allocations of host memory. When reso

## Memory sharing

Because Windows Sandbox runs the same operating system image as the host, it's enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when *ntdll.dll* is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.
Because Windows Sandbox runs the same operating system image as the host, it's enhanced to use the same physical memory pages as the host for operating system binaries via a technology referred to as "direct map." For example, when `ntdll.dll` is loaded into memory in the sandbox, it uses the same physical pages as those pages of the binary when loaded on the host. Memory sharing between the host and the sandbox results in a smaller memory footprint when compared to traditional VMs, without compromising valuable host secrets.

![A chart compares the memory footprint in Windows Sandbox versus a traditional VM.](images/3-memory-sharing.png)

## Integrated kernel scheduler

With ordinary virtual machines, the Microsoft hypervisor controls the scheduling of the virtual processors running in the VMs. Windows Sandbox uses a new technology called "integrated scheduling," which allows the host scheduler to decide when the sandbox gets CPU cycles.

![A chart compares the scheduling in Windows Sandbox versus a traditional VM.](images/4-integrated-kernal.png)

Windows Sandbox employs a unique policy that allows the virtual processors of the Sandbox to be scheduled like host threads. Under this scheme, high-priority tasks on the host can preempt less important work in the Sandbox. This preemption means that the most important work is prioritized, whether it's on the host or in the container.

## WDDM GPU virtualization

Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intensive use cases. Microsoft works with its graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and Windows Display Driver Model (WDDM), the driver model used by Windows.
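Review bot: Removing the whole `## Integrated kernel scheduler` section also drops the only reference to `images/4-integrated-kernal.png`; either delete the now-orphaned image in the same change or confirm it is still used elsewhere. The PR description does not say why the section goes, and the only other change to this file is the `ms.date` bump plus `*ntdll.dll*` becoming `` `ntdll.dll` ``, so a reader of the history will take this for a cosmetic edit; add a sentence in the description explaining the removal (for example, that the scheduling behaviour no longer applies or is documented elsewhere).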
@@ -0,0 +1,101 @@
---
title: Windows Sandbox command line
description: Windows Sandbox command line interface
ms.topic: how-to
ms.date: 10/22/2024
---

# Windows Sandbox command line interface

Starting with Windows 11, version 24H2, the Windows Command Line Interface (CLI) offers powerful tools for creating, managing, and controlling sandboxes, executing commands, and sharing folders within sandbox sessions. This functionality is especially valuable for scripting, task automation, and improving development workflows. In this section, you'll explore how the Windows Sandbox CLI operates, with examples demonstrating how to use each command to enhance your development process.

**Common parameters**:

- `--raw`: Formats all outputs in JSON format.
- `-?, -h, --help`: Show help and usage information

## Start

The start command creates and launches a new sandbox. The command returns the sandbox ID, which is a unique identifier for the sandbox. The sandbox ID can be used to refer to the sandbox in other commands.

- `--id <id>`: ID of the Windows Sandbox environment.
- `--c, --config <config>`: Formatted string with the settings that should be used to create the Windows Sandbox environment.

**Examples**:

- Create a Windows Sandbox environment with the default settings:

```cmd
wsb start
```
- Create a Windows Sandbox environment with a custom configuration:
```cmd
wsb start --config "<Configuration><Networking>Disabled</Networking></Configuration>"
```
## List
The list command displays a table that shows the information the running Windows Sandbox sessions for the current user. The table includes the sandbox ID. The status can be either running or stopped. The uptime is the duration that the sandbox has been running.
```cmd
wsb list
```

## Exec

The exec command executes a command in the sandbox. The command takes two arguments: the sandbox ID and the command to execute. The command can be either a built-in command or an executable file. The exec command runs the command in the sandbox and returns the exit code. The exec command can also take optional arguments that are passed to the process started in the sandbox.

> [!NOTE]
> Currently, there is no support for process I/O meaning that there is no way to retrieve the output of a command run in Sandbox.
An active user session is required to execute a command in the context of the currently logged on user. Therefore, before running this command a remote desktop connection should be established. This can be done using the [connect](#connect) command.

- `--id <id>` (REQUIRED): ID of the Windows Sandbox environment.
- `-c, --command <command>` (REQUIRED): The command to execute within Windows Sandbox.
- `-r, --run-as <ExistingLogin|System>` (REQUIRED): Specifies the user context to execute the command within. If the System option is selected, the command runs in the system context. If the ExistingLogin option is selected, the command runs in the currently active user session or fails if there's no active user session.
- `-d, --working-directory <directory>`: Directory to execute command in.

```cmd
wsb exec –-id 12345678-1234-1234-1234-1234567890AB -c app.exe -r System
```

## Stop

The stop command stops a running Windows Sandbox session. The command takes the sandbox ID as an argument.

The stop command terminates the sandbox process and releases the resources allocated to the sandbox. The stop command also closes the window that shows the sandbox desktop.

```cmd
wsb stop --id 12345678-1234-1234-1234-1234567890AB
```

## Share

The share command shares a host folder with the sandbox. The command takes three arguments: the sandbox ID, the host path, and the sandbox path. The host path should be a folder. The sandbox path can be either an existing or a new folder. An Additional, `--allow-write` option can be used to allow or disallow the Windows Sandbox environment to write to the folder.

- `--id <id>` (REQUIRED): ID of the Windows Sandbox environment.
- `-f, --host-path <host-path>` (REQUIRED): Path to folder that is shared from the host.
- `-s, --sandbox-path <sandbox-path>` (REQUIRED): Path to the folder within the Windows Sandbox.
- `-w, --allow-write`: If specified, the Windows Sandbox environment is allowed to write to the shared folder.

```cmd
wsb share --id 12345678-1234-1234-1234-1234567890AB -f C:\host\folder -s C:\sandbox\folder --allow-write
```

## Connect

The connect command starts a remote session within the sandbox. The command takes the sandbox ID as an argument. The connect command opens a new window with a remote desktop session. The connect command allows the user to interact with the sandbox using the mouse and keyboard.

```cmd
wsb connect --id 12345678-1234-1234-1234-1234567890AB
```

## IP

The ip command displays the IP address of the sandbox. The command takes the sandbox ID as an argument.

```cmd
wsb ip --id 12345678-1234-1234-1234-1234567890AB
```
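Review bot: The `exec` example `wsb exec –-id 12345678-...` uses a Unicode en dash (U+2013) followed by a hyphen instead of `--id`; copied as-is, the option will not be recognised. Replace it with two ASCII hyphens. In the `start` option list, `--c, --config <config>` should be `-c, --config <config>` to match the single-dash short forms used everywhere else (`-c, --command`, `-r, --run-as`, `-f, --host-path`). The `> [!NOTE]` ending `...run in Sandbox.` is followed directly by `An active user session is required...` with no blank line, so that paragraph renders inside the callout. In the `share` section, `An Additional, `--allow-write` option can be used to allow or disallow...` is both ungrammatical and misleading: the flag list says the share is writable only when `--allow-write` is specified, so state that shares are read-only by default and that `-w` opts in to writes. Since the overview on this branch recommends mapping folders read-only when opening untrusted files, it is worth adding one sentence here (and under `-r System` in `exec`) noting that a write-enabled share or a System-context command widens the channel between sandbox and host, so both should be used only when the workflow needs them. Minor: `shows the information the running Windows Sandbox sessions` is missing `about`, and `--raw` should say which commands emit output it applies to.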