One of my favorite uses for this is creating .wsb files that would launch a script and install zoom/WebEx/etc so I would not have to install them on my PC. The video and audio worked just well enough for me to get away with and it was easier to screen share what I was doing within the container and avoid sharing anything extra (ex: notifications).
Not the op, but... The video chat my company uses is indeed a critical work software.
The 27 other obscure video chats that people around the world use, though, are not. And they all want to dig their claws into your registry and drive and startup. And then flash incomprehensible error messages on reboot. And constantly run in background and uodate and ask for ever more permissions.
In Windows 11 you can restart it without losing data, though, which is nice, since its so fast that it starts almost instantly. Because of that speed, I test all the funky software in it first, and some I run in it exclusivelly as you can create "run in Windows Sandbox" fairly easyly and customize what runs on startup via pwsh script.
I would love the option for it to survive the closure though, that would open entire new world of possibilities. It doesn't have to compete with full HyperV setup if you open just a few more options.
Yeah, I don't 100% trust the new CurseForge app for updating World of Warcraft addons, but it's kind of necessary when you have 10+ addons. But with some poking and a Windows Sandbox configuration file, I can just launch it in a sandbox now and mount the addons directory, update/install, and wipe the sandbox.
It's a neat Sandboxie replacement once you start playing with mounts and startup scripts.
In Windows 11 you can restart it without losing data,
So did they also fix the rather annoying issue that if you shutdown the OS in sandbox it displays a 'The connection to the sandbox was lost.' dialog instead of quitting the process? We use it to run automated tests, for which it is actually pretty great with the .wsb files makeing it easy to get data into it and run script, but it's a bit silly one needs to workaround detection of whether the thing exited by using files for signalling the script is done with a timeout then killing all involved processes.
There are various websites that resell MSDNAA keys for 2 Euros or so[1].
I got a Win11 Pro and Office 2021 Pro for dirt cheap there, the keys worked (after a phone activation IIRC), and haven't had any problems so far. Without access to such prices I would have switched to Linux and LibreOffice already as there's no way I can pay full retail prices for those.
Beware this is a legal gray area, I'm not affiliated, not endorsing this practice, and not responsible for your outcome. I assume Microsoft is aware of these practices but turns a blind eye as that just means more users into their ecosystem anyway, so why ruin the party.
Windows Sandbox, together with WSL, have liberated me from VirtualBox/VMware Workstation. So thankful for that. Now I only wait for native USB support in WSL.
It's a shame to see Windows Sandbox and also Docker touted as novel features. The operating system was supposed to be the original sandbox. Processes run on time slices of a virtual CPU using memory on a virtual address space and accessing a virtual file system. But there are many complicated APIs that are difficult to secure, and the VFS encourages persistent global state shared by all processes.
This is basically Microsoft's big chance to create Docker for windows. Prebaked images on top of this lightweight layer and shared folders which are already supported.
I'd love to see this happen on environments where you need Windows, but you still want the ease of deployment feature of Docker
Except Docker containers doesn't actually run on Windows as they do on Linux (Linux containers that is, I don't know how Windows containers does it). What Docker Desktop does is creating a WSL VM for running your containers, which is basically what everyone did before as well (on both macOS and Windows), but with a easier setup.
Windows Containers are a Windows-native container solution. No Linux kernel need be involved. This lives alongside Linux VM-based containers in Docker Desktop. Obviously you can only run Windows-based images, which confuses people that think Containers=linux. I think BSD has a similar concept as well. https://wiki.freebsd.org/Docker
Yeah, that's what I would have guessed. Fortunately (unfortunately for some?), most containers are Linux-based, both for deployment and development purposes.
At least on Windows, Hyper-V isolated containers are also a supported feature, which should also ensure kernel isolation.
I assume Kata containers or any other virtualization backed solution would give you similar guarantees.
They point of containers is that they do share the same kernel, and that each container is just a different namespace.
If each entity has a different kernel, they are VMs. VMs can be also pretty thin and have shared immutable store for their base image, but they are not containers anymore. Similarly, Xen DOM-Us are also VMs.
This feels like an opportunity for Microsoft to start finally cutting out legacy cruft. Guarantee a 100% pre-Windows 12 seamless emulation layer. Once that is established, it becomes more possible to port to ARM, RISC, or make foundational breaking API changes that have been desired for decades.
That was the plan for Windows 10X, this would’ve been used as a Win32 compatibility layer. But that plan was killed (hardware compatibility?) and the UI was ported to regular Windows 10 to make Windows 11.
Windows containers for docker exist for a long time already, they are even compatible with k8s. And they are just a mess. Windows is not really a suitable platform for containerized apps.
If you want a sandboxed App environment for windows, there are the UWP/Store apps, which are also not that great.
I have the feeling that Microsoft kind of gave up on windows and is trying to move everything into the cloud and the browser.
I think that’s what they are doing. Most new sever side products they release have first class Linux support. And most new desktop applications are web based. Also Edge is supported on Linux.
And Linux - every Azure blade has an embedded ARM SoC running a hardened Linux with various daemons that interface with both the Azure backend and the Windows host, control offloading of network and storage processing to the FPGA, and other tasks.
At least their managed Postgres service is running on Windows machines. I don’t know much about Azure but after seeing that I’m pretty convinced that most services they offer run on a Windows kernel.
Many of their PaaS platforms are controlled by Service Fabric running on Windows. For example, Azure SQL Managed Instance is in this category. You can see the "SF" paths in a few places.
I've been learning a bit about Service Fabric recently. It seems to predate Kubernetes and appears to scale far higher because it has native support for partitioning large clusters by "tenant id hash" or similar keys.
First time I started Windows Sandbox was to test install some software program I didn't trust and want to see if Windows Defender would detect virus, adware, etc before installing it for real. Turns out that Windows Defender is disabled in Windows Sandbox and you get an access denied when you try to enable it.
Installing it in the sandbox first does not help you determine if a script or software is malicious and that removes my primary use case for this feature. I sometimes wonder what exactly the Windows Sandbox if for if anti-virus wont run inside of it.
Can anyone elaborate why I am being downvoted? It is a fact that Windows Defender is disabled and that you get zero feedback from the sandbox if you try to install something malicious. You cannot even go into Windows Security settings. It seems like it is all entirely disabled.
Isn't that one of the main use cases for running something in a sandbox first instead of trying it out on a live system?
You are correct that this is one of the limitations of Sandbox today, and we are aware of the feedback on this.
I believe you should be able to install other anti virus software, but at least today unfortunately Defender isn’t part of Sandbox.
There are some pretty neat things about Windows Sandbox, it starts in about 3 or 4 seconds on my machine, and is integrated with file copy and paste.
One unconventional use I found for it was in troubleshooting the networking speeds of my desktop being lower than expected, and it turned out that network tuning was broken in some terrible way that went away with a simple reset command.
It would be nice if there was a way to persist this. There are instances where you want to have either a clean environment to work in or you want to isolate something from your primary machine but you also don't want it to just get destroyed when you are done. Maybe this is a feature of this and I'm just not understanding it properly.
For instances were I want to have a more persisted state I would create a Sandbox file (with file extension .wsb) which just runs a setup script when the environment starts.
So basically what you would do with a provisioning script when using VM's.
The sandbox persists through a restart (to allow for the installation of software that requires a reboot) but never persists after Windows Sandbox is closed.
That’s the big distinction from Hyper-V or other virtualization products; otherwise, it’s just a Hyper-V VM with a prebaked Windows image and fewer options.
Not completely, it uses the Krypton microVM part of Hyper-V that is used for WSL2, Application Guard, and nothing else. I wish I could arbitrarily run Windows microVMs outside of sandbox.
That's not how I'd interpret it, it makes sense that if you restart the sandbox from inside the sandbox it doesn't get destroyed, but it doesn't seem to change anything else. If you shutdown the sandbox from outside it would still be destroyed.
It is a Hyper-V backed VA backed VM.
It shared memory with the host in the same fashion that WSL does, as opposed to carving out physical memory.
We have some additional optimizations to make it snappier than running a full vm.
It's a great tool.
We've been using it as a windows replacment for Linux live.
I have 2 wishes from this feature.
1. Use more than one screen.
2. Have the ability to extend the dockerfile so i can preinstall software.
For (2.) I've been using wsb configs to script installs, or better yet map to storage that's preloaded with software that can be installed to an arbitrary location or is otherwise portable.
It’s a great tool but it’s becoming clear that this is another IE6 in 2002 situation. That is, MS has a killer feature but can’t recognize that and will let it fester until a competitor comes along in a decade. Real shame because even a small team could add some desperately needed updates.
All I want is to be able to sandbox Windows from all of Microsoft's crap. I don't leave my computers awake while windows is running anymore because the moment it detects inactivity it starts loading up a bunch of unsolicited processes that start scanning drives and stuff for who knows what reasons.
Running Hyper-V under the hood I imagine? The description makes it seem like this is targeted towards professional use cases (for example excluding it from Windows Home editions), but I'd like to see a future where every application installed on your computer gets such a sandbox by default.
Does it (respectively Hyper-V) still fundamentally break hibernation and/or hybrid sleep? In theory it sounds neat, but not having working suspend-to-disk is a no-go for me…
From a linked article[0], sandbox shares both memory pages and binaries with the host system. Which means it's always runs the exact same build as a host. Which means you can't use it to test Windows updates. Am I correct?
Developer on Sandbox here, if you were still interested in using sandbox for this, I’d love to hear more about the scenario you were working on and what roadblocks you hit.
Feel free to reach out (krithikrao at microsoft dot com).
This is technically a thing already on Windows. Games can run within UWP containers and they have everything they need to go and have far less universal access. But from what I've heard it's not fun to deal with and Steam will never support it.
wym "have their way with it"? I run both as my primary browser and AV, turned off all telemetry, any adware type service (News in Edge, Automatic Sample Submission in Defender), and they run alright. Not ideal of course, but what is?
It would be much more useful if you could save / restore checkpoints. And because it gets wiped on every reboot it means you can never test software that needs to restart the machine (to install services and whatnot).
> Note, however, that as of Windows 11 Build 22509, your data will persist through a restart initiated from inside the virtualized environment—useful for installing applications that require the OS to reboot.
At least 4 GB of RAM (8 GB recommended)
At least 1 GB of free disk space (SSD recommended)
At least two CPU cores (four cores with hyperthreading recommended)
1GB of free disk space is trivial, 2 CPU cores and 4GB is the minimum requirement for Windows 11; so its hardly “heavy requirements”, its basically “a relatively recent PC”.
Recommended is a bit more onerous, but, 8GB and 4 hyperthreading cores isn’t a lot . I’ve got a two-year-old midrange laptop (other than having a fairly nice dGPU for something not marketed for gaming, but that’s not really really relevant here) and its got 16GB of RAM and 6HT cores.
I would challenge recent. For a power user who would engage in these features, that feels like at least baseline specs from 10+ years ago. On a larf, I queried "dell 2012 laptop" and came to this review for a Dell XPS 15[0]. Probably a more performant laptop than the average user, but this thing has a quad-core with 8GB ram.
It’s fine to keep using old hardware, but with lower specs than that, windows 10/11 is completely unusable anyway. With such specs you probably want to use some lightweight Linux distribution, if you don’t enjoy looking at the hourglass-cursor most of your workday…
