For a while now, software makers have been making it safer, through various means, to run applications you don’t quite trust. Techniques such as protected memory have helped, and the widespread availability of virtualisation lets you create disposable environments. But Microsoft is taking that a step further with a new feature called Windows Sandbox. It extends a capability that is already part of Windows 10 to let you run whatever app you want in a VM that is created on demand and destroyed when you are done with it.
VMs are already a part of Windows 10. Microsoft uses them to protect specific elements of the operating system and to run tabs in the Edge browser so that one errant tab doesn’t break the rest of your system.
Windows Sandbox uses a few tricks, such as sharing files with the host operating system, Windows 10, so a new VM can be created quickly. It also means the VM is always at the same version number as the host system and, assuming you regularly patch your operating system, will always be up to date so you don’t have to maintain a virtual environment separately.
The virtualisation functions are quite impressive and include, if you’re running a video card with WDDM 2.5 drivers, hardware acceleration. Older cards use software-emulated graphics.
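A concrete way to put the mechanism above to work, as an added example that is not part of the original article: the PowerShell below enables the feature and launches a locked-down sandbox session for an untrusted installer. It assumes Windows 10 Pro or Enterprise with virtualisation enabled in firmware, an elevated session, and Microsoft’s published .wsb configuration schema (VGpu, Networking, MappedFolders, LogonCommand), which the article does not describe; the folder paths are placeholders.

```powershell
# Added example (not from the original article): enable Windows Sandbox and
# run an untrusted program inside it with a locked-down configuration.
# Assumes Windows 10 Pro/Enterprise, virtualisation enabled in firmware,
# an elevated PowerShell session, and Microsoft's documented .wsb schema.
# All paths below are placeholders.

# 1. Enable the optional feature (one-time; a reboot is required before first use).
$feature = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM'
if ($feature.State -ne 'Enabled') {
    Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart
    Write-Host 'Windows Sandbox enabled; reboot before first use.'
}

# 2. Stage the file under test in a host folder that will be mapped read-only.
$hostFolder = 'C:\SandboxDrop'                       # placeholder host path
New-Item -ItemType Directory -Path $hostFolder -Force | Out-Null
# Copy-Item 'C:\Downloads\untrusted-setup.exe' $hostFolder   # placeholder sample

# 3. Write a .wsb configuration:
#    - Networking disabled so the program cannot reach anything on the network
#    - vGPU disabled (software rendering only; smaller virtual hardware surface)
#    - host folder mapped read-only so the sandbox cannot alter the original file
#    - a logon command that opens the mapped folder on the sandbox desktop
#    Mapped folders appear under the sandbox user's Desktop with the same name.
$wsb = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostFolder</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Desktop\SandboxDrop</Command>
  </LogonCommand>
</Configuration>
"@
$wsbPath = Join-Path $env:TEMP 'isolated-test.wsb'
Set-Content -Path $wsbPath -Value $wsb -Encoding UTF8

# 4. Launch the sandbox. Closing its window discards the VM and everything in it.
Start-Process -FilePath 'WindowsSandbox.exe' -ArgumentList "`"$wsbPath`""
```

Disabling the vGPU gives up the hardware acceleration mentioned above in exchange for exposing less virtual hardware to the guest; switch it back to Enable only when the program under test actually needs it. Because the VM is thrown away on close, copy out any logs or results you want to keep (for example into a second, writable mapped folder) before closing the window.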
Virtualisation isn’t new, and the ability to dynamically create and destroy VMs has been around for a while as well. Some security appliances, such as those made by FireEye, use a similar method to verify that software traversing a network is safe by testing attachments in VMs that are created in real time. But bringing this to consumer software is a strong move.
I’ve been expecting this capability for some time. It makes sense, in an era where “trust, but verify” should be standard operating procedure, that we need a way to safely run applications in isolation from each other quickly and easily.
Windows Sandbox is a strong move by Microsoft that will enhance endpoint security and reliability.