Win32 App Isolation: Another Sandbox

• Win32 App Isolation is a new Windows 11 feature, in preview, that could enhance protection against apps causing security and privacy breaches.
• Developers must package apps to use the feature; thus it protects against unintended breaches rather than rogue apps, and app support for it is optional.
• The feature adds to a long, somewhat confusing list of offerings that aim to protect against apps and content that cause breaches on Windows.

Win32 App Isolation uses new AppContainer technology coming in Windows 11 to limit an app’s access to resources beyond its boundaries that could lead to breaches. The feature is the latest in a long history of attempts to grant the fewest privileges necessary to Windows applications so they cannot perform detrimental actions.

Overview

Win32 App Isolation relies on the AppContainer feature (unrelated to Docker-style containers) to limit app privileges by running them in a “low integrity” mode. This mode restricts which Windows APIs apps can call and prevents them from injecting code into higher-integrity processes. Furthermore, it uses Brokering File System (BFS) to broker and restrict file access with the primary file system, virtualizing access to files, which can be safer than allowing apps direct access. Access to the registry, network, and other resources is also restricted and virtualized.