Windows Sandbox
7 Topics

Internet Traffic blocked in Edge Sandbox Mode (Windows Defender Application Guard)
I have successfully activated Windows Defender Application Guard, but surfing in Edge Sandbox Mode has been impossible. All required GPOs and additional requirements, as described here:
https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/configure-md-app-guard
https://learn.microsoft.com/en-us/windows/security/application-security/application-isolation/microsoft-defender-application-guard/faq-md-app-guard
have been configured accordingly. I had a tip from Microsoft support that my firewall could be blocking traffic (NAT) coming from the host computer, so I should allow all IP subnets in the range of 172.x.x.x or 192.x.x.x. I have tested that by allowing this traffic in Trellix, including remote ports 49700–65535, as described in the Trellix documentation here: https://kcm.trellix.com/corporate/index?page=content&id=KB88788, but to no avail. Could there be any other underlying root causes in a typical enterprise environment where systems have been hardened using security policies defined by CIS? What rules can be exempted here in order to allow this kind of traffic? Does anybody have experience with this kind of environment or issue? Some tips will be welcomed.

676 Views, 0 likes, 0 Comments

[Resolved] Windows Sandbox has NO Internet when the host is connected to a VPN
When the host is connected to a VPN, such as PPTP/L2TP, and then I launch Windows Sandbox, I have no internet in it. Please fix this. This problem existed on build 19H1 and it still exists on build 20H1 (18885). Old post, no longer an issue.

33K Views, 3 likes, 28 Comments

Blogpost - Starting Windows Sandbox with parameters
Wrote a blog post about how to start Windows Sandbox from a PowerShell function. Below is the Start-Sandbox function that I made. (For more details: https://powershellisfun.com/2022/06/25/start-windows-sandbox-with-parameters/)

The script:

    #https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file
    function Start-Sandbox {
        param(
            [parameter(Mandatory = $false)][string]$MappedFolder,
            [parameter(Mandatory = $false)][string]$MemoryInMB,
            [parameter(Mandatory = $false)][string]$LogonCommand,
            [switch]$vGPUdisable,
            [switch]$AudioInputDisable,
            [switch]$ClipboardRedirectionDisable,
            [switch]$MappedFolderWriteAccess,
            [switch]$NetworkingDisable,
            [switch]$PrinterRedirectionEnable,
            [switch]$ProtectedClientEnable,
            [switch]$VideoInputEnable
        )

        #Validate if $mappedfolder exists
        if ($MappedFolder) {
            if (Test-Path $MappedFolder -ErrorAction SilentlyContinue) {
                Write-Host ("Specified {0} path exists, continuing..." -f $MappedFolder) -ForegroundColor Green
            }
            else {
                Write-Host ("Specified {0} path doesn't exist, exiting..." -f $MappedFolder) -ForegroundColor Red
                return
            }
        }

        #Set Read-Only or Read-Write (the value is written to the <ReadOnly> element)
        if ($MappedFolderWriteAccess) {
            $WriteAccess = 'false'
        }
        else {
            $WriteAccess = 'true'
        }

        #Create .wsb config file
        $wsb = @()
        $wsblocation = "$($env:Temp)\sandbox.wsb"
        $wsb += "<Configuration>"
        if ($vGPUdisable) {
            $wsb += "<VGpu>Disable</VGpu>"
        }
        if ($AudioInputDisable) {
            $wsb += "<AudioInput>Disable</AudioInput>"
        }
        if ($ClipboardRedirectionDisable) {
            $wsb += "<ClipboardRedirection>Disable</ClipboardRedirection>"
        }
        if ($MappedFolder) {
            $wsb += "<MappedFolders>"
            $wsb += "<MappedFolder>"
            #XML-escape the path so characters such as & do not break the config file
            $wsb += "<HostFolder>$([System.Security.SecurityElement]::Escape($MappedFolder))</HostFolder>"
            $wsb += "<ReadOnly>$($WriteAccess)</ReadOnly>"
            $wsb += "</MappedFolder>"
            $wsb += "</MappedFolders>"
        }
        #Only write <MemoryInMB> when a value was passed (an omitted [string] parameter is empty, not $null)
        if ($MemoryInMB) {
            $wsb += "<MemoryInMB>$($MemoryInMB)</MemoryInMB>"
            #Cast to [int] so the comparison is numeric instead of a string comparison
            if ([int]$MemoryInMB -le 2048) {
                Write-Host "$($MemoryInMB) Mb(s) specified, Windows Sandbox will automatically allocate more if needed..." -ForegroundColor Yellow
            }
        }
        if ($NetworkingDisable) {
            $wsb += "<Networking>Disable</Networking>"
        }
        if ($LogonCommand) {
            $wsb += "<LogonCommand>"
            #XML-escape the command so characters such as & or < do not break the config file
            $wsb += "<Command>$([System.Security.SecurityElement]::Escape($LogonCommand))</Command>"
            $wsb += "</LogonCommand>"
        }
        if ($PrinterRedirectionEnable) {
            $wsb += "<PrinterRedirection>Enable</PrinterRedirection>"
        }
        if ($ProtectedClientEnable) {
            $wsb += "<ProtectedClient>Enable</ProtectedClient>"
        }
        if ($VideoInputEnable) {
            $wsb += "<VideoInput>Enable</VideoInput>"
        }
        $wsb += "</Configuration>"

        #Create sandbox .wsb file in $env:\temp and start Windows Sandbox using it
        $wsb | Out-File $wsblocation -Force:$true
        Write-Host ("Starting Sandbox...") -ForegroundColor Green
        Invoke-Item $wsblocation

        #Wait for Windows Sandbox to start and delete the sandbox config file
        Start-Sleep -Seconds 5
        Remove-Item -Force:$true -Confirm:$false -Path $wsblocation
        Write-Host ("Done!") -ForegroundColor Green
    }

1.3K Views, 0 likes, 0 Comments

[Request] be able to restart Windows Sandbox | Persistent vs Temporary Sandbox
Windows Sandbox cannot be used for testing any software installation which requires a restart. This is one of its shortcomings. I think Microsoft should implement some kind of setting in the future to allow a 'persistent' Sandbox besides the current temporary Sandbox, so that the user will be asked before launching it whether they want a Temporary or Persistent sandbox.
Temporary = everything is wiped clean after closing.
Persistent = everything will be there even after host device restart/shutdown or Windows Sandbox (guest OS) restart.

25K Views, 9 likes, 2 Comments

Windows Sandbox has the old legacy Edge instead of new Edge browser, in Windows insider 20H2 Beta
This is the Windows 10 build in which the new Edge officially replaces the legacy Edge by default, but in Windows Sandbox's image, the old Edge is still there, with no sign of the new Edge.
OS Build: 19042.610 insider beta
Feedback hub: https://aka.ms/AA9yilc

3.2K Views, 2 likes, 0 Comments