In May, Microsoft announced a new security feature that will be introduced in Windows 11. The feature will enable Windows applications to run in isolated sandbox environments, which will enhance the overall security of the operating system. Recently, more information has been revealed about how this feature will work.
Microsoft has launched a public preview of the "Win32 app isolation" feature, which aims to enhance security by protecting against zero-day vulnerabilities and other potential threats. According to a blog post by Microsoft, this feature works by running apps with low privilege levels, making it more difficult for attackers to breach the container. Breaking out becomes a multi-step attack in which attackers have to target specific vulnerabilities, as opposed to having broad access. As a result, mitigation patches can be quickly applied, reducing the lifespan of the attack.
App isolation is similar to Snap or Flatpak applications on desktop Linux and the default permissions structure on macOS. Applications start with limited permissions and can request more as needed. Access to sensitive features such as the camera, microphone, location, images, files, and folders is blocked without the user's consent. Additionally, isolated apps have restricted access to the Windows Registry. Apps can request permission to specific files and folders, which are provided through a sandboxed file system called the Windows Brokering File System (BFS).
While the idea of limiting unnecessary permissions to improve privacy and security is appealing, it's important to note that Microsoft won't be automatically enabling this feature for all software. Instead, application developers must opt in to this measure, which differs from macOS, where file access and other functions require a permissions model for all software. While Microsoft has improved indicators for sensitive data usage, such as camera and VPN status icons on Windows 11, it may not be feasible to enable app isolation across all applications due to the current structure of Windows and the need for compatibility with legacy software for corporate customers.
Source: Windows Blog