Windows 11 ‘Win32 app isolation’ security feature now in preview

Posted on June 20, 2023 by

Microsoft announced the public preview launch of Win32 app isolation, a new Windows 11 security feature designed to sandbox Windows desktop applications using the Win32 API.

Recently announced during Microsoft’s Build 2023 conference, Win32 app isolation uses AppContainer to boost security by mitigating the potential harm caused by compromised applications and protecting the user’s privacy.

It also ensures that apps are running with low privilege and implements the principle of least privilege to prevent unauthorized access to the user’s information without first asking for consent.

“The Win32 application is launched as a low integrity process using AppContainer, which is recognized as a security boundary by Microsoft,” said David Weston, Microsoft VP for Enterprise & OS Security.

“Consequently, the process is limited to a specific set of Windows APIs by default and is unable to inject code into any process operating at a higher integrity level.”

If an app vulnerability is exploited, the AppContainer execution environment ensures that the Win32 app remains restricted to the resources granted within its confines.

This prevents malicious apps from seizing control of the entire system, providing an additional layer of defense and safeguarding the system against potential compromise attempts.

Application developers can update their Win32 apps by implementing isolation measures using tools made available by Microsoft.

This enables them to bolster the overall security of their software and the devices it will run on by ensuring that it doesn’t add to the system’s attack surface.

For comprehensive guidance and further details on Win32 app isolation, developers can visit this GitHub page which provides valuable information on getting started and the tools needed to repackage MSIX applications to run isolated.

“Win32 app isolation is an addition to the family of existing Windows sandbox options, such as Windows Sandbox and Microsoft Defender Application Guard,” said David Weston, Microsoft VP for Enterprise & OS Security.

“While these options are based on virtualization based security, Win32 app isolation is built on the foundation of AppContainers (and more).

“AppContainers are specifically designed to encapsulate and restrict the execution of processes, helping to ensure they operate with limited privileges, commonly referred to as low integrity levels.”

Update: Revised the article to clarify that the feature works with all apps using the Win32 API.


Original Posts: Windows 11 ‘Win32 app isolation’ security feature now in preview