Windows Defender Sandbox

mecanicogolf · Jan 5, 2023

I know WD Sandbox is off by default and I don't understand why MS has been doing this for the past 2 years. Is there something wrong with enabling it? Why isn't it on by default? Is it OK to turn it on? Will it help or hinder?
I am very curious why for the past 2 years everything is quite about it. Maybe it doesn't work or do anything and that's why it's off.
Like to get your feedback on this (these) question(s).

setx /M MP_FORCE_USE_SANDBOX 1

Thanks!

neemobeer · Jan 5, 2023

Microsoft does not enable quite a few security features by default. Many are likely overkill for home users or are not available without command line level changes or registry edits. Business environments using pro, ent or edu licensing will likely enable if they are applying OS hardening best practices through some type of management system.

IMO Microsoft will have a balanced security approach for all users with the optional hardening.

oldschool · Jan 5, 2023

mecanicogolf said:
I know WD Sandbox is off by default and I don't understand why MS has been doing this for the past 2 years. Is there something wrong with enabling it? Why isn't it on by default? Is it OK to turn it on? Will it help or hinder?
I am very curious why for the past 2 years everything is quite about it. Maybe it doesn't work or do anything and that's why it's off.
Like to get your feedback on this (these) question(s).

setx /M MP_FORCE_USE_SANDBOX 1

Thanks!

Defender Sandbox was actually running by default when I first updated to W11, but it was disabled by a later update. This was verified by members of another forum. MS documentation on this feature is sketchy, as is often the case with Windows documentation overall. MS has probably determined that the feature is not ready for rollout, is still in development, etc. There is some security benefit to having it enabled, and there's no harm in leaving it enabled if you do not experience any performance hit.

neemobeer · Jan 5, 2023

Not surprising, it may also disable if you have another EPP solution in place.

mecanicogolf · Feb 16, 2023

Any more feedback on this. To this date, and with no explanation, it's still off by default.

oldschool · Feb 17, 2023

mecanicogolf said:
Any more feedback on this. To this date, and with no explanation, it's still off by default.

No, except to restate my answer from above:

oldschool said:
MS documentation on this feature is sketchy, as is often the case with Windows documentation overall. MS has probably determined that the feature is not ready for rollout, is still in development, etc.

kelper · Feb 17, 2023

I am running Windows Sandbox now. I followed these instructions.

Windows Sandbox configuration

learn.microsoft.com

Or is this the wrong sandbox?

mecanicogolf · Feb 17, 2023

I'm talking about Windows Defender Sandbox, not Windows Sandbox.

mecanicogolf · Feb 25, 2023

So, you think it does nothing? Should I install a third-party AV that does use sandboxing to protect me?

Sir_George · Feb 25, 2023

mecanicogolf said:
So, you think it does nothing? Should I install a third-party AV that does use sandboxing to protect me?

I use Sandboxie Plus. It's FREE and more powerful than Windows Defender Sandbox. You can download it from...

Sandboxie | Sandboxie-Plus

oldschool · Feb 25, 2023

mecanicogolf said:
So, you think it does nothing?

I wouldn't say that. I know of users who enable it. It's simply the fact that MS's intial documentation was very limited, and there's been no new info released in a number of years.

mecanicogolf said:
Should I install a third-party AV that does use sandboxing to protect me?

That's up to you. It's 6 of 1, 1/2 dozen of the other. However, you should know that Defender's sandbox is an additional self-protection measure so it can't be tampered with. If you're already using Defender you have Tamper Protection ON by default. Just stick with Defender, whether or not you enable Defender's sandbox. I hope this explanation helps your understanding.

mecanicogolf · Feb 25, 2023

I understand. But I don't understand why MS made a big deal about it at the time and then has completely forgotten about it.
It seems pretty important to completely forget.

oldschool · Feb 25, 2023

mecanicogolf said:
I understand. But I don't understand why MS made a big deal about it at the time and then has completely forgotten about it.
It seems pretty important to completely forget.

It's MS. Their documentation is somewhat (?)

fragmented and organized in ways that are not easy to find. And they have many projects that are left hanging in the air. This is well known.

A recent example is Software Restriction Policies. It was deprecated a couple or few years ago, and no longer works on the latest Windows 11 build, at least if clean installed. Try to find info on that one!

mecanicogolf · May 30, 2023

Any updates on this Defender sandbox thingy? I have it enabled and go to task manager and see it moving up and down so it must be doing something.

GunJohn · Jun 2, 2023

Can anybody help here? I have ran the command to turn this on, but I can't actually find a way to run the WINDOWS DEFENDER SANDBOX?? There is obviously the standard Windows sandbox, but this doesn't run with Windows Defender in it, even with this command switched on???

WXC · Jun 2, 2023

mecanicogolf said:
Any updates on this Defender sandbox thingy? I have it enabled and go to task manager and see it moving up and down so it must be doing something.

GunJohn said:
Can anybody help here? I have ran the command to turn this on, but I can't actually find a way to run the WINDOWS DEFENDER SANDBOX?? There is obviously the standard Windows sandbox, but this doesn't run with Windows Defender in it, even with this command switched on???

@Brink

Brink · Jun 2, 2023

GunJohn said:
Can anybody help here? I have ran the command to turn this on, but I can't actually find a way to run the WINDOWS DEFENDER SANDBOX?? There is obviously the standard Windows sandbox, but this doesn't run with Windows Defender in it, even with this command switched on???

Hello, and welcome.

Usually, once you have Windows Sandbox enabled like below, you should be able to open from Start menu > All apps like in the screenshot below.

Enable or Disable Windows Sandbox in Windows 11 Tutorial

This tutorial will show you how to enable or disable the Windows Sandbox feature for all users in Windows 11 Pro, Enterprise, or Education. Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox...

www.elevenforum.com

GunJohn · Jun 2, 2023

Thanks for the quick reply. But isn't that just the standard Sandbox that you enable in optional features? I'm talking about the sandbox with Windows defender enabled in it? Isn't that the subject of this thread? The standard Sandbox doesn't have defender enabled in it. Even after running the setx /M MP_FORCE_USE_SANDBOX. Is it a different sandbox?

Brink · Jun 2, 2023

Once the sandboxing is enabled in Windows Sandbox, you should see a content process MsMpEngCP.exe running alongside with the antimalware service MsMpEng.exe in Windows Sandbox Task Manager to indicate Windows Defender Antivirus is running in the sandbox.

This is from 2018, so not sure if or what may have changed since then.

Windows Defender Antivirus can now run in a sandbox | Microsoft Security Blog

Windows Defender Antivirus has hit a new milestone: the built-in antivirus capabilities on Windows can now run within a sandbox.

www.microsoft.com

mecanicogolf · Jun 2, 2023

Brink said:
Once the sandboxing is enabled in Windows Sandbox, you should see a content process MsMpEngCP.exe running alongside with the antimalware service MsMpEng.exe in Windows Sandbox Task Manager to indicate Windows Defender Antivirus is running in the sandbox.

This is from 2018, so not sure if or what may have changed since then.

Windows Defender Antivirus can now run in a sandbox | Microsoft Security Blog

Windows Defender Antivirus has hit a new milestone: the built-in antivirus capabilities on Windows can now run within a sandbox.

www.microsoft.com

This was 5 years ago and MS has said nothing more about it? After all the fuss about Defender having a sandbox, it's hard to believe it has been dismissed and forgotten. It was on by default at one time, in the beginning, but now it just sits there in the dark. If they have it off by default, it must mean it does nothing or is completely worthless and MS has ignored everything about it. Dead end.