Microsoft unveiled its plans to introduce Win32 app isolation support in Windows 11 at its Build 2023 conference. The company announced yesterday that the feature is now available in public preview for Windows 11 users.
With this release, Windows 11 users can run Win32 apps in an isolated environment to protect other parts of the operating system against potentially malicious software. The new security feature is designed to prevent hackers from gaining access to critical Windows components and subsystems. Like Microsoft Defender Application Guard and Windows Sandbox, it is a sandboxing capability for Windows 11 users.
“Win32 app isolation is built on the foundation of AppContainers (and more). AppContainers are specifically designed to encapsulate and restrict the execution of processes, helping to ensure they operate with limited privileges, commonly referred to as low integrity levels,” explained David Weston, Vice President of OS Security and Enterprise at Microsoft.
Microsoft highlighted several benefits of Win32 app isolation support in Windows 11. First, the security feature allows users to run apps with low privileges to minimize the impact of potential cyberattacks. Win32 app isolation also makes it easier for developers to update their applications. They can use the Application Capability Profiler (ACP) to better understand all permission requirements.
Lastly, Win32 app isolation is designed to improve the user experience on Windows 11 PCs. The security feature requires apps to leverage the “isolatedWin32-promptForAccess” functionality. It prompts users to provide consent to access sensitive data like registry keys and .NET libraries.
Microsoft notes that Win32 app isolation is available in public preview for both consumers and enterprise customers. The company recommends that customers use Win32 app isolation with Smart App Control (SAC) on Windows 11 devices. This approach should prevent untrusted applications from abusing zero-day vulnerabilities on Windows 11 machines. If you’re interested, you can learn more about how to isolate Win32 apps on the GitHub page.