Win32 App Isolation Enters Public Preview

Posted June 14, 2023 | Security | Win32 | Win32 app isolation | Windows | Windows 11


Announced at Build 2023, Win32 app isolation is a new sandboxing technique that uses AppContainers to improve application security. It’s available in public preview today.

“Win32 app isolation is an addition to the family of existing Windows sandbox options, such as Windows Sandbox and Microsoft Defender Application Guard,” Microsoft vice president David Weston writes in the announcement post. “While these options are based on virtualization-based security, Win32 app isolation is built on the foundation of AppContainers (and more). AppContainers are specifically designed to encapsulate and restrict the execution of processes, helping to ensure they operate with limited privileges, commonly referred to as low integrity levels.”

Win32 app isolation is a response to the rise of zero-day attacks in recent years, Weston explains, and the fact that many of these attacks now target popular desktop applications. It’s a new security feature that uses AppContainers to create a new default isolation standard in Windows clients. Most important, perhaps, it is something that developers can add to existing apps using tools provided by Microsoft. (You can learn more about that process here.)

The goal here is to force Win32—desktop—apps to not run with the same security privileges as the user. So apps that use Win32 app isolation run at a lower privilege level, limiting the amount of damage they can do if compromised. Practically speaking, it appears that isolated apps will need to prompt the user from time to time to perform certain tasks that could be used maliciously, such as accessing documents or the PC’s camera. So it will be interesting to see how this impacts usability.

I’m also curious about how or whether Win32 app isolation is related to the container-based Win32 isolation capabilities that Microsoft originally intended to provide in Windows 10X. As you must know, the Windows 11 user interface was created for Windows 10X, so perhaps this is the next step in delivering on the promises of that now-canceled system. The problem with the Win32 container in Windows 10X, of course, was compatibility. So hopefully they’ve solved that problem with Win32 app isolation now.

There are some differences, of course: while the Win32 container in Windows 10X would have isolated all desktop applications into a single container, Win32 app isolation will be applied to individual apps. So some apps will be contained—isolated—while others will not. And maybe that’s the right compromise, with a future S mode-type capability that will let users (or organizations) block non-contained apps. Either way, this seems like a step in the right direction.


