A recent Windows 10 Insider Feedback Hub quest revealed that Microsoft is developing a new throwaway sandboxed desktop feature called "InPrivate Desktop". This feature will allow administrators to run untrusted executables in a secure sandbox without fear that it can make any changes to the operating system or system's files.
"InPrivate Desktop (Preview) provides admins a way to launch a throwaway sandbox for secure, one-time execution of untrusted software," the Feedback Hub questions explains. "This is basically an in-box, speedy VM that is recycled when you close the app!"
This quest is no longer available in the Feedback Hub, but according to it's description, this feature is being targeted at Windows 10 Enterprise and requires at least 4 GB of RAM, 5 GB of free disk space, 2 CPU cores, and CPU virtualization enabled in the BIOS. It does not indicate if Hyper-V needs to be installed or not, but as the app requires admin privileges to install some features, it could be that Hyper-V will be enabled.
The full description for the InPrivate Desktop (Preview) quest can be seen below.
Microsoft is Developing a Sandboxed "InPrivate Deskop" for Windows 10 Enterprise InPrivate Desktop (Preview) provides admins a way to launch a throwaway sandbox for secure, one-time execution of untrusted software. This is basically an in-box, speedy VM that is recycled when you close the app! Prerequisites: * Windows 10 Enterprise * Builds 17718+ * Branch: Any * Hypervisor capabilities enabled in BIOS * At least 4GB of RAM * At least 5GB free disk space * At least 2 CPU cores Installation Steps: 1. Open Microsoft Store app and go to the Microsoft tab at the top. 2. Search for InPrivate Desktop (Preview) app and install it. 3. First launch of the app requires admin privileges to install some features. This will prompt for a reboot. 4. After reboot, launch InPrivate desktop normally, and start playing! Trying out InPrivate Desktop: Ctrl+C, Ctrl+V stuff into the app! Run you untrusted exes in the app! Note: This is a new, in-development app. Learn more about the current limitations on our wiki: https://osgwiki.com/wiki/Madrid_Self-host Let us know what you think of the feature and what you’d like to do with it by filing feedback at http://aka.ms/InPrivateDesktop-fb.
When the quest was live, I had attempted to install the InPrivate Desktop (Preview) app, but it was not accessible from the Microsoft Store as described. Furthermore, a wiki link in the quest description brought me to a page asking me to login to my Microsoft account. When I logged in with my account, I received a message that indicates that I need to be part of the Azure Active Directory (Azure AD) tenant for "Microsoft".
It is too bad that I was unable to test this feature as it looks to be an interesting way to execute untrusted software without fear of permanent file modification, program installation, or configuration changes. This will also provide a new security boundary that Microsoft will need to protect and that researchers will be hammering for bug bounties.