Relevant area(s)
Windows
Brief description of your issue
MXC does not fall back to Tier 3 AppContainer+DACL on a Windows host where BaseContainer appears to be present but is not usable because required velocity keys are disabled, and where bfscfg.exe is unavailable.
Steps to reproduce
- On Windows 11 Pro 25H2 non-preview, run a simple processcontainer sandbox with schema
0.6.0-alpha
- Observe the BaseContainer failure.
- Change the same config to schema
0.4.0-alpha.
- Run the same command again.
Expected behavior
MXC should select a working fallback tier, ideally AppContainer+DACL Tier 3, when:
- BaseContainer launch fails with
E_NOTIMPL due to disabled velocity keys, and
- AppContainer+BFS is unavailable because
bfscfg.exe is missing.
Alternatively, the probe should detect this host state up front and report that Tier 3 is selected or explain why Tier 3 cannot be used.
Actual behavior
Observed on Windows 11 Pro 25H2, latest non-preview build.
PowerShell: 7.6.2
OsName: Microsoft Windows 11 Pro
OsVersion: 10.0.26200
OsBuildNumber: 26200
DisplayVersion: 25H2
UBR: 8524
With schema 0.6.0-alpha, MXC selects BaseContainer and fails at launch:
Experimental_CreateProcessInSandbox returned E_NOTIMPL. The following velocity keys are not enabled: 61389575, 61155944. Enable them and retry, or use schema version '0.4.0-alpha' to fall back to the AppContainer backend.
{"error":{"code":"backend_error","extended_error":"Experimental_CreateProcessInSandbox failed: WIN32_ERROR(120)","message":"Experimental_CreateProcessInSandbox returned E_NOTIMPL. The following velocity keys are not enabled: 61389575, 61155944. Enable them and retry, or use schema version '0.4.0-alpha' to fall back to the AppContainer backend."}}
With schema 0.4.0-alpha, MXC fails because BFS is unavailable:
Filesystem policy error: bfscfg.exe is not available on this Windows build. Your config uses schema version '0.4.0-alpha', which requires BFS support. Either update your Windows build to one that includes bfscfg.exe, or update your config to schema version '0.6.0-alpha' or later (which uses the BaseContainer backend and does not require bfscfg.exe).
This leaves no working fallback path on this Windows 11 25H2 non-preview host, even though documentation suggests Tier 3 AppContainer+DACL should be available when neither BaseContainer nor BFS can be used.
Relevant area(s)
Windows
Brief description of your issue
MXC does not fall back to Tier 3 AppContainer+DACL on a Windows host where BaseContainer appears to be present but is not usable because required velocity keys are disabled, and where
bfscfg.exeis unavailable.Steps to reproduce
0.6.0-alpha0.4.0-alpha.Expected behavior
MXC should select a working fallback tier, ideally AppContainer+DACL Tier 3, when:
E_NOTIMPLdue to disabled velocity keys, andbfscfg.exeis missing.Alternatively, the probe should detect this host state up front and report that Tier 3 is selected or explain why Tier 3 cannot be used.
Actual behavior
Observed on Windows 11 Pro 25H2, latest non-preview build.
With schema
0.6.0-alpha, MXC selects BaseContainer and fails at launch:With schema
0.4.0-alpha, MXC fails because BFS is unavailable:This leaves no working fallback path on this Windows 11 25H2 non-preview host, even though documentation suggests Tier 3 AppContainer+DACL should be available when neither BaseContainer nor BFS can be used.