Leveraging Windows Sandbox for Winget Application Updates: Enhancing Deployment Reliability to Pckgr

Hi all,

Today I wanted to share with you a new practice we have had in place for the last couple of weeks. On top of the current Winget Validation pipelines, we have added an extra level of installation testing through the use of Windows Sandbox. The main purpose of using Windows Sandbox is to test all application updates before deploying them to Pckgr. This process is mostly focused on ensuring that the Intune detection scripts successfully detect the application installation.

In this blog post, we will look at how utilizing Windows Sandbox for testing Winget updates has helped us improve our update process, ensuring both reliability and efficiency.

Introduction to Windows Sandbox

If you haven’t heard of Windows Sandbox before, it’s a lightweight desktop environment designed to safely run applications in isolation. It provides a temporary, virtualized desktop environment where untrusted or untested software can be executed without risking the host system’s integrity. Each time Windows Sandbox is closed, the environment is reset to its original state, ensuring no persistent changes or threats can affect the user’s system.

The Workflow: From Detection to Deployment

The process begins when a new update for an application is detected by our automation. Here’s a step-by-step breakdown of the workflow:

  1. Launching Windows Sandbox: Upon detecting a new update, the system automatically launches Windows Sandbox. This isolated environment is perfect for safely testing the update without affecting the host system.
  2. Bootstrap Installation: Within the sandbox, a bootstrap process initiates the installation of the latest version of Winget. This ensures that the Winget tool itself is up-to-date and capable of fetching and installing the latest application updates. Thanks to Kaleb for creating this wonderful script.
  3. Application Installation: After updating Winget, the system proceeds with installing the application update. This process mimics the installation procedure that would occur on a user’s device, providing an accurate test environment.
  4. Running the Intune Detection Script: With the application now updated within the sandbox, the next step involves running the Intune detection script specifically created for Pckgr. This script is designed to verify if the application has been installed or updated successfully, ensuring it meets the criteria for deployment.
  5. Output and Closure: If the detection script confirms successful installation, the sandbox outputs a text file indicating success. Following this, the sandbox session concludes, and the system resets, erasing all traces of the test.
  6. Signing and Deploying: The success output triggers the next phase, where new install scripts are signed, thereby authorizing them for deployment to Pckgr. This ensures that only verified updates are rolled out, maintaining the integrity of the deployment process.
  7. Handling Failures: Conversely, if the sandbox test fails — indicating an issue with the update — the process halts. The update is not pushed to Pckgr, and a notification is sent to the Pckgr team to investigate the failure. This fail-safe mechanism ensures that problematic updates are caught and addressed before deployment, safeguarding the user experience.
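
To make the workflow above concrete, here is a host-side sketch of the sandbox gate. It is an added example, not Pckgr's actual pipeline code. It assumes hypothetical paths under C:\PckgrTest, a hypothetical in-sandbox script Run-Test.ps1 that performs steps 2 to 5, hypothetical Install-*.ps1 script names, and a code-signing certificate in the current user's store. The scripts are mapped read-only and the result must carry a per-run ID, so the sandbox cannot alter what gets signed and a stale result file cannot trigger signing.

```powershell
# Added example: host-side gate. All paths and script names are hypothetical placeholders.
$in     = 'C:\PckgrTest\in'     # bootstrap, install and detection scripts (read-only in sandbox)
$out    = 'C:\PckgrTest\out'    # the only folder the sandbox may write to
$result = Join-Path $out 'result.txt'
$runId  = [guid]::NewGuid().ToString()   # ties the result file to this run

New-Item -ItemType Directory -Force -Path $in, $out | Out-Null
Remove-Item -Path (Join-Path $out '*') -Force -ErrorAction SilentlyContinue  # drop stale results
Set-Content -Path (Join-Path $in 'runid.txt') -Value $runId

# Run-Test.ps1 (not shown) is assumed to bootstrap Winget, install the update, run the
# detection script and, on success, write "SUCCESS <runid>" to C:\out\result.txt.
$wsb = @"
<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$in</HostFolder>
      <SandboxFolder>C:\in</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>$out</HostFolder>
      <SandboxFolder>C:\out</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>powershell.exe -ExecutionPolicy Bypass -File C:\in\Run-Test.ps1</Command>
  </LogonCommand>
</Configuration>
"@
$wsbPath = 'C:\PckgrTest\test.wsb'
Set-Content -Path $wsbPath -Value $wsb
Start-Process -FilePath 'WindowsSandbox.exe' -ArgumentList $wsbPath

# Wait for the result file; a timeout counts as a failure.
$deadline = (Get-Date).AddMinutes(20)
while (-not (Test-Path $result) -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 10 }
Start-Sleep -Seconds 2   # let the sandbox finish writing before the file is read
$passed = (Test-Path $result) -and ((Get-Content $result -TotalCount 1) -eq "SUCCESS $runId")
# Assumption: the sandbox processes on this Windows build match 'WindowsSandbox*'.
Get-Process -Name 'WindowsSandbox*' -ErrorAction SilentlyContinue | Stop-Process -Force

if ($passed) {
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert | Select-Object -First 1
    Get-ChildItem -Path $in -Filter 'Install-*.ps1' |
        ForEach-Object { Set-AuthenticodeSignature -FilePath $_.FullName -Certificate $cert }
} else {
    Write-Error 'Sandbox test failed or timed out; update not signed or published.'
}
```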

Benefits of Using Windows Sandbox for Winget Updates

  • Isolation: By testing in a sandboxed environment, any potential harm from the update is contained, protecting the host system.
  • Automated Testing and Deployment: This process streamlines the detection, testing, and deployment of updates, making it efficient and less prone to human error.
  • Fail-Safe Deployment: Ensures only updates that pass the sandbox test are deployed, significantly reducing the risk of deploying faulty updates.
  • Efficient Troubleshooting: When updates fail, the isolated environment makes it easier to identify and troubleshoot issues without impacting production systems.

Conclusion

Integrating Windows Sandbox into the workflow for testing Winget application updates before deploying them to Pckgr provides us with another mechanism to ensure packages aren’t deployed with bugs or issues.

This approach not only ensures that updates are thoroughly vetted in a safe and controlled environment but also streamlines the deployment process, making it more robust against potential issues.

Thanks for reading!
