App-V packaged Visual Studio Code fails on Windows 11 24H2 and 25H2: the --no-sandbox fix with trade-offs

We are in the process of migrating away from App-V to App Volumes over the next year. However, until the migration from Altiris to Workspace ONE UEM and App Volumes Manager is fully completed, we are keeping a number of App-V packages alive.

In our testing, Visual Studio Code packaged with Microsoft App-V stopped launching on Windows 11 24H2 and 25H2, while the same package continued to work on 23H2. Testing newer Visual Studio Code versions did not solve the problem. However, launching Visual Studio Code with the --no-sandbox switch worked immediately.

The Fix

The practical workaround is simple:

Code.exe --no-sandbox

This strongly suggests that the failure is related to Electron's sandboxed startup path on newer Windows builds, rather than a normal packaging mistake or a problem limited to one specific Visual Studio Code version.

Security Consequences

That said, this workaround has a theoretical security cost.

Visual Studio Code is built on Electron, and Electron normally uses Chromium sandboxing to isolate renderer and helper processes. When --no-sandbox is used, that layer is disabled. In plain terms, the application still runs with the same Windows user rights as before, but some of the internal process isolation is removed.

The sandbox normally ensures that even if malicious code runs inside a renderer process, it cannot escape to the main process or underlying system without exploiting additional vulnerabilities. Chromium's sandbox uses restricted tokens, job objects, and integrity levels to run renderer processes with lower privileges. This means that if a renderer is compromised—for example, through malicious JavaScript or a vulnerable extension—the damage is contained. The compromised process cannot directly access the main process, other tabs, or system resources.

With --no-sandbox, all processes run at the same privilege level as the main application. An exploit in a renderer process gains direct access to the same resources as the entire application, without needing to break through the sandbox boundary first.

It is important not to overstate what this means. Using --no-sandbox does not suddenly give the application administrator rights, and it does not automatically allow writes to protected system locations. Windows permissions still apply. App-V also still virtualizes parts of the application environment.

However, App-V isolation is not the same thing as Electron sandboxing. App-V can redirect or isolate parts of file and registry access, but it does not replace the security boundary that Chromium/Electron sandboxing is designed to provide. So while the workaround makes the application usable again, it also reduces one layer of defense.

Risk Assessment

In a tightly controlled enterprise environment, this may be an acceptable temporary workaround. The risk is lower if Visual Studio Code is used mainly for trusted local files, approved extensions, and internal repositories. The risk is higher if users work with untrusted content, external extensions, embedded webviews, or anything else that increases exposure to Electron's browser-based attack surface.

So the short version is this: the workaround works, but it should be treated as a workaround, not as a clean fix. If you deploy it, document it clearly, restrict exposure where possible, and continue testing for a proper long-term solution.

Comments

Post a Comment

Popular posts from this blog

Workaround for suppressing version updates in Remarkable Windows client software:

Image
Update March 2026: A better solution is now available. The WinSparkle updater can be disabled entirely by replacing WinSparkle.dll with a stub DLL — no scripts, no delays, no update dialogs. The legacy script described in this post is kept for reference only. See the new post: Disabling Auto-Updates in the reMarkable Companion App: WinSparkle DLL Stub Method When deploying the Remarkable desktop application within a Windows enterprise environment, it introduces challenges due to its update mechanism. The application automatically checks for new updates every time it starts from the internet using WinSparkle .dll, which we would like to control but cannot. The first launch gives us this screen if there is a newer version available. But “Skip this version” doesn’t work. Instead this process automatically downloads an .exe setup update file that attempts to execute, requiring administrative privileges typically unavailable to standard enterprise users. This results in users being freque...
Read more

Xmind XMind 8 Update 7 (v3.7.7) APPV 5.x

Image
Documentation for App-V-Sequenced application: XMind 8 Update 7 (v3.7.7) Documentation created: 10.07.2018 13:05     Installation ••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••   Sequenced on Windows Version:10.0.16299.0 system with App-V Sequencer version: 10.0.16299.15 Sequenced created:10.07.2018 08:35:30   •••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••• Appvnavn:Xmind Version:0.0.0.2 PackageID =79d42388-78e3-44bb-81d9-5b31a101bb99 VersionID =c3d80918-7e44-4a5a-88f5-008a98ab3b10 •••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••••• XMind is a mind mapping and brainstorming software. The simple version is free.  It supports fishbone diagrams, tree diagrams, organization charts, spreadsheets for Mind Maps. It’s not a completely straight forward Sequencing for this application so I will add the recipe for hel...
Read more

How to deliver ClickOnce applications silently, with or without AppV

Image
Recently I did a big detective job in the organization I work for. I We wanted to find all the applications used today that utilize the old .NET Clickonce   deployment technology from Microsoft. For those who don’t know, Clickonce is a Windows-based appinstaller format that can be installed and run with minimal user interaction. See more information about them here . Locating all the ClickOnce applications is a pain since they are installed into a user profile when the app is started. So first I had to search through all our computers looking for content under the following folder structure: % localappdata %\Apps\2.0\<random folder>\<random app id>.   <random folder> is constructed from the first 11 characters from the following user registry key: HKCU\Software\Classes\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\ComponentStore_RandomString   More details about ClickOnce: ClickOnce can be delivered ...
Read more