Windows Platform Guide

Zero on Windows provides work profile isolation using Windows Sandbox, Hyper-V containers, and native Windows security features.

Architecture

Windows isolation leverages:

  • Windows Sandbox: Lightweight, ephemeral desktop environments
  • Hyper-V Containers: Hardware-isolated containers
  • Windows Firewall: Network traffic control
  • BitLocker: Data at rest encryption
  • WireGuard: VPN tunnel for work traffic

System Requirements

Component Minimum Recommended
Windows Version Windows 10 (1903+) Windows 11
Edition Pro, Enterprise Enterprise
RAM 8 GB 16+ GB
Virtualization Hyper-V capable Hyper-V enabled
Note: Windows Home edition does not support Hyper-V or Windows Sandbox. A Windows Pro or Enterprise license is required.

Installation

Enable Prerequisites

# Enable Hyper-V (Admin PowerShell)
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All

# Enable Windows Sandbox
Enable-WindowsOptionalFeature -Online -FeatureName "Containers-DisposableClientVM"

# Restart required after enabling

Install Zero

# Using winget
winget install Zero.Zero

# Or download MSI from releases page
msiexec /i zero-setup.msi

PowerShell Commands

# Profile management
zero start          # Start work profile
zero stop           # Stop work profile
zero status         # Check status

# Application launching
zero launch "Microsoft Teams"
zero launch "C:\Program Files\Slack\slack.exe"

# System tray control
zero tray show
zero tray hide

GUI Integration

Taskbar Integration

Work profile applications appear in a separate section of the taskbar with a blue badge indicator. Clicking the Zero icon opens the control panel.

Visual Boundaries

Work profile windows display a customizable border color to distinguish them from personal applications.

Microsoft Intune Integration

Zero integrates with Microsoft Intune for enterprise deployments:

  • Deploy via Intune app catalog
  • Sync device compliance status
  • Apply conditional access policies
  • Remote wipe work profile
# Check Intune enrollment
zero intune status

# Force policy sync
zero intune sync

Windows DLP Features

  • Clipboard Isolation: Block copy/paste between profiles
  • Print Control: Restrict printing from work profile
  • Screenshot Prevention: Block screen capture of work windows
  • USB Blocking: Prevent data exfiltration via removable drives

Troubleshooting

Hyper-V Not Available

# Check Hyper-V status
Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V

# Enable virtualization in BIOS/UEFI if needed

Windows Sandbox Error

# Reset sandbox configuration
zero sandbox reset

# Check Windows Sandbox service
Get-Service -Name "vmcompute" | Start-Service

Related Guides