Windows Sandbox – Isolated Windows Desktop
Today Microsoft announced a new feature called Windows Sandbox. Windows Sandbox is built based on Windows Container technology, which allows you to spin up an isolated, temporary, desktop environment where you can run untrusted software. The software you run and install in the Windows Sandbox does not affect the host. If you shut down the Windows Sandbox all changes and all software you installed in the Sandbox are gone again. This sounds very similar to the technology Windows Defender Application Guard already used to build a sandbox environment for Microsoft Edge.
Windows Sandbox Overview
Windows Sandbox has the following properties:
- Part of Windows – everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
- Pristine – every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows
- Disposable – nothing persists on the device; everything is discarded after you close the application
- Secure – uses hardware-based virtualization for kernel isolation, which relies on the Microsoft’s hypervisor to run a separate kernel which isolates Windows Sandbox from the host
- Efficient – uses integrated kernel scheduler, smart memory management, and virtual GPU
Windows Sandbox brings the advantages of Windows Containers and also adds a desktop. If you compare this to a Windows 10 Virtual Machine, the Windows Sandbox will consume much fewer resources, it starts up match faster and will be much more efficient with hardware resources. You can think of it like a lightweight virtual machine, which can share the same hardware but also the same kernel and memory as the host system (like a container).
Windows Sandbox Prerequisites
Prerequisites for using the feature
- Windows 10 Pro or Enterprise build 18305 or later (Today this is a Windows Insider Preview)
- 64-bit architecture
- Virtualization capabilities enabled in BIOS
- At least 4GB of RAM (8GB recommended)
- 1GB of free disk space (SSD recommended)
- 2 CPU cores (4 cores with hyperthreading recommended)
Enable Windows Sandbox on Windows 10
To enable Windows Sandbox you have to run a Windows 10 Insider Preview build 18305 or later (not yet released). Later this will be released to the public, which could be Windows 1903 (just my speculation). After that you have to follow these steps:
- Open Windows Features, and then select Windows Sandbox. Click OK and this will install the feature, you may need to restart your computer.
- After that you have the Windows Sandbox installed and you can open it from the start menu. You can copy and paste files from your Windows 10 machine to the sandbox. If you close the sandbox, all the files are gone.
Under the hood
Microsoft shared some details on how they are making the Windows Sandbox work under the hood.
- Dynamically generated Image – Less disk space used, by using links to the file on the host.
- Smart memory management – It uses the same physical memory pages as the host for operating system binaries via a technology Microsoft refers to as “direct map”. Similar to Windows Containers do today.
- Integrated kernel scheduler – More responsiveness by better-prioritizing processes on the host and in the sandbox.
- Snapshot and clone – Improves start time of the sandbox
- Graphics virtualization – Benefit from hardware accelerated rendering.
- Battery pass-through – Aware of the host’s battery state, which allows it to optimize power consumption. Similar to the Windows 10 Hyper-V Battery pass-through.
If you want to know more about the technology, I recommend reading Microsofts blog post.
I think it is pretty cool to see Microsoft bringing technologies together like Hyper-V, Windows Containers, Windows Defender Application Guard and many more, to bring Windows Sandbox to live. We will see if this not only can be used on a Windows 10 PC users and developers to test their applications but also for things like Remote Desktop Session Hosts or better Windows Virtual Desktops.