How to configure Windows Sandbox
With the latest release of Windows 10 (1903), Microsoft introduced a new feature called Windows Sandbox. Windows Sandbox is based on Hyper-V technology and allows you to spin up an isolated, temporary, desktop environment where you can run untrusted software. In this blog post, I will show you how you can set up and configure Windows Sandbox in Windows 10. I will also cover how you can do an advanced configuration of your Windows Sandbox using Windows Sandbox config files.
The sandbox is great for demos, troubleshooting or if you are dealing with malware. If you close the sandbox, all the software with all its files and state are permanently deleted. It is a Windows 10 virtual machines, with the advantage that it is built into Windows 10, so it leverages the existing OS, which gives you faster startup, less footprint, better efficiency, and easier handling, without losing security.
Windows Sandbox is a lightweight virtual machine with an operating system. The significant advantage which makes it so small is the usage of existing files from the host, for data which cannot change. For the files which can change, it uses a dynamically generated image, which is only ~100MB in size.
There are much more exciting things happening with the Windows Sandbox like smart memory management, Integrated kernel scheduler, Snapshot and clone, Graphics virtualization and Battery pass-through. If you want to find out more about the Windows Sandbox, check out the official blog post.
Windows Sandbox comes with a couple of requirements. How more powerful your machine is, the better the experience will be.
- Windows 10 (1903) Pro or Enterprise build 18362 or later
- 64-bit architecture
- Virtualization capabilities enabled in BIOS
- At least 4GB of RAM (8GB recommended)
- 1GB of free disk space (SSD recommended)
- 2 CPU cores (4 cores with hyperthreading recommended)
To install Windows Sandbox feature on Windows 10 (1903) or higher, you need to make sure that the virtualization capabilities are enabled in the BIOS/UEFI. Most of the desktop and notebook CPUs today, will support this. If you are running Windows 10 inside a virtual machine, you will need to enable nested virtualization. You can find more information about enabling Nested Virtualization on my blog: Nested Virtualization in Windows Server 2016 and Windows 10
Open Windows Features and select the Windows Sandbox. When you have clicked okay, it might require a reboot of your machine. You can also run the following PowerShell command:
Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -Online
Start and using the Sandbox
After the installation and the reboot, you can start the Windows Sandbox from the Windows 10 start menu, shortcut on the desktop or just run WindowsSandbox.exe
You can now copy and paste a file from the host to the sandbox and run it in a secure environment.
Windows Sandbox Config Files
By default, Windows Sandbox spins up a default image. However, in many cases, you want to spin up a customized environment, with already preinstalled tools or access to local files. For that, you can use config files which allow you to customize the sandbox during startup. The sandbox configuration files are formatted as XML and use the .wsb file extension. Today, you can configure four different settings to configure the Windows Sandbox.
- Enable or Disable the virtualized GPU.
- Enable or Disable network access
- Shared Folders – Share folders from the host with read or write access
- Startup Script – allows you to run different commands at startup
Here is a quick overview of the different settings you can use in the config files.
|Virtual GPU||vGPU||Disable - Disables vGPU|
|Default - vGPU enabled|
|Networking||Networking||Disable - disables Networking|
|Default - Networking enabled|
|Shared Folder||MappedFolder||HostFolder||Path to the host folder|
|Startup Script||LogonCommand||Command||Command which gets executed|
Example Config Files
To give you a better look about how configuration files are helping you to set up a Windows Sandbox, here are a couple of examples.
Here is one which mounts my local download folder read-only from my host, into the sandbox.
<Configuration> <VGpu>Default</VGpu> <Networking>Default</Networking> <MappedFolders> <MappedFolder> <HostFolder>C:\Users\thmaure\Downloads</HostFolder> <ReadOnly>true</ReadOnly> </MappedFolder> </MappedFolders> <LogonCommand> <Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command> </LogonCommand> </Configuration>
This means my download folder (C:\Users\ThomasMaurer\Downloads) will be mounted in the desktop folder (C:\Users\WDAGUtilityAccount\Desktop\Downloads) of the sandbox. With the command “explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads” it will directly open up the download folder in an explorer window.
The next example is from the official Microsoft blog about the Sandbox configuration files. Uses an additional installation script file to run commands to download and install the latest version of Visual Studio Code. For that, we mount a local folder and run a script file from the folder.
<Configuration> <MappedFolders> <MappedFolder> <HostFolder>C:\Users\thmaure\Code\Repos\Scripts\Windows Sandbox\WindowsSandboxScripts</HostFolder> <ReadOnly>true</ReadOnly> </MappedFolder> </MappedFolders> <LogonCommand> <Command>C:\users\wdagutilityaccount\desktop\WindowsSandboxScripts\InstallVSCode.cmd</Command> </LogonCommand> </Configuration>
This example installs the Microsoft Edge Insider version inside the Windows Sandbox. I stored the MicrosoftEdgeSetup.exe in my download folder. In the config file, I mount the download folder and run the MicrosoftEdgeSetup.exe.
<Configuration> <MappedFolders> <MappedFolder> <HostFolder>C:\Users\thmaure\Downloads</HostFolder> <ReadOnly>true</ReadOnly> </MappedFolder> </MappedFolders> <LogonCommand> <Command>C:\Users\WDAGUtilityAccount\Desktop\Downloads\MicrosoftEdgeSetup.exe</Command> </LogonCommand> </Configuration>
If you want to work with Sysinternals, you can also just easily mount the Sysinternals SMB share using the following config file.
<Configuration> <LogonCommand> <Command>net use S: \\live.sysinternals.com\tools</Command> </LogonCommand> </Configuration>
You can also combine different tasks, depending on what you need. You can also use the mount option or the command option to download files. It depends on your scenario.
I stored all my configuration files in a folder, so if I want to start a specific configuration of my Windows Sandbox, I can double click the configuration file.
If you want to have more details on the sandbox configuration files, check out the blog post by Hari Pulapaka from the Windows Sandbox team.
It is excellent to see Hyper-V used in different features inside Windows 10, like Windows Defender Application Guard and others. I hope this helps you to set up and configure the Windows Sandbox and if you have any questions, please let me know in the comments.