Windows Sandbox is a Windows 10/11 feature that lets users create an isolated virtual environment in which they can safely test apps and perform other tasks, because it is secluded from the host machine. However, each new instance of Sandbox is like a fresh installation of the OS, with no access to the files and folders on the host computer.
You can change that by writing a custom configuration file that makes Sandbox start with custom settings and configurations.
This article defines in detail what Sandbox is and how you can configure it on your Windows computer to your advantage.
What is Windows Sandbox
Windows Sandbox creates a virtual desktop environment that replicates your host operating system but is entirely separate from it. Tasks executed in Sandbox do not affect the host computer, which makes it ideal for running untrusted applications and performing tasks that would otherwise put your host computer at risk.
The Sandbox instance is like a freshly installed OS. Each time you run a new Windows Sandbox instance, it will be as if the OS has been booted up for the first time. Similarly, closing the instance discards all changes made within the Sandbox window.
The Sandbox environment depends on the Hyper-V hypervisor. Since it is a duplicate of the host OS and remains temporary on your device, it takes up no more space than 100 MB.
Let us now learn how you can enable this feature on your Windows device.
How to install Windows Sandbox on Windows 10/11
Sandbox is a built-in feature of both Windows 10 and 11. However, it is disabled by default and needs to be enabled manually.
Note: Windows Sandbox comes preinstalled in Professional and Enterprise editions only. Learn how to enable Windows Sandbox in Windows 10 Home edition.
Before you enable it, check that your system meets the minimum hardware requirements:
- At least Windows 10 Version 1903.
- Hardware Virtualization is enabled (from BIOS settings).
- Have at least 4 GB of RAM and 1 GB of free space on the hard drive.
- At least 2 processor cores.
If it does, follow the steps below to enable Windows Sandbox (reboot required):
- Type optionalfeatures in Run to open the Windows optional features window, where Windows features are turned on or off.
- Check the box next to Windows Sandbox and press OK. Windows will then enable the package. However, a reboot will be required.
Once the feature has been enabled, you can search for “Windows Sandbox” in the Start Menu and launch the app.
Alternatively, you can also run the following command in PowerShell with administrative privileges to enable Windows Sandbox:
Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
Customize Windows Sandbox using configuration file
Since a Sandbox instance is like a clean slate of the host OS, its users cannot access anything on the host computer unless it is pasted in manually.
With this customization, you will be able to run Windows Sandbox with preinstalled applications and data. This is especially useful for test environments where you require basic apps and tools to perform the task(s).
The process is pretty simple. All you need to do is create a configuration file in any text editor and then save it with a .wsb extension. But before we tell you what to put inside the configuration file, allow us to shed some light on what aspects can be controlled using this configuration file.
Component | Description | Values / settings |
vGPU | Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP). | Enable, Disable, Default |
Networking | Enable or disable network access within the sandbox. | Disable, Default |
Mapped folders | Share folders from the host with read or write permissions. Note that exposing host directories may allow malicious software to affect the system or steal data. | Host folder, Sandbox folder, ReadOnly |
Logon command | A command that’s executed when Windows Sandbox starts. | – |
Audio input | Shares the host’s microphone input into the sandbox. | Enable, Disable, Default |
Video input | Shares the host’s webcam input into the sandbox. | Enable, Disable, Default |
Print redirection | Shares printers from the host into the sandbox. | Enable, Disable, Default |
Protected Client | Places increased security settings on the RDP session to the sandbox. | Enable, Disable, Default |
Clipboard redirection | Shares the host clipboard with the sandbox so that text and files can be pasted back and forth. | Disable, Default |
Memory in MB | The amount of memory, in megabytes, to assign to the sandbox. | – |
Now that you understand what the configuration file can do, let us show you how you can create one with a few examples.
First, launch Notepad (or any text editor of your choice) and paste the following syntax in it. Note that this is just an excerpt of what can be added to the configuration file:
<Configuration>
  <VGpu></VGpu>
  <Networking></Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder></HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder>
      <ReadOnly></ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder></HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command></Command>
  </LogonCommand>
</Configuration>
Then, save the file at any location on your host computer with a name of your choice. While saving, select All files next to Save as type and append the .wsb extension to the file name, as in the example below:
Now, edit the file according to your requirements. Where applicable, put Enable, Disable, or Default between a component's opening and closing tags, using the table above as a reference.
Here is an example of a configuration file:
In this example, we are doing the following:
- Disabling vGPU
- Disabling networking
- Mapping the Downloads folder for user account “Subhan Zafar” to the default Downloads folder of Sandbox’s instance with read-only rights
- Mapping the Desktop folder for user account “Subhan Zafar” to the default Desktop folder of Sandbox’s instance with read-only rights
- Automatically running the command to open the Downloads folder in File Explorer as soon as Sandbox starts
The example above opens a new Windows Sandbox instance as can be seen in the image below:
As you can see, the Sandbox instance opened File Explorer with the Downloads folder open, while the Desktop has been populated with the contents of the Desktop folder of the host computer.
You can make the necessary changes to the file’s syntax and then save it again using the Ctrl + S shortcut keys. Once done, run the configuration file by double-clicking it to run a Sandbox instance with your customizations.
Verdict
The main purpose of Windows Sandbox is to provide the user with an isolated environment, similar to that of the host machine, without having to go through the entire process of creating a Virtual Machine (VM). However, with these customizations, the host machine is exposed to malicious content running within the Sandbox, which can affect the host computer’s integrity.
Therefore, we suggest that you customize your configuration file very carefully and not map any sensitive folders to the Windows Sandbox.
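The configuration described in the example list above, together with a check for the risk this Verdict warns about, as an added PowerShell example (not the article's own file or script). The host paths under C:\Users\Subhan Zafar and the function name Get-WsbRiskFinding are assumptions made for illustration.

```powershell
# Constructed .wsb content matching the five points in the example list:
# vGPU off, networking off, two read-only mappings, Explorer opened at logon.
# Assumption: the "Subhan Zafar" profile lives at the default C:\Users path.
$wsb = @'
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\Subhan Zafar\Downloads</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>C:\Users\Subhan Zafar\Desktop</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe C:\Users\WDAGUtilityAccount\Downloads</Command>
  </LogonCommand>
</Configuration>
'@

# Hypothetical helper: lists settings that widen the sandbox's reach.
function Get-WsbRiskFinding {
    param([Parameter(Mandatory)][string]$Xml)
    $cfg = ([xml]$Xml).Configuration
    $findings = @()
    # Anything other than an explicit Disable leaves networking available.
    if ("$($cfg.Networking)".Trim() -ne 'Disable') {
        $findings += 'Networking is not disabled'
    }
    foreach ($m in $cfg.SelectNodes('MappedFolders/MappedFolder')) {
        $ro = $m.SelectSingleNode('ReadOnly')
        # A missing or empty ReadOnly element means the sandbox can write to the host folder.
        if ($null -eq $ro -or $ro.InnerText.Trim() -ne 'true') {
            $findings += "Writable mapping: $($m.SelectSingleNode('HostFolder').InnerText)"
        }
    }
    $findings
}

Get-WsbRiskFinding -Xml $wsb                   # audit the constructed configuration
Set-Content -Path .\example.wsb -Value $wsb    # save it so it can be launched by double-clicking
```

To audit an existing file, pass its content with `Get-WsbRiskFinding -Xml (Get-Content -Raw .\your-file.wsb)` before launching it.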