In this blog post, I will show you how you can set up, configure and customize Windows Sandbox in Windows 10 using advanced Windows Sandbox config files. Windows Sandbox is based on Hyper-V technology and allows you to spin up an isolated, temporary desktop environment where you can run untrusted software.
What is Windows Sandbox
Windows Sandbox provides a lightweight desktop environment to run applications in isolation safely. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.
A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application.
Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.
Windows Sandbox has the following properties:
- Part of Windows: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
- Pristine: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
- Disposable: Nothing persists on the device. Everything is discarded when the user closes the application.
- Secure: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
- Efficient: Uses the integrated kernel scheduler, smart memory management, and virtual GPU.
You can learn more about Windows Sandbox on Microsoft Docs and if you are interested in how Windows Sandbox works, check out the Windows architecture here.
How to install Windows Sandbox
To get started with Windows Sandbox, you will need to have the following prerequisites:
- Windows 10 Pro, Enterprise or Education build 18305 or later (Windows Sandbox is currently not supported on Home SKUs)
- 64-bit architecture
- Virtualization capabilities enabled in BIOS
- At least 4 GB of RAM (8 GB recommended)
- At least 1 GB of free disk space (SSD recommended)
- At least two CPU cores (four cores with hyperthreading recommended)
You can install Windows Sandbox as an additional feature in the Control Panel or by simply running the following PowerShell command as administrator:
Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
After running that command, you will need to restart your computer, and after the reboot, you can start using the Windows Sandbox directly from the Start menu.
Customize Windows Sandbox with Configuration Files
By default, Windows Sandbox spins up a default image. However, in many cases, you want to spin up a customized environment with already preinstalled tools or access to local files. For that, you can use config files that allow you to customize the sandbox during startup. The sandbox configuration files are formatted as XML and use the .wsb file extension.
Today, you can configure four different settings to configure the Windows Sandbox.
- vGPU (virtualized GPU): Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP).
- Networking: Enable or disable network access within the sandbox.
- Mapped folders: Share folders from the host with read or write permissions. Note that exposing host directories may allow malicious software to affect the system or steal data.
- Logon command: A command that's executed when Windows Sandbox starts.
- Audio input: Shares the host's microphone input into the sandbox.
- Video input: Shares the host's webcam input into the sandbox.
- Protected client: Places increased security settings on the RDP session to the sandbox.
- Printer redirection: Shares printers from the host into the sandbox.
- Clipboard redirection: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
- Memory in MB: The amount of memory, in megabytes, to assign to the sandbox.
To create a configuration file, open your editor of choice and create a file with the file extension ".wsb". Now you can start building the config using XML.
Let's start with a simple configuration file, which mounts the Downloads folder of the local machine into the Windows Sandbox as read-only. This allows you to use the files from your Downloads folder in your Sandbox. However, the Sandbox cannot write back to that folder.
In addition, we also use the Command part to open up the explorer.exe with the mounted Downloads folder when the Windows Sandbox starts.
<Configuration>
<VGpu>Default</VGpu>
<Networking>Default</Networking>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\thoma\Downloads</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command>
</LogonCommand>
</Configuration>
I saved this as "Sandbox Map Download Folder.wsb". To start Windows Sandbox with the configuration file, double click the configuration file or open it up in the console.
After that, Windows Sandbox will open with the mounted Downloads folder.
Another example I want to share here is how you can run a script to modify or installed software. In this case, I want to have a Windows Sandbox with Visual Studio Code installed. For that, I use the folder option to mount a folder with a script, and within that script, I have the installation commands. After the Windows Sandbox has started, it will run the script from the mounted folder using the command option.
<Configuration>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\Users\thoma\Code\Repos\Scripts\Windows Sandbox\WindowsSandboxScripts</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
<LogonCommand>
<Command>C:\users\wdagutilityaccount\desktop\WindowsSandboxScripts\InstallVSCode.cmd</Command>
</LogonCommand>
</Configuration>
The InstallVSCode.cmd looks like the following:
REM Download VSCode
curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe
REM Install and run VSCode
C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes
These are just some of the examples of how you can customize your Windows Sandbox environments. If you want to learn more, check out Microsoft Docs.
Make Visual Studio Code handle .wsb file with XML
By default, editors don't necessarily know about the wsb file extension and that this includes XML syntax. In Visual Studio Code, you can open up the Settings (JSON) and add the following to the files.associations.
In the JSON settings, search for files.associations. Note: The searched section might be there or not.
If it is not there, add the following:
"files.associations": {
"*.wsb": "xml"
}
Conclusion
I hope this provides you with a short overview of how you can customize the Windows Sandbox. I am interested in what customization you are running. If you have any questions, feel free to leave a comment or share your customization.