Blog Post

ITOps Talk Blog
5 MIN READ

Customize Windows Sandbox

thomasmaurer's avatar
thomasmaurer
Icon for Microsoft rankMicrosoft
Apr 28, 2021

In this blog post, I will show you how you can set up, configure and customize Windows Sandbox in Windows 10 using advanced Windows Sandbox config files. Windows Sandbox is based on Hyper-V technology and allows you to spin up an isolated, temporary desktop environment where you can run untrusted software.

 

What is Windows Sandbox

 

Windows Sandbox provides a lightweight desktop environment to run applications in isolation safely. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine.

A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application.

Software and applications installed on the host aren't directly available in the sandbox. If you need specific applications available inside the Windows Sandbox environment, they must be explicitly installed within the environment.

 

Windows Sandbox has the following properties:

 

  • Part of Windows: Everything required for this feature is included in Windows 10 Pro and Enterprise. There's no need to download a VHD.
  • Pristine: Every time Windows Sandbox runs, it's as clean as a brand-new installation of Windows.
  • Disposable: Nothing persists on the device. Everything is discarded when the user closes the application.
  • Secure: Uses hardware-based virtualization for kernel isolation. It relies on the Microsoft hypervisor to run a separate kernel that isolates Windows Sandbox from the host.
  • Efficient: Uses the integrated kernel scheduler, smart memory management, and virtual GPU.

You can learn more about Windows Sandbox on Microsoft Docs and if you are interested in how Windows Sandbox works, check out the Windows architecture here.

 

How to install Windows Sandbox

 

To get started with Windows Sandbox, you will need to have the following prerequisites:

 

  • Windows 10 Pro, Enterprise or Education build 18305 or later (Windows Sandbox is currently not supported on Home SKUs)
  • 64-bit architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4 GB of RAM (8 GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least two CPU cores (four cores with hyperthreading recommended)

You can install Windows Sandbox as an additional feature in the Control Panel or by simply running the following PowerShell command as administrator:

 

 

Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online

 

 

After running that command, you will need to restart your computer, and after the reboot, you can start using the Windows Sandbox directly from the Start menu.

 

 

Customize Windows Sandbox with Configuration Files

 

By default, Windows Sandbox spins up a default image. However, in many cases, you want to spin up a customized environment with already preinstalled tools or access to local files. For that, you can use config files that allow you to customize the sandbox during startup. The sandbox configuration files are formatted as XML and use the .wsb file extension.

 

Customize Windows Sandbox with Configuration Files

 

Today, you can configure four different settings to configure the Windows Sandbox.

 

  • vGPU (virtualized GPU): Enable or disable the virtualized GPU. If vGPU is disabled, the sandbox will use Windows Advanced Rasterization Platform (WARP).
  • Networking: Enable or disable network access within the sandbox.
  • Mapped folders: Share folders from the host with read or write permissions. Note that exposing host directories may allow malicious software to affect the system or steal data.
  • Logon command: A command that's executed when Windows Sandbox starts.
  • Audio input: Shares the host's microphone input into the sandbox.
  • Video input: Shares the host's webcam input into the sandbox.
  • Protected client: Places increased security settings on the RDP session to the sandbox.
  • Printer redirection: Shares printers from the host into the sandbox.
  • Clipboard redirection: Shares the host clipboard with the sandbox so that text and files can be pasted back and forth.
  • Memory in MB: The amount of memory, in megabytes, to assign to the sandbox.

To create a configuration file, open your editor of choice and create a file with the file extension ".wsb".  Now you can start building the config using XML.

Windows Sandbox Configuration Files WSB Files

Let's start with a simple configuration file, which mounts the Downloads folder of the local machine into the Windows Sandbox as read-only. This allows you to use the files from your Downloads folder in your Sandbox. However, the Sandbox cannot write back to that folder.

 

In addition, we also use the Command part to open up the explorer.exe with the mounted Downloads folder when the Windows Sandbox starts. 

 

 

 

 

<Configuration>
<VGpu>Default</VGpu>
<Networking>Default</Networking>
<MappedFolders>
   <MappedFolder>
     <HostFolder>C:\Users\thoma\Downloads</HostFolder>
     <ReadOnly>true</ReadOnly>
   </MappedFolder>
</MappedFolders>
<LogonCommand>
   <Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command>
</LogonCommand>
</Configuration>

 

 

 

 

I saved this as "Sandbox Map Download Folder.wsb". To start Windows Sandbox with the configuration file, double click the configuration file or open it up in the console.

 

Windows Sandbox Configuration Files start from Windows Terminal

After that, Windows Sandbox will open with the mounted Downloads folder.

 

Windows Sandbox Mounted Folder

Another example I want to share here is how you can run a script to modify or installed software. In this case, I want to have a Windows Sandbox with Visual Studio Code installed. For that, I use the folder option to mount a folder with a script, and within that script, I have the installation commands. After the Windows Sandbox has started, it will run the script from the mounted folder using the command option.

 

 

 

 

 

<Configuration>
<MappedFolders>
   <MappedFolder>
     <HostFolder>C:\Users\thoma\Code\Repos\Scripts\Windows Sandbox\WindowsSandboxScripts</HostFolder>
     <ReadOnly>true</ReadOnly>
   </MappedFolder>
</MappedFolders>
<LogonCommand>
   <Command>C:\users\wdagutilityaccount\desktop\WindowsSandboxScripts\InstallVSCode.cmd</Command>
</LogonCommand>
</Configuration>

 

 

 

 

The InstallVSCode.cmd looks like the following:

 

 

 

 

REM Download VSCode
curl -L "https://update.code.visualstudio.com/latest/win32-x64-user/stable" --output C:\users\WDAGUtilityAccount\Desktop\vscode.exe
 
REM Install and run VSCode
C:\users\WDAGUtilityAccount\Desktop\vscode.exe /verysilent /suppressmsgboxes

 

 

 

 

These are just some of the examples of how you can customize your Windows Sandbox environments. If you want to learn more, check out Microsoft Docs.

Make Visual Studio Code handle .wsb file with XML

By default, editors don't necessarily know about the wsb file extension and that this includes XML syntax. In Visual Studio Code, you can open up the Settings (JSON) and add the following to the files.associations. 

 

Visual Studio Code

In the JSON settings, search for files.associations. Note: The searched section might be there or not.

If it is not there, add the following:

 

 

 

 

 

"files.associations": {
      "*.wsb": "xml"
}

 

 

 

 

Conclusion

I hope this provides you with a short overview of how you can customize the Windows Sandbox. I am interested in what customization you are running. If you have any questions, feel free to leave a comment or share your customization.

Updated May 16, 2021
Version 3.0
  • James_Mauch it turns out that the Sandbox will always be launching an updated version with the latest binaries from Windows Update. This is because the Sandbox shares many of the host files, so when the host is updated the Sandbox automatically benefits from the update. There is a bug where Sandbox may not show the correct build number (so it may look like the update was not applied) but functionally it was.

  • lgreif's avatar
    lgreif
    Copper Contributor

    This configuration feature looks great!  Would it be possible to add the ability to set the C drive size in this configuration as well?  I would like to utilize the sandbox to test creating Chocolatey and WinGet packages, and some application installers / setup files will fill the entire 40GB drive.  One example is our AutoDesk bundle with AutoCAD, Inventor and a few other apps.  Would be great to have an option in the config to change this default value 🙂

  • vaghelabhavesh's avatar
    vaghelabhavesh
    Copper Contributor

    Very exciting. Now we don't have to make dirty our primary machine when we have to try something temporarily.  

     

    Great  Work!

  • James_Mauch's avatar
    James_Mauch
    Copper Contributor

    This is great!  The one thing that I'd really like to figure out how to do is to keep the Sandbox OS version upgraded with the latest from Windows update.  Or maybe the same as what is on the host machine.  It would be ideal if it didn't have to update every time I started it up, though.

  • AkosBakos's avatar
    AkosBakos
    Copper Contributor

    Hi Tom, what about your experience or simply kind of possibilitis to mount an ISO file into Windows Sanbox? Is it somehow a limitation?

    Cheers, Ákos

Share