Microsoft

Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.

 

How many times have you downloaded an executable file, but were afraid to run it? Have you ever been in a situation which required a clean installation of Windows, but didn’t want to set up a virtual machine?

 

At Microsoft we regularly encounter these situations, so we developed Windows Sandbox: an isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all its files and state are permanently deleted.

 

Windows Sandbox has the following properties:

  • Part of Windows – everything required for this feature ships with Windows 10 Pro and Enterprise. No need to download a VHD!
  • Pristine – every time Windows Sandbox runs, it’s as clean as a brand-new installation of Windows
  • Disposable – nothing persists on the device; everything is discarded after you close the application
  • Secure – uses hardware-based virtualization for kernel isolation, which relies on Microsoft’s hypervisor to run a separate kernel that isolates Windows Sandbox from the host
  • Efficient – uses integrated kernel scheduler, smart memory management, and virtual GPU

 

Prerequisites for using the feature

  • Windows 10 Pro or Enterprise Insider build 18305 or later
  • AMD64 architecture
  • Virtualization capabilities enabled in BIOS
  • At least 4GB of RAM (8GB recommended)
  • At least 1 GB of free disk space (SSD recommended)
  • At least 2 CPU cores (4 cores with hyperthreading recommended)

 

Quick start

  1. Install Windows 10 Pro or Enterprise, Insider build 18305 or newer
  2. Enable virtualization:
    • If you are using a physical machine, ensure virtualization capabilities are enabled in the BIOS.
    • If you are using a virtual machine, enable nested virtualization with this PowerShell cmdlet:
      Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
  3. Open Windows Features, and then select Windows Sandbox. Select OK to install Windows Sandbox. You might be asked to restart the computer.
  4. Using the Start menu, find Windows Sandbox, run it and allow the elevation
  5. Copy an executable file from the host
  6. Paste the executable file in the window of Windows Sandbox (on the Windows desktop)
  7. Run the executable in the Windows Sandbox; if it is an installer go ahead and install it
  8. Run the application and use it as you normally do
  9. When you’re done experimenting, you can simply close the Windows Sandbox application. All sandbox content will be discarded and permanently deleted
  10. Confirm that the host does not have any of the modifications that you made in Windows Sandbox.
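
The prerequisites and the feature installation above can also be checked and performed from an elevated PowerShell prompt. The script below is an added example, not part of the original post; the optional-feature name Containers-DisposableClientVM and the function name Test-SandboxPrerequisite do not appear in the post (the former is the Windows feature name for Windows Sandbox, the latter is made up for this example).

```powershell
# Added example: verify the prerequisites listed in this post, then enable the feature.
# Run in an elevated PowerShell session on the machine that will host the sandbox.

function Test-SandboxPrerequisite {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu  = @(Get-CimInstance -ClassName Win32_Processor)
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"

    $cores = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum

    # Win32_Processor.VirtualizationFirmwareEnabled reads False once a hypervisor
    # is already loaded, so an active hypervisor also counts as "enabled".
    $firmwareVt = @($cpu | Where-Object { $_.VirtualizationFirmwareEnabled }).Count -gt 0
    $virtOk     = $firmwareVt -or [bool]$cs.HypervisorPresent

    # TotalPhysicalMemory excludes firmware-reserved RAM, so round to whole GB
    # instead of comparing the raw byte count with 4GB.
    $ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB)
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)

    # Win32_Processor.Architecture: 9 = x64 (AMD64)
    $isAmd64 = $cpu[0].Architecture -eq 9

    [pscustomobject]@{ Check = 'Edition is Pro or Enterprise'; Value = $os.Caption
                       Pass  = ($os.Caption -match 'Pro|Enterprise') }
    [pscustomobject]@{ Check = 'Build 18305 or later';         Value = $os.BuildNumber
                       Pass  = ([int]$os.BuildNumber -ge 18305) }
    [pscustomobject]@{ Check = 'AMD64 architecture';           Value = $cpu[0].Architecture
                       Pass  = $isAmd64 }
    [pscustomobject]@{ Check = 'Virtualization enabled';       Value = $virtOk
                       Pass  = $virtOk }
    [pscustomobject]@{ Check = 'At least 4 GB of RAM';         Value = "$ramGB GB"
                       Pass  = ($ramGB -ge 4) }
    [pscustomobject]@{ Check = 'At least 1 GB free disk';      Value = "$freeGB GB"
                       Pass  = ($disk.FreeSpace -ge 1GB) }
    [pscustomobject]@{ Check = 'At least 2 CPU cores';         Value = $cores
                       Pass  = ($cores -ge 2) }
}

$results = Test-SandboxPrerequisite
$results | Format-Table -AutoSize -Wrap

if ($results.Pass -contains $false) {
    Write-Warning 'One or more prerequisites are not met; Windows Sandbox was not enabled.'
} else {
    # Command-line equivalent of step 3 (the Windows Features dialog).
    # -NoRestart leaves the reboot decision to the operator.
    Enable-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -All -NoRestart
}
```

Set-VMProcessor from step 2 is run on the Hyper-V host that owns the VM, while this script is run inside the machine that will launch Windows Sandbox.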

 [Figure: Windows Sandbox screenshot]

 

Windows Sandbox respects the host diagnostic data settings. All other privacy settings are set to their default values.

 

Windows Sandbox internals

Since this is the Windows Kernel Internals blog, let’s go under the hood. Windows Sandbox builds on the technologies used within Windows Containers. Windows containers were designed to run in the cloud. We took that technology, added integration with Windows 10, and built features that make it more suitable to run on devices and laptops without requiring the full power of Windows Server.

 

Some of the key enhancements we have made include:

 

Dynamically generated Image

At its core Windows Sandbox is a lightweight virtual machine, so it needs an operating system image to boot from. One of the key enhancements we have made for Windows Sandbox is the ability to use a copy of the Windows 10 installed on your computer, instead of downloading a new VHD image as you would have to do with an ordinary virtual machine.

 

We want to always present a clean environment, but the challenge is that some operating system files can change. Our solution is to construct what we refer to as a “dynamic base image”: an operating system image that has clean copies of files that can change, but links to files that cannot change that are in the Windows image that already exists on the host. The majority of the files are links (immutable files), which is why the image is so small (~100MB) for a full operating system. We call this instance the “base image” for Windows Sandbox, using Windows Container parlance.

 

When Windows Sandbox is not installed, we keep the dynamic base image in a compressed package which is only 25MB. When installed, the dynamic base package occupies about 100MB of disk space.

 [Figure: Dynamic Image]

Smart memory management

Memory management is another area where we have integrated with the Windows Kernel. Microsoft’s hypervisor allows a single physical machine to be carved up into multiple virtual machines which share the same physical hardware. While that approach works well for traditional server workloads, it isn't as well suited to running on devices with more limited resources. We designed Windows Sandbox in such a way that the host can reclaim memory from the Sandbox if needed.

 

Additionally, since Windows Sandbox is basically running the same operating system image as the host, we also allow Windows Sandbox to use the same physical memory pages as the host for operating system binaries via a technology we refer to as “direct map”. In other words, the same executable pages of ntdll are mapped into the sandbox as on the host. We take care to ensure this is done in a secure manner and no secrets are shared.

 [Figure: Direct Map]

Integrated kernel scheduler

With ordinary virtual machines, Microsoft’s hypervisor controls the scheduling of the virtual processors running in the VMs. However, for Windows Sandbox we use a new technology called “integrated scheduler” which allows the host to decide when the sandbox runs. 

 

For Windows Sandbox we employ a unique scheduling policy that allows the virtual processors of the sandbox to be scheduled in the same way as threads would be scheduled for a process. High-priority tasks on the host can preempt less important work in the sandbox. The benefit of using the integrated scheduler is that the host manages Windows Sandbox as a process rather than a virtual machine, which results in a much more responsive host, similar to Linux KVM.

 

The whole goal here is to treat the Sandbox like an app but with the security guarantees of a Virtual Machine. 

 

Snapshot and clone

As stated above, Windows Sandbox uses Microsoft’s hypervisor. We're essentially running another copy of Windows which needs to be booted, and this can take some time. So rather than paying the full cost of booting the sandbox operating system every time we start Windows Sandbox, we use two other technologies: “snapshot” and “clone.”

 

Snapshot allows us to boot the sandbox environment once and preserve the memory, CPU, and device state to disk. Then, when we need a new instance of Windows Sandbox, we can restore the sandbox environment from disk into memory rather than booting it. This significantly improves the start time of Windows Sandbox.

 

Graphics virtualization

Hardware accelerated rendering is key to a smooth and responsive user experience, especially for graphics-intense or media-heavy use cases. However, virtual machines are isolated from their hosts and unable to access advanced devices like GPUs. The role of graphics virtualization technologies, therefore, is to bridge this gap and provide hardware acceleration in virtualized environments; e.g. Microsoft RemoteFX.

 

More recently, Microsoft has worked with our graphics ecosystem partners to integrate modern graphics virtualization capabilities directly into DirectX and WDDM, the driver model used by display drivers on Windows.

 

At a high level, this form of graphics virtualization works as follows:

  • Apps running in a Hyper-V VM use graphics APIs as normal.
  • Graphics components in the VM, which have been enlightened to support virtualization, coordinate across the VM boundary with the host to execute graphics workloads.
  • The host allocates and schedules graphics resources among apps in the VM alongside the apps running natively. Conceptually they behave as one pool of graphics clients.

This process is illustrated below:

 

[Figure: GPU virtualization for Sandbox diagram]

 

This enables the Windows Sandbox VM to benefit from hardware accelerated rendering, with Windows dynamically allocating graphics resources where they are needed across the host and guest. The result is improved performance and responsiveness for apps running in Windows Sandbox, as well as improved battery life for graphics-heavy use cases.

 

To take advantage of these benefits, you’ll need a system with a compatible GPU and graphics drivers (WDDM 2.5 or newer). Incompatible systems will render apps in Windows Sandbox with Microsoft’s CPU-based rendering technology.

 

Battery pass-through

Windows Sandbox is also aware of the host’s battery state, which allows it to optimize power consumption. This is critical for a technology that will be used on laptops, where not wasting battery is important to the user.

 

Filing bugs and suggestions

As with any new technology, there may be bugs. Please file them so that we can continually improve this feature. 

 

File bugs and suggestions at Windows Sandbox's Feedback Hub (select Add new feedback), or follow these steps:

  1. Open the Feedback Hub
  2. Select Report a problem or Suggest a feature.
  3. Fill in the Summarize your feedback and Explain in more details boxes with a detailed description of the issue or suggestion.
  4. Select an appropriate category and subcategory by using the dropdown menus. There is a dedicated option in Feedback Hub to file "Windows Sandbox" bugs and feedback. It is located under "Security and Privacy" subcategory "Windows Sandbox".
  5. Select Next
  6. If necessary, you can collect traces for the issue as follows: Select the Recreate my problem tile, then select Start capture, reproduce the issue, and then select Stop capture.
  7. Attach any relevant screenshots or files for the problem.
  8. Submit

Conclusion

We look forward to you using this feature and receiving your feedback!

 

Cheers, 

Hari Pulapaka, Margarit Chenchev, Erick Smith, & Paul Bozzay

(Windows Sandbox team)

281 Comments

@tb110188  @Bartek16194  Thanks for trying Windows Sandbox! Please, follow the instructions in the "Filing bugs and suggestions" section above to submit a bug report.

Occasional Visitor

I'm getting the splash screen for about a minute and then nothing, and i'm sure my computer is more than capable of running this...

 

edit: I do run Hyper-V on my computer flawlessly so i'm sure it can run Windows Sandbox too...

@user239  These are all great questions! Here are some answers:

  1. Currently Windows Sandbox does not provide a command line interface.
  2. We've discussed various ways to configure and launch the sandbox including mapping folders.
  3.  Programs in the sandbox run as a local sandbox user.

@pmarker  Thanks for trying Windows Sandbox! As you noted Windows Sandbox has a dependency on Hyper-V Host Compute Service. The fact that Hyper-V Host Compute Service does not start explains why you cannot run Windows Sandbox. Please, follow the instructions in the "Filing bugs and suggestions" section above to submit a bug report.

Microsoft

@Brok3n Cogniti0n wrote:

Do you mind sharing what "compatible GPUs" are? Will hardware acceleration work on a typical consumer PC for example, assuming a somewhat recent architecture like Pascal or Vega and WDDM 2.5? Unsure about AMD, but recent Nvidia drivers do support WDDM 2.5 at least.

Thanks.

Thanks for your questions. In general, yes, we expect most recent consumer PCs with a discrete or integrated GPU (including Pascal and Vega) to support virtualized hardware acceleration for DirectX, assuming WDDM 2.5 or newer graphics drivers are installed. We'll share more detailed information about GPU and graphics API compatibility soon.

Occasional Contributor
BFD! So they came up with "Hyper-V 4 Dummies". It is restricted to the expensive versions. If anyone needs Hyper-V lite, it is Home users.
Occasional Visitor

 

it's always Fixed at this screen and not open 

 [Screenshot: Untitled.png]

Deleted
Not applicable

It would be handy and appreciated for an iso to be posted. I prefer not to wait.

Visitor

It would be nice to try the sandbox with an unconfigured windows.  My understanding is that it takes your existing windows setup.  I'd like to try the app in a vanilla windows environment without the need to download a .vhd

 

thanks,

John

Regular Visitor

I really would like to test this new feature. Unfortunately, it is not working on my PC. It simply won't open! Any thoughts anyone?

Occasional Visitor

Not working. I run the Windows Sandbox app, allow elevation, and nothing happens. No messages in the event log either.

My system meets all the requirements, including AMD64 architecture and Visualization turned on in BIOS.

Occasional Visitor

Weird.  Up until a few minutes ago, WindowsSandbox.exe would launch flawlessly.  I believe there were some updates today that needed my system to restart.  Now, I still have the executable, but it doesn't do anything.  The elevated request open on the desktop, I select "yes" and nothing.

 

I did add a bug report. 


@Mahmoud_Kamal wrote:

it's always Fixed at this screen and not open



@crcastilho wrote:

I really would like to test this new feature. Unfortunately, it is not working on my PC. It simply won't open! Any thoughts anyone?



@Lawina wrote:

Not working. I run the Windows Sandbox app, allow elevation, and nothing happens. No messages in the event log either.
My system meets all the requirements, including AMD64 architecture and Visualization turned on in BIOS.


Thanks for showing interest in Windows Sandbox!

We received a few other similar complaints and we are currently trying to diagnose them. Since there are no guarantees that you are hitting exactly the same issues please report bugs following the instructions in the "Filing bugs and suggestions" section above.

New Contributor
Can't start it at all here too.. Same bug as written above.
Frequent Visitor

So everyone asking about logs, check out the Microsoft-Windows-Hyper-V-Compute/Operational event log in Event Viewer.  That's where you'll see the container being created and things like memory and GPU settings being set.  

 

I was experiencing the same problem as others.  I'd get the splash screen for a few seconds and then it would die with no error message of any kind.  After checking out the events in the log, I saw that the virtual environment was failing when setting the GPU settings ("Modify compute system, settings '{"ResourcePath":"VirtualMachine/ComputeTopology/Gpu","RequestType":"Update","Settings":{"AssignmentMode":"Mirror"}}', result 0x80070032")  You can see the "result" code in that message is not 0x00000000, which would be a success code.  So I knew my failures were related to my GPU.  

 

I have an older Lenovo W540 laptop and it comes with two display adapters, Intel HD Graphics 4600 and Nvidia Quadro K1100M.  On a whim, I disabled the Nvidia display adapter in Device Manager so that only the Intel adapter would be active.  Then I launched Sandbox again and it worked perfectly.  In fact, I'm typing this entire comment from within my sandbox.  

 

I don't know exactly why this is happening.  I can only guess that either the sandbox gets confused by the presence of two adapters, or my Nvidia card/driver combo doesn't support this setup.  I'm going to file a bug for this, but figured I'd leave this info here in case anyone else had a similar setup.

 

Matt
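
The log check described in the comment above can be scripted. The following is an added example, not code from the post or from any commenter; the function names Get-HcsFailure and Get-SandboxLaunchFailure are made up for it, the first sample line is constructed, and the second sample line is the message quoted in the comment.

```powershell
# Added example: surface failed Host Compute Service operations from the
# Hyper-V-Compute operational log when Windows Sandbox exits without an error.
$LogName = 'Microsoft-Windows-Hyper-V-Compute/Operational'   # log named in the comment

function Get-HcsFailure {
    param(
        [Parameter(ValueFromPipeline)]
        [string] $Message
    )
    process {
        # Only messages that carry a "result 0x........" code are of interest.
        if ($Message -notmatch 'result (?<hr>0x[0-9A-Fa-f]{1,8})') { return }
        $hr = [Convert]::ToInt64($Matches['hr'], 16)
        if ($hr -eq 0) { return }                 # 0x00000000 means success

        # HRESULT layout: bits 16-28 are the facility, bits 0-15 the error code.
        $facility = ($hr -shr 16) -band 0x1FFF
        $code     = $hr -band 0xFFFF

        # Facility 7 (FACILITY_WIN32) wraps an ordinary Win32 error code,
        # which Windows can translate into text.
        $meaning = $null
        if ($facility -eq 7) {
            $meaning = [System.ComponentModel.Win32Exception]::new([int]$code).Message
        }

        # If the message embeds a settings JSON document, report which
        # resource the failed request was touching.
        $resource = $null
        if ($Message -match "settings '(?<json>\{.*\})'") {
            try {
                $resource = ($Matches['json'] | ConvertFrom-Json).ResourcePath
            } catch {
                $resource = $null                 # malformed JSON: leave blank
            }
        }

        [pscustomobject]@{
            HResult      = '0x{0:X8}' -f $hr
            Facility     = $facility
            Code         = $code
            Meaning      = $meaning
            ResourcePath = $resource
            Message      = $Message
        }
    }
}

# Offline demonstration. Line 1 is a constructed success message; line 2 is
# the failure message quoted in the comment.
$sample = @'
Create compute system, result 0x00000000
Modify compute system, settings '{"ResourcePath":"VirtualMachine/ComputeTopology/Gpu","RequestType":"Update","Settings":{"AssignmentMode":"Mirror"}}', result 0x80070032
'@ -split "`r?`n"

$sample | Get-HcsFailure | Format-List HResult, Facility, Code, Meaning, ResourcePath

# Live query against the local machine (run after a failed sandbox launch).
function Get-SandboxLaunchFailure {
    param([int] $MaxEvents = 200)
    try {
        Get-WinEvent -LogName $LogName -MaxEvents $MaxEvents -ErrorAction Stop |
            ForEach-Object { $_.Message } |
            Get-HcsFailure
    } catch {
        Write-Warning "Could not read ${LogName}: $($_.Exception.Message)"
    }
}
```

The code quoted in the comment, 0x80070032, is a Win32-facility HRESULT carrying error 50 (ERROR_NOT_SUPPORTED), and the ResourcePath field points at the GPU settings request.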


@msisaacs wrote:

I have an older Lenovo W540 laptop and it comes with two display adapters, Intel HD Graphics 4600 and Nvidia Quadro K1100M. On a whim, I disabled the Nvidia display adapter in Device Manager so that only the Intel adapter would be active. Then I launched Sandbox again and it worked perfectly. In fact, I'm typing this entire comment from within my sandbox.


@msisaacs  Hi Matt, thanks for sharing your experience with Windows Sandbox and your workaround! This is really useful information.

Occasional Contributor

While I absolutely hate to bother you Microsoft guys with more ominous predictions, I think the status quo calls for it, lest you don't face another fiasco like Windows 8 and Windows Vista.

It seems to me that Windows Sandbox goes right into the domain of paravirtualization and hardware-assisted virtualization. That's overkill. Let's assume you get the performance concern out of the way. Tangling yourself with the intricacies of virtualizing the graphic subsystem is something about which you must think twice. You might end up having to play catch-up with graphic hardware vendors. Storage virtualization would probably suffice for the purpose of sandboxing. Maybe just go all the way up to OS-level virtualization (AKA containerization).

The fact is, running untrusted code will eventually have a cost. Electricity and user's time are always wasted. But what else are you trying to protect by going into paravirtualization, especially if Windows Sandbox is not going to hide the fact that its apps are running inside a sandbox.

Occasional Visitor

How does this relate to Application Guard (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-gua...)? To solutions such as Bromium Virtualization-based Security (VBS) (https://www.bromium.com/our-tech/virtualization-based-security/)?

 

Bromium's technology is effective, but very expensive.

 

Application Guard does what Bromium's VBS does, but for Microsoft Edge only.

 

Is Windows Sandbox a minimum viable product (MVP) in an early sprint to extend Application Guard beyond Microsoft Edge?  If so, I would love to know - and I am 100% certain you cannot and will not tell me - when this begins to offer an alternative to Bromium's VBS.

 

Microsoft offers Advanced Threat Protection (ATP) products, for example for Exchange Online and Windows Defender.  Has Microsoft taken the detonation sandbox it created for Exchange Online Advanced Threat Protection and packaged it down into a Windows feature called Windows Sandbox?  Will future versions of Windows Defender ATP install and control this sandbox, so they can detonate untrusted .EXE files to determine if they are safe, then report back to Microsoft Security cloud that the unknown .EXE is safe, and share with Office 365 ATP and Windows Defender ATP subscribers?

 

Is this also a way to "deprecate" WIN32 API?  ISTR WIN32 is great, but is now huge and created for more innocent times.  A modern Windows without WIN32 would be smaller, faster and more secure.  However, if you did still need WIN32 apps, you could run them within the Windows Sandbox.

 

(forgive the somewhat wild speculation - this looks like a very significant technology, but you haven't explained it fully; I don't buy the "How many times have you downloaded an executable file, but were afraid to run it?" line - I don't accept that's Microsoft's only motives and the full picture).

 

PS I am simplifying somewhat; eg Bromium is expensive - if you get hacked, it's dirt cheap!  But as a preventative measure, it's expensive).

Regular Visitor
Doesn't work :(. it won't open

@Andrew3000 wrote:

Doesn't work :(. it won't open


@Andrew3000  Does your system have multiple GPUs? If so take a look at msisaacs's comment above.

Regular Visitor

@Margarit_Chenchev nope, i've a single GPU (GTX 960)

Occasional Visitor

I'm trying to understand the benefits of this in the real world, for security, since this is the use-case presented. How does the sandbox interact with user storage to any security advantage compared with normal?  In other words, it's great to isolate an app from your documents and online storage, but how does it do anything useful? If it can't leave the sandbox, is the user supposed to draw a conclusion from the sandbox that the app is safe, and then allow it to install normally? Because that doesn't seem like much of a security win ... any smart malware would remain dormant while running in the sandbox.

Frequent Visitor

@Andrew3000- You may want to double check.  I think most Intel desktop processors made in the past several years have included integrated graphics.  Not sure about AMD APUs, but I'm assuming they've been around for awhile as well.  So you may have both an integrated graphics processor on your CPU and a discrete graphics processor, the GTX 960.  Check Device Manager to see if two Display Adapters are listed.  If so, you can try plugging your monitor into an onboard DVI/HDMI/DisplayPort and disabling the Nvidia adapter in Device Manager.  

 

If that doesn't work for you, you can check the Hyper-V-Compute/Operational event log in Event Viewer to see if you can narrow down what is happening on your system. 

Occasional Visitor

Not working on AMD Ryzen Threadripper 1900x.

Clean install. Does nothing when I confirm UAC prompt to launch it. No black window, no error, no CPU usage.

 

Anyone got it working on AMD ?


@Hotrc wrote:

Not working on AMD Ryzen Threadripper 1900x. Clean install. Does nothing when I confirm UAC prompt to launch it. No black window, no error, no CPU usage. Anyone got it working on AMD ?


@Hotrc  Thanks for giving Windows Sandbox a try! I have a Ryzen system and will confirm as soon as I have a chance. In the meantime, I'd encourage you to file a bug so that we have more information to look at when we diagnose the issue.

 

@Hotrc  I tried Windows Sandbox on a Ryzen system and it worked well for me:

[Screenshot: Capture.PNG]

Regular Visitor

@Margarit_Chenchev I checked and there is only one display adapter on (GTX 960). I also checked in the event log and it only shows that the Hyper-V service has started.

Occasional Contributor

@anwarmahmood Hi.

Bromium is far more advanced than Windows Sandbox. It does not try to provide you a sandbox for test; it puts every single app into its own isolated partition. Another solution similar to Bromium is Turbo.net, whose base tier (command-line app and virtualization engine) is free, but its services are all commercial. Turbo.net for Windows is very similar to what Docker is on Linux.

 

Windows Sandbox is more like Comodo Containment (a component of Comodo Firewall/Antivirus/Internet Security), Acronis Try & Decide (a component of Acronis True Image), Sandboxie, or DeepFreeze. However, they all employ storage virtualization. Windows Sandbox is, for some reason, trying to employ full hardware virtualization. (The result hasn't exactly been heart-warming so far. See above. Lots of people are complaining.)

 

So, no, Windows Sandbox is not trying to extend Application Guard to all apps. Bromium does it. Docker does a similar thing too. But not Turbo.net.

Occasional Contributor

Regarding these GPU virtualization options, did NVidia play ball and enable consumer cards, too, or is this still restricted to the Quadro series, which isn't really found outside specific applications? What consumer or generic developer runs a Quadro?

Visitor

i'm on insider build 18305, i was trying to try windows sandbox, when i try to launch, it just nothing happens, the uac does come up asking permission but there's nothing else after that. i also can't find the process on task manager. help please

Regular Visitor

I've uninstalled KB4483214 cumulative update and sandbox works!

So the problem is the new cumulative update

Occasional Visitor

Andrew3000 is correct. KB4483214 cumulative update breaks Windows Sandbox in Windows 10.

We believe preview builds should not receive cumulative updates since they are preview builds designed to show new features, etc and cumulative updates for windows 10 in general should not be applied to preview builds.

 

 

New Contributor

I'm too interested in more information about GPUs which support WDDM 2.5 and hardware acceleration for VMs, not only in context of Sandbox feature, but also because I use a Hyper-V VM on a client version of windows for development environment. I noticed, that even though I have plenty of RAM, fast SSDs, 10-cores 7900X processor, and connect to the VM locally from the host machine, rendering some UI parts of different apps becomes very slow over time after starting the VM. That's especially noticeable when I have 3-4 VS2017 instances launched simultaneously, as well as other dev tools and browsers. Among lots, lots of possible reasons for UI performance to degrade in VM over RDP I suspect graphics subsystem/drivers. I tried to profile several apps, including Windows Explorer, and the hot paths were ending in different GDI functions. Interesting, at the same time the CPU was underutilized, only about 15%. So I'm really interested in information which graphics hardware can solve my problem, and whether that hardware includes consumer models, or server only.

Visitor

thanks Andrew3000 for the solution, i finally got my sandbox working, it's really useful to just forget this feature. btw do you know any way to block/prevent the windows to install this update? not by disabling windows update

Regular Visitor

Thanks to @Andrew3000 insight Windows Sandbox worked. But in order for it to work I had to disable my NVIDIA display card and run it only with the Intel onboard card.

Senior Member

This is a very interesting feature.
But I still have a question: what if the host OS is someway compromised? Would the sandbox still be reliable to run an application?

Occasional Visitor

Can't open sandbox, thanks Andrew3000 for the solution, now, could see sandbox window.

Regular Visitor

Uninstalling CU KB4483214 didn't fix the sandbox issue ;(

Occasional Visitor

For me the same as Bartek16194 - Sandbox starts and nothing happens.

New Contributor
How do we get Sandboxie for free? Did not see it on their website. Thanks.
Frequent Visitor

Can I force Windows Sandbox to keep my files after closing the sandbox?


@Synoptic wrote:

Can I force Windows Sandbox to keep my files after closing the sandbox?


@Synoptic  Thanks for showing interest in Windows Sandbox! Windows Sandbox does not persist anything. This is by design.

 

Occasional Contributor

A very promising feature.

I want to try it out in a VM in Azure, but after installing the Windows Sandbox feature in a Windows 10 Education N Insider Preview 18305 and allowing the UAC dialog, nothing happens.

I have double checked by installing Docker Desktop 2.0.0.0, Containers feature and Hyper-V feature that my Azure VM is able to run Hyper-V VM's and Windows containers.

What is missing to run Windows Sandbox?

 

 

Senior Member
Updated to 18309, yet no luck but splash screen for a half of second. I've reported the issue, will be waiting for happy ending. Maybe sandbox wants more free space on system drive (I got 40 GB) or it has something to do with NVidia Optimus, who knows...
New Contributor

I am having problems with Windows Sandbox today.
If I open Sandbox, open Outlook, it asks me to sign in.
I add my MSA username and password and it is accepted.
Then it asks me to sign in one more time to the Sandbox and I am told that I can use a pin next time if I wish.
When I type in my password I am told my password is incorrect.
I know it is correct as I have just typed it in. It also allows me to see what I have typed if I click on the "eye."
But always password is incorrect is shown.
Edit I am reliably informed that:-
Sandbox uses its own Windows Local Account password, which I do not know. Without knowing the password, I don't know how to change it.
You can sign-in with a Microsoft Account in some places, but not in others. Places that require you to confirm using the Local Account password of course do not work.

Is this correct? If it is why have we not been informed when the app was flighted? If it is not correct what do we do?

Regular Visitor

As a security feature, I think this should be available in Windows 10 Home.  Home users are probably even more likely to want to run exe files from random places.  Helping them not turn their machines into viral laden messes seems like the right thing to do.  Pro should be about professional use- networking features, server virtualization, etc., not about security.

Super Contributor

Pro not about security? C'mon.. Even if it is provided to Home users, 99% of REAL home users wouldn't care anyway.

At my last job i had to check suspicious sites and files our users stumbled upon based on antivirus/firewall alerts, so i could see if it is a real threat, report it to authorities, warn users, etc. A few times per week. And i had to use Sandboxie, which messes up systems or risk with my browser, or use VM or some dedicated laptop, etc. And i was just a regular sysadmin/helpdesk guy (not a dedicated security officer). Obviously only Pro versions of Windows were in use.

Regular Visitor

Maybe you're right, maybe I'm just dreaming that a significant percentage of Home users are afraid to run random exe files they downloaded from the internet.  But maybe they are and just have no other option they can understand so they do it anyway?  Shouldn't the ones who do understand the risks have easy access to a simple solution?  This is my point about security, you don't have to be using Windows at work to understand that this is a good thing to be doing.  Pro should be an upgrade you buy to do work things, not to run exe files you're concerned about.

Super Contributor

I don't mind this feature to be included in Home edition. I would even just get rid of all editions and have just Windows :) Although i still believe most home users won't find this useful (i know that my parents are not afraid of anything because they just don't get that something can be harmful on the internet, even if i tell them this repeatedly, and they surely wouldn't or know how to use Sandbox), what i meant that this feature for sure should be in Pro and Enterprise versions, because that's the only version usually used at orgs/companies and i provided an example what you can use it for. Pro is used for work and checking suspicious files can be part of your work. Again, dedicated or freelancing security researchers probably would also prefer to use Pro edition to have all other advanced features along with Sandbox.

Occasional Contributor

@jpangburn You must have forgotten that this feature is based on Windows Containers. If the system requirements are the same, it is safe to say home users won't be able to use it. Of course, it is too soon to say. As I said twice in this thread, Microsoft is taking a heavy-handed approach to implementing a mere sandbox. It's SharePoint all over again.