Introduction
This document shows how to set up a sandbox environment in a Windows 10 or 11 client OS and is aimed at system administrators who have some knowledge of the Windows operating systems.
The Windows sandbox, available since the Windows 10 1903 build, is based upon the Hyper-V virtualization components in the Pro or Enterprise or Education versions of the operating system.
The idea of the Windows sandbox is to run a virtual environment, mainly to test untrusted software and applications, in a lightweight, isolated and secure setting that will not affect your host OS. Any changes made in the sandbox will be lost when it is closed down, so that the next time the sandbox is started it will be a new environment again.
Although it uses the same requirements and settings as Hyper-V, there are some differences, in that you do not need to create or acquire a virtual image to install as the environment it creates is based upon your host system, and the settings are not kept between sessions.
Requirements
You need to run either the Windows 10/11 Pro or Enterprise or the Education version. If you have the Home version of Windows 10/11 then you will need to upgrade to a higher version of the host OS. It is a client function, so will not run on the equivalent platform server.
The computer hardware must be capable of providing the same resources as for normal Hyper-V requirements:
Run the SystemInfo command from a CLI and look at the last block of entries in the resulting readout. All of the entries will need to say Yes next to them in order for the sandbox to function:
– VM Monitor Mode Extensions: This means the CPU has the required VT-x (Intel) or AMD-V (AMD) extensions for more efficient virtualization.
– Virtualization Enabled In Firmware: If this says No then go to the BIOS or UEFI settings and turn on virtualization support.
– Second Level Address Translation: This is a CPU feature to use system resources better in virtualization.
– Data Execution Prevention Available: Prevents bad code from getting into reserved memory. It can be turned off in the host (but don’t do it!).
If your output doesn’t list the entries above, but instead says,
“A hypervisor has been detected. Features required for Hyper-V will not be displayed”
then you have already set up this computer previously to be a Hyper-V host, so you’re good to go. You can get an indication of this by checking if there are any Hyper-V services already running.
Enable the sandbox
Assuming that you have met all of the requirements above, and you have reasonable resources available, such as at least 4 GB of RAM and over 1 GB of disk space and a 2-core or more CPU, then the sandbox function can be enabled in the host settings.
Either go to the Control Panel > Programs and Features > Turn Windows features on or off or just run the command OptionalFeatures and in the settings check the entry Windows Sandbox, then OK. It will install what it requires (takes a few minutes) then will prompt you to restart your system afterwards.
If for some reason you are not able to get this to work, despite having met all of the requirements above, and you are working in a Windows AD domain, then there may be group policies in place that impede its use. Check with your system administrator.
Using the sandbox
After the system has installed and a reboot done, then find the entry Windows Sandbox in your Start menu and run it. The sandbox desktop will appear in a window on your host computer.
If you want to test a program in the sandbox, then find the source file(s) on your host system, right-click and select Copy, then right-click on the sandbox desktop and select Paste. This will copy the file(s) to the virtual sandbox, where you can begin testing. Note that there is no drag-and-drop function provided to transfer files.
There is also an Edge browser incorporated into the sandbox that will connect to the Internet so that you can download applications directly.
When you have finished your testing, then any of the normal options to shut down, log off, disconnect, etc. will result in the sandbox closing completely. Note that any configuration or programs you added will be wiped clean.
Also note that if you try to change any of the personalization or display settings that it will not let you because this sandbox version of Windows is not activated, nor do you have the option to activate. This is by design as any changes will be discarded when the session ends anyway.
Load settings at start
There is a way that you can apply some settings to the sandbox when you start it up by using a configuration file.
Create a text file on your host computer, using Notepad or similar, and save it to any location. The desktop is as good as anywhere, and a convenient place. The text file is an .xml file that is renamed to have a .wsb extension (wsb = Windows sandbox).
The core of the file consists of these two lines:
<Configuration>
</Configuration>
One or more commands are then placed between these two lines. The commands that can be used are still being developed and are somewhat limited at present, but there will be constantly updated documentation at Microsoft.
To get an idea of how this works, let us make a startup script that allows the sandbox to map to a folder on the host computer. Note that doing this goes against the idea of an isolated environment and could be considered a security risk.
Create a text file to set a folder mapping to the C:\test folder on your host system, as follows:
<Configuration>
<MappedFolders>
<MappedFolder>
<HostFolder>C:\test</HostFolder>
<ReadOnly>true</ReadOnly>
</MappedFolder>
</MappedFolders>
</Configuration>
In this setup, line 4 shows where the host folder is and line 5 shows true for read only. Change this to false if you want to write to the folder.
Now save the file to the desktop, naming it anything you like, but make sure the extension is changed to .wsb
To use it, simply double-click the .wsb file and it will start the sandbox purely by that action and then use the settings in the configuration file. In this case, you will see a folder icon on your sandbox desktop representing the mapped folder on the host.