How to easily configure Windows Sandbox on Windows 10?

By ivan.diskin | July 5, 2019 |

greater than 11 minutes

With the Sandbox feature in Windows 10, users can safely open files and test programs – especially those obtained from the internet – by running them in a secure container or isolated environment. The functionality is relatively easy to use or access, but Microsoft buried its settings in a text-based configuration file, which means you have to perform specified tasks and make certain changes on your computer to control it.

Now, you must understand that the Sandbox feature in Windows operates similarly to a traditional virtual machine, but the virtual environment projected by the functionality has been optimized for security, speed, and efficiency. For one, once you finish your work on any Windows Sandbox session, your machine will act to delete everything. Similarly, your computer is programmed to create a new desktop on demand every time you start the feature.

The Sandbox feature introduced in the Windows 10 May 2019 Update is the major subject of this guide. Here, we have to assume you are running a Pro, Enterprise or Education edition of Windows 10 because the relevant functionality is available only on those Windows 10 builds. If your device is running Windows 10 Home, then you will be unable to access or use the Sandbox feature in view.

How to use Windows Sandbox effectively on Windows 10

Typically, when people launch Windows Sandbox, it makes a copy of their current operating system, disables access to their personal folders or directories, and then works to create a fresh Windows desktop with internet access provided. Before Microsoft introduced the configuration file, users had no way of customizing Sandbox no matter how much they wanted to.

For example, if you did want not internet access to be provided, you would have had to disable it immediately after the environment launch. If you wanted the ability to host files on your host system, you would have had to copy and paste them into Sandbox. If you wanted to use specific third-party applications on the environment, you would have had to install them immediately right after you launch Sandbox.

The inconveniences we outlined are more or less the result of the code that forces Windows Sandbox to delete its instance whenever you close it, which means you have to do a lot of work to customize the virtual environment every time you launch it. From a security point of view, it made absolute sense. The regular instance deletion makes for a secure system – if something goes wrong, all you have to do is close the Sandbox and everything gets obliterated. From a different perspective, however, if you need to launch Sandbox and do some work there quickly, you are likely to get frustrated from having to go through the customization process every time.

Perhaps, Microsoft got wind of the complaints from users and decided to introduce the configuration functionality. While the configuration files for the Windows Sandbox environment are in XML formatting, Windows is programmed to read them as a .wsb file. These are the four configurations that are currently supported by Windows Sandbox:

  • vGPU or Virtualized GPU
  • Networking
  • Shared folders
  • Startup script

With the XML files, users are now able to launch Windows Sandbox with specified or defined parameters. For example, you can tighten or moderate the restrictions imposed on the virtual environment; you can disable internet access; you can configure shared folders to function with your host copy of Windows 10; you can even run a script to install applications.

Well, the options currently available are a bit limited – given that the release of this Sandbox feature constitutes the first edition – but we believe Microsoft will make new additions in future versions through Windows updates. Through the existing functionalities, users can now exert a considerable amount of control over the isolated environment in Windows Sandbox through simple operations.

How to create a custom configuration environment for Windows Sandbox

First, we have to assume you have already activated or configured Windows Sandbox for general use. We have omitted the instructions or steps on setting up Sandbox afresh for a good reason – this guide is focused on the customization process.

To begin your work, you have to choose a program editor. You can employ Notepad since it is a utility built into Windows and it is easy to access and use. You can also use Visual Studio Code or any other advanced editor. Nevertheless, you must know that Notepad is our choice program in the description of the processes or operations outlined in the guide. Perhaps, this knowledge might influence your decision.

We will show you how to create an XML file for configuration purposes. Knowledge of the XML coding language might help a bit, but it is hardly a requirement in the grand scheme of things. Go through these steps to create a Windows Sandbox configuration file to define your environment:

  • First, you have to open the Notepad application.

Click on the Windows icon on your device’s screen (or tap the Windows logo button on your machine’s keyboard). Type Notepad into the text field (that appears once you begin to type) to search for the application.

Once Notepad (App) emerges as the main entry on the returned results list, you must click on it. The Notepad application window will be displayed now.

  • Now, you must place this text there:

<Configuration>

</Configuration>

  • Click on the File menu (situated in the top-left corner of the Notepad window) and then select the Save as option.
  • Navigate through the directories on your system disk to choose the folder where you want Windows to store the configuration file.
  • Fill the field for File name with a descriptive name and then add .wsb to it.

For example, you could use this name: MyConFileSandbox.wsb

  • Click on the drop-down beside the Save as type parameter to see the formats available and then choose the All files option.
  • Assuming you are done inputting the name for the file and choosing the right parameter, you must now click on the Save button to continue.

Well, if you did everything correctly, you will end up with a file which you can edit in XML to control the relevant Sandbox features. If there is an option you want to add, it must be placed between the two parameters you started with. You are free to add one option. You could also decide to use all the options available. If you do not specify an option for a feature, the default configuration will be used.

How to disable or manage virtual network adapter on Windows Sandbox; how to control networking on Windows Sandbox

To manage the virtual network adapter on Windows Sandbox, you have to go through these steps:

  • First, you have to open the File Explorer program (use the Windows logo + letter E key shortcut) and then head to the directory where you stored the configuration file earlier.
  • Right-click on the .wsb file to see some options, choose Open with, and then select Choose another app.

You have to select the Notepad option and then click on the OK button.

  • To disable the virtual network adapter – assuming you are now on the required field on the Notepad application – you have to add <Networking>Disable</Networking> in between the configuration parameters.

The text there should end up like this:

<Configuration>

<Networking>Disable</Networking>

</Configuration>

  • On the other hand, if you want to enable networking on Windows Sandbox, <Networking>Default</Networking> is the syntax you must add between the configuration parameters.

We mean the text there should end up like this:

<Configuration>

<Networking>Default</Networking>

</Configuration>

  • Finally, to ensure Windows takes note of the changes you made, you have to click on the File menu (visible in the top-right corner of the Notepad window) and then select the Save option.
  • Once you are done with the tasks above, if you want to launch Windows Sandbox with the configuration changes you made, you can double-click on the .wsb file.

How to map a host folder on Windows Sandbox

If the need arises for you to share a folder from the host device (physical computer) to the desktop on Windows Sandbox, you have to map a host folder. In that case, you must go through these steps:

  • First, you have to open the File Explorer program (use the Windows logo + letter E key shortcut) and then head to the directory where you stored the configuration file earlier.
  • Right-click on the .wsb file to see some options, choose Open with, and then select Choose another app.

You have to select the Notepad option and then click on the OK button.

  • Assuming your configuration file is now open in Notepad, you have to input this code:

<MappedFolders>

<MappedFolder>

<HostFolder>C:\Users\Public\Documents</HostFolder>

<ReadOnly>true</ReadOnly>

</MappedFolder>

</MappedFolders>

In the script, you have to specify the path for the host folder that you want to appear in Windows Sandbox. To do this, you have to place the folder path within the HostFolder block like this: <HostFolder>insert file path here</HostFolder>

In the code example we gave above, the Public Documents folder residing on the Windows system disk is the directory being shared. The ReadOnly part of the code is used to set whether Sandbox is allowed to write to the folder or not. With it being set to true, it means Sandbox can only read stuff from the folder and not write anything to it. If you want Sandbox to be able to write stuff to the folder as well, you must replace the true part of the code with false.

  • Of course, you still have to save the changes you made to the text. Click on the File menu to see some options and then choose Save.

With the changes you made this time, when you run the altered .wsd file, Windows Sandbox will map the folder, which means you will be able to access it from Desktop. Furthermore, the commands you run will now be executed under the WDAUtility account – this implies that the shared folders will now always appear in Desktop.

We have just shown you how to map a single folder through a basic operation, but you can go through the same steps to create multiple MappedFolder blocks inside a mapped folder, which means you get to mount as many folders as you need from the host device.

Here, we have to warn you of the risks to your system associated with linking a folder between your host and Windows Sandbox. You have given Sandbox write access, after all, and this means a lot. If you intend to test any file or program you suspect to be malicious, then you must not use the map a host folder option.

How to run startup commands on Windows Sandbox

If you want the ability that enables you to run a command or script during login on Windows Sandbox quickly, you must go through these steps to get it:

  • First, you have to open the File Explorer program (use the Windows logo + letter E key shortcut) and then head to the directory where you stored the configuration file earlier.
  • Right-click on the .wsb file to see some options, click on Open with, and then select Choose another app.

You have to select the Notepad option and then click on the OK button.

  • This time, here is the code you must include to run a command during startup on Windows Sandbox:

<LogonCommand>

<Command>cmd.exe</Command>

</LogonCommand>

Here, you must remember to replace the cmd.exe part of the code (between the Command blocks) with the command you want to run. If you intend to run a complex command, you will do well to create a script first and then run it with a single command inside Windows Sandbox.

For example, you could create a script that forces Windows Sandbox to open a mapped folder upon launch. The text should be something like this:

<MappedFolders>

<MappedFolder>

<HostFolder>C:\Users\Public\Downloads</HostFolder>

<ReadOnly>true</ReadOnly>

</MappedFolder>

</MappedFolders>

<LogonCommand>

<Command>explorer.exe C:\users\WDAGUtilityAccount\Desktop\Downloads</Command>

</LogonCommand>

  • Anyway, you still have to save the changes you made to the configuration file for Windows Sandbox. You must click on the File menu (visible in the top-right corner of the Notepad window) and then select the Save option.

The feature will run the command you specified in the code after the session gets initiated.

How to control multiple options on Windows Sandbox; how to customize Windows 10 Sandbox quickly

If you do not want to bother yourself with the configuration processes or steps for various functionalities in Windows Sandbox, you can use a standard configuration file. Follow these instructions:

  • First, you have to open the File Explorer program (use the Windows logo + letter E key shortcut) and then head to the directory where you stored the configuration file earlier.
  • Right-click on the .wsb file to see some options, click on Open with, and then select Choose another app.

You have to select the Notepad option and then click on the OK button.

  • Now, to customize Windows Sandbox with all the available options, you must fill the field on the Notepad application window with this text:

<Configuration>

<Networking>Disable</Networking>

<VGpu>Disable</VGpu>

<MappedFolders>

<MappedFolder>

<HostFolder> C:\Users\Public\Downloads</HostFolder>

<ReadOnly>True</ReadOnly>

</MappedFolder>

</MappedFolders>

<LogonCommand>

<Command>cmd.exe</Command>

</LogonCommand>

</Configuration>

  • At this point, you must save the changes you made to the Windows Sandbox configuration file. You must click on the File menu (visible in the top-right corner of the Notepad window) and then select the Save option.

The projected Windows Sandbox environment (realized from the code we provided above) corresponds to the example Microsoft once gave. If you use it, then your Windows Sandbox will start without a connection to any network and its vGPU property will be disabled (it will use software rendering instead of a virtual GPU).

Furthermore, the script will be written to map the Public Downloads folder on your system’s disk. It will also move on to launch a Command Prompt session on your behalf.

Anyway, after you are done working on your configuration file, you can save it and place it on your desktop. You can even create a shortcut to it and put it on the Start menu. You are free to do whatever you want with the .wsb file to make it accessible.

TIPS:

  • Windows Sandbox can help you by providing an isolated environment where you get to test potentially harmful files or dangerous applications, but you must understand certain malicious items can still find their way into your device – if you run a Windows Sandbox session with vGPU, virtual networking, or folder mapping enabled. If absolute security is your priority – and if you can do without those features – you must not use them.
  • We recommend you improve your computer’s defense capabilities against all forms of threats. You can do this by downloading and running Auslogics Anti-Malware. With this program active on your PC, your system gets furnished with more protective stacks for detecting malicious items and defensive layers to keep them out. Our recommendation here still applies even if you have an antivirus operating on your computer as your main protection utility.
  • Your configuration file might not work if you use incorrect or invalid syntax. Some of the terms or words are case-sensitive. You will do well to copy and use the codes exactly the way they appear here. For example, using disable instead of Disable in certain places will not cut it. The same thing goes for the usage of True in place of true in some parts of the syntax.
Share it:
Do you like this post?
1 Star2 Stars3 Stars4 Stars5 Stars (2 votes, average: 5.00 out of 5)
Loading...