The Sandbox feature, launched with Windows 10 1903, is a lightweight virtual machine that allows running applications in an isolated environment. Only limited configuration is available, via an XML file. The free Sandbox Editor simplifies this task.

Wolfgang Sommergut

Wolfgang Sommergut has over 20 years of experience in IT journalism. He has also worked as a system administrator and as a tech consultant. Today he runs the German publication WindowsPro.de.

Windows Sandbox is based on Hyper-V, but does not require users to activate the hypervisor themselves. It is not necessary to install a guest operating system in the VM either; rather, it is generated automatically from the binaries of the host OS (see this article on the Windows Sandbox).

Configuration via four parameters

In addition to its simple management, Sandbox also has the advantage that no additional license is required (unlike for Windows in a regular VM). However, its limited customization options are a real disadvantage.

While the first preview of the Sandbox did not provide any configuration at all, Windows 10 1903 now supports a few settings. These include the activation of the vGPU, the network, folders for data exchange with the host, and the execution of programs and scripts at startup.

Multiple configurations per sandbox

You can start Windows Sandbox immediately by double-clicking on the XML files with the extension .wsb. Users can store several configurations for different requirements in separate .wsb files. However, you can only execute one instance of Windows Sandbox at a time.

The sandbox can be customized via configuration files in XML format

Windows 10 does not provide tools for editing the sandbox configuration, so users must create and edit the XML structure themselves. The PowerShell-based Sandbox Editor, which can be downloaded from Microsoft's TechNet Gallery, addresses this issue.

Isolation in the network

The relatively simple tool reflects the four parameters with which the sandbox can be configured. Its use is self-explanatory. However, the individual settings require further explanation.

Network and vGPU configuration for the Windows Sandbox

For example, setting the sandbox's networking status to "Enabled" does not give the sandbox full access to the network, nor does it make the sandbox reachable from the network. It provides a connection to the internet, but the computers in the local network remain invisible. Setting the sandbox to

Data exchange via folders

If the network is switched off, the only connection with the outside world is the exchange of data with the host. For this purpose, you can define directories on the host OS, which are then displayed on the desktop of the sandbox. You can choose to allow Read-only or Write access.

The host folders are displayed on the sandbox desktop

Some tutorials warn that Write access to transfer directories will allow malware to spread to the host. This cannot be denied, but the restriction to Read-only is of limited help as long as unhindered data exchange via Copy/Paste over RDP is possible. This cannot be deactivated via sandbox configuration.

Folders for data exchange between guest and host can be shared with Read or Write access

The effects are relatively clear when the vGPU is switched off. This eliminates the hardware support for Direct3D graphics operations and the sandbox uses the Advanced Rasterization Platform (WARP) instead.

Running startup scripts

The last of the four settings allows you to specify programs or scripts to run when the sandbox starts. Since the sandbox discards all changes on exit and starts up with a fresh copy of Windows every time, this option allows you to customize the isolated environment to some extent.

In many cases, this will result in inserting or updating registry keys, for example to change the most common settings for File Explorer. By default, it hides file extensions, which you usually do not want. For this purpose, you could run a script like the one from the TechNet Gallery.

Please keep in mind that the PowerShell execution policy in the sandbox does not allow the execution of scripts. The Sandbox Editor solves this problem by generating a call to PowerShell.exe with a suitable value for the ExecutionPolicy parameter.

The Sandbox Editor automatically creates the command line for PowerShell scripts

The script itself must be stored in a directory on the host and shared for data exchange. You must enable sharing on the exchange folder yourself, since the Sandbox Editor only generates the command line, regardless of whether the script is accessible from the sandbox or not.
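The following script ties the last two steps together. It is an added example written for this article, not the Sandbox Editor's own code: it creates an exchange folder on the host, drops a startup script into it that unhides file extensions in File Explorer (the kind of registry tweak mentioned above), and then writes a .wsb file that maps that folder read-only and calls PowerShell.exe with the execution policy relaxed for that one invocation. The host path C:\SandboxExchange, the script name Prepare-Sandbox.ps1 and the output file name are assumptions; the element names (VGpu, Networking, MappedFolders, LogonCommand) are the ones Windows 10 1903 understands.

```powershell
# Added example, not part of the Sandbox Editor. Paths below are assumptions.
$HostFolder = 'C:\SandboxExchange'                       # assumed host directory shared with the sandbox
$ScriptName = 'Prepare-Sandbox.ps1'                      # assumed name of the startup script
$WsbPath    = Join-Path $env:USERPROFILE 'Desktop\Restricted.wsb'

# 1. Create the exchange folder and the startup script on the host.
New-Item -ItemType Directory -Path $HostFolder -Force | Out-Null

$StartupScript = @'
# Runs inside the sandbox at logon. The sandbox starts from a fresh image,
# so this change is applied on every start and lost on exit.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name HideFileExt -Value 0 -Type DWord
# Restart the shell so File Explorer picks up the new setting;
# Windows 10 relaunches explorer.exe automatically after it is terminated.
Stop-Process -Name explorer -Force
'@
Set-Content -Path (Join-Path $HostFolder $ScriptName) -Value $StartupScript -Encoding ASCII

# 2. Mapped folders appear on the desktop of the sandbox's built-in
#    WDAGUtilityAccount under the host folder's leaf name, so build the
#    guest-side path from that and quote it in case it contains spaces.
$GuestFolder  = 'C:\Users\WDAGUtilityAccount\Desktop\' + (Split-Path $HostFolder -Leaf)
$LogonCommand = "powershell.exe -ExecutionPolicy Bypass -File `"$GuestFolder\$ScriptName`""

# 3. Assemble the configuration: no network, no vGPU, exchange folder read-only,
#    startup command XML-escaped so the quotes do not break the document.
$Config = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$HostFolder</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>$([System.Security.SecurityElement]::Escape($LogonCommand))</Command>
  </LogonCommand>
</Configuration>
"@
Set-Content -Path $WsbPath -Value $Config -Encoding ASCII

# 4. Sanity check: the file must parse as XML before you double-click it,
#    otherwise Windows Sandbox fails to start without a useful message.
[xml]$Parsed = Get-Content -Path $WsbPath -Raw
"Wrote $WsbPath (maps $($Parsed.Configuration.MappedFolders.MappedFolder.HostFolder) read-only)"
```

Double-clicking the generated .wsb starts the sandbox with the folder on the desktop and the script running at logon. Because the folder is mapped read-only, the sandbox can read the script but cannot alter it; if the logon command does not fire, the same powershell.exe line can be run by hand from the mapped folder inside the sandbox, which is also the quickest way to see the error it produces.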

Programs and scripts can be started from a mapped folder

Whether the script really works seems a matter of luck, and the reasons for failure are hard to find due to the limited resources in this environment. To make the overall process more transparent, it is recommended to compile the PowerShell script into an .exe. If necessary, you can run a compiled script manually after starting the sandbox without much effort.

In addition, the sandbox refuses to run PowerShell on some machines and offers a misleading error message about a missing .NET Framework. However, KB4495620, which is cited in Microsoft forums as the reason for this error, is not the cause.

PowerShell often fails to run and shows a misleading error message

Conclusion

The Windows Sandbox is based on an interesting concept. However, in its current state, it is immature and does not even have a tool to edit the configuration. The Sandbox Editor bridges this gap, even if it is only a rudimentary program.

The customization of the sandbox based on just four settings is very limited. One major drawback is that RDP access to the guest console cannot be configured at all.

Theoretically you can change the appearance of Windows in the VM via a startup script if you want to make the effort. But the sandbox by itself should allow you to specify folder settings, font sizes, or other preferences. Hopefully, Microsoft will improve this in a future version.

1 Comment
  1. van robaeys 7 days ago

    Woow, thanks a lot for sharing the tool Wolfgang, really appreciate 🙂

    If you have suggestions don't hesitate to contact me.

    damien.vanrobaeys@gmail.com
