- Move Windows recovery partition using GParted - Wed, Dec 1 2021
- Configure Secured Core in Windows Server 2022: HVCI, DMA protection, System Guard, and VBS - Mon, Nov 22 2021
- ADMX templates for Office 2021: compatible with 2016 GPOs and 10 new settings - Mon, Nov 15 2021
Windows Sandbox is based on Hyper-V, but does not require users to activate the hypervisor themselves. It is not necessary to install a guest operating system in the VM either; rather, it is generated automatically from the binaries of the host OS (see this article on the Windows Sandbox).
Configuration via four parameters ^
In addition to its simple management, Sandbox also has the advantage that no additional license is required (unlike for Windows in a regular VM). However, its limited customization options are a real disadvantage.
Since the first preview of the Sandbox did not provide any configuration at all, Windows 10 1903 now supports a few settings. These include the activation of the vGPU, the network, folders for data exchange with the host, and the execution of programs and scripts at startup.
Multiple configurations per sandbox ^
You can start Windows Sandbox immediately by double-clicking on the XML files with the extension .wsb. Users can store several configurations for different requirements in separate .wsb-files. However, you can only execute one instance of Windows Sandbox at a time.
Windows 10 does not provide tools for editing the sandbox configuration, so users must create and edit the XML structure themselves. The PowerShell-based Sandbox Editor, which can be downloaded from Microsoft's TechNet Gallery, addresses this issue.
Isolation in the network ^
The relatively simple tool reflects the four parameters with which the sandbox can be configured. Its use is self-explanatory. However, the individual settings require further explanation.
For example, setting the sandbox's networking status to "Enabled" does not allow the sandbox to have full access to the network or be accessed via the network. However, it provides a connection to the internet, but the computers in the local network are still not visible. Setting the sandbox to
Data exchange via folders ^
If the network is switched off, the only connection with the outside world is the exchange of data with the host. For this purpose, you can define directories on the host OS, which are then displayed on the desktop of the sandbox. You can choose to allow Read-only or Write access.
Some tutorials warn that Write access to transfer directories will allow malware to spread to the host. This cannot be denied, but the restriction to Read-only is of limited help as long as unhindered data exchange via Copy/Paste over RDP is possible. This cannot be deactivated via sandbox configuration.
The effects are relatively clear when the vGPU is switched off. This eliminates the hardware support for Direct3D graphics operations and the sandbox uses the Advanced Rasterization Platform (WARP) instead.
Running startup scripts ^
The last of the four settings allows you to specify programs or scripts to run when the sandbox starts. Since the sandbox discards all changes on exit and starts up with a fresh copy of Windows every time, this option allows you to customize the isolated environment to some extent.
In many cases, this will result in inserting or updating registry keys, for example to change the most common settings for File Explorer. By default, it hides file extensions, which you usually do not want. For this purpose, you could run a script like the one from the TechNet Gallery.
Please keep in mind that the PowerShell execution policy in the sandbox does not allow the execution of scripts. The Sandbox Editor solves this problem by compiling a call to PowerShell.exe with the appropriate value for the ExecutionPolicy parameter.
The script itself must be stored in a directory on the host and shared for data exchange. You must enable sharing on the exchange folder yourself, since the Sandbox Editor only generates the command line, regardless of whether the script is accessible from the sandbox or not.
Whether the script really works seems a matter of luck, and the reasons for failure are hard to find due to the limited resources in this environment. To make the overall process more transparent, it is recommended to compile the PowerShell script into an .exe. If necessary, you can run a compiled script manually after starting the sandbox without much effort.
In addition, the sandbox refuses to run PowerShell on some machines and offers a misleading error message about a missing .NET Framework. However, KB4495620, which is cited in Microsoft forums as the reason for this error, is not the cause.
The Windows Sandbox is based on an interesting concept. However, in its current state, it is immature and does not even have a tool to edit the configuration. The Sandbox Editor bridges this gap, even if it is only a rudimentary program.
The customization of the sandbox based on just four settings is very limited. One major drawback is that RDP access to the guest console cannot be configured at all.
Subscribe to 4sysops newsletter!
Theoretically you can change the appearance of Windows in the VM via a startup script if you want to make the effort. But the sandbox by itself should allow you to specify folder settings, font sizes, or other preferences. Hopefully, Microsoft will improve this in a future version.