After Application Guard, Credential Guard, and Device Guard, Windows Sandbox is the latest virtualization-based security (VBS) feature in Windows 10 (starting from build 18305). This lightweight and user-transparent virtual machine (VM) discards all changes upon closing the Sandbox.
Microsoft has already implemented the concept of an isolated application environment with Application Guard, but it only works for the web browser. Sandbox is a generic form of Application Guard without its specific browser-related functions such as the persistent saving of bookmarks and downloads.

No Hyper-V installation required

A VM runs under the hood of the Sandbox. As with the other VBS features, users do not have to install Hyper-V or provide their own images for the guest operating system. All of this happens automatically in the background and is thus transparent to the user.

The Sandbox starts each time with a clean install of Windows 10

For this purpose, the Sandbox does not bring a virtual disk with a full Windows 10, but it simply shares the binaries of the host OS (therefore, its VM mostly contains links to the required files of the host).

It shares DLLs with the host not only on disk but also in memory. In this respect, the Sandbox more closely resembles a container and is less isolated from the host OS than a conventional VM.

No access to the local network

While normal VMs under a client Hyper-V have relatively tight integration with the host by allowing users to copy files or access network drives, the Sandbox largely isolates its content from the environment. Each time you launch a new copy, you'll get a clean install of Windows 10, and it discards any changes to the OS upon shutdown.

The virtual network based on the Hyper-V adapter does not allow access to resources in the LAN

This prevents access to file shares and sharing directories in the Sandbox. The data exchange between guest and host is only possible via copy and paste. As with all remote desktop connections, you can also copy files via Remote Desktop Protocol (RDP) in this way.

Copy and paste files between host and guest

Update: Starting with build 18342 of Windows 10, the Sandbox can be configured using an XML file with the extension .wsb. This way, you can not only activate or deactivate vGPUs but also loosen some of the default restrictions.

For example, you can allow or deny access to the network. In addition, directories on the host can be shared for exchanging data (even with write permission). The new option to automatically run a startup script comes in handy if you want to install or copy applications from a file share.

The settings and the syntax of the configuration file are documented in this post on Microsoft TechCommunity.
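
An added example, not part of the original article: a PowerShell check that reads a .wsb file and reports every setting that loosens the restrictions described above (network access, writable host folders, a startup command). The element names follow Microsoft's documented .wsb schema; the function name `Get-WsbFinding` and the sample configuration are constructed for illustration.

```powershell
# Constructed sample .wsb content (not from the article).
$sampleWsb = @'
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Default</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Tools</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>C:\Exchange</HostFolder>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\Users\WDAGUtilityAccount\Desktop\Tools\setup.cmd</Command>
  </LogonCommand>
</Configuration>
'@

function Get-WsbFinding {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$WsbXml)
    $doc = [xml]$WsbXml
    # Trimmed text of the first node matching $xpath, or '' if it is absent.
    $text = {
        param($node, $xpath)
        $hit = $node.SelectSingleNode($xpath)
        if ($hit) { $hit.InnerText.Trim() } else { '' }
    }
    # An absent element means the default applies, so only an explicit
    # "Disable" counts as restricted.
    foreach ($name in 'Networking', 'VGpu') {
        if ((& $text $doc "/Configuration/$name") -ne 'Disable') {
            "$name is not disabled"
        }
    }
    foreach ($folder in $doc.SelectNodes('/Configuration/MappedFolders/MappedFolder')) {
        # ReadOnly defaults to false: anything but "true" gives the guest write access.
        if ((& $text $folder 'ReadOnly') -ne 'true') {
            "Host folder '$(& $text $folder 'HostFolder')' is writable from the sandbox"
        }
    }
    $command = & $text $doc '/Configuration/LogonCommand/Command'
    if ($command) { "Runs at logon: $command" }
}

Get-WsbFinding -WsbXml $sampleWsb
```

To check a real file, pass `(Get-Content -Raw <path to .wsb>)` as `-WsbXml` before opening it with the Sandbox.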

IT pros as a target group

This characteristic raises the question of which scenarios and users the Sandbox is suitable for. Launching the Sandbox in the current preview requires administrative rights. Hence, standard users who are not allowed to install software on their PCs cannot run it in this isolated environment either.

From a usability point of view, working in a desktop on a desktop is likely to be very confusing for technically less experienced users.

Since the most important application for a closed environment for non-technical users is the web browser, Application Guard is the better option. This allows Microsoft Edge to run seamlessly on the Windows desktop.

Unlike the Sandbox, Application Guard integrates the browser seamlessly into the desktop

An obvious application for Sandbox would be an admin workstation. Based on the privileged administrative workstation (PAW) concept, Microsoft strongly recommends separating environments where management tools run with elevated privileges from those used for everyday work (such as web browsing).

Using the Sandbox, the system administrator could easily implement this best practice by executing administrative tasks in the host system and transferring other activities to the isolated environment.

Advantages of the Sandbox

Compared to a normal VM, the Sandbox has several advantages on a PAW:

  • There's no need to set up a VM or install an OS in it.
  • Code sharing with the host means its resource consumption is moderate.
  • No patch management is required because it shares the binaries with the host OS.
  • It discards all user data including malware after exiting. In a normal VM with a longer lifespan, malware could survive.
  • The Sandbox does not grant access to resources in the local network and thus prevents the spread of malware.

It is obvious the Sandbox is primarily suitable for activities for which onboard tools such as the Edge browser are sufficient. You can also quickly deploy portable applications by transferring them to the Sandbox via copy and paste. However, installing large software packages is a waste of time because you'll lose them upon closing the Sandbox.

If you close the Sandbox, it warns you of the loss of data

This behavior makes the Sandbox viable for testing unknown software. Programs run in the context of a local Sandbox user (WDAGUtilityAccount). There's no support for installations that require a system reboot or for Store apps.

Installation and system requirements

Windows Sandbox is on board as an optional feature you can add to the system using the Control Panel. It is currently missing from the Settings app generally used to manage such additional modules.

Install Windows Sandbox as an optional feature using the control panel

Since the feature is based on Hyper-V, its hardware requirements are similar to those of the hypervisor. These include the virtualization extensions of the processor (with at least two cores) and 8 GB RAM for it to work smoothly.

If you want to run the Sandbox in a VM, you have to configure it for nested virtualization

If you want to try out the Windows Sandbox in a VM, you have to activate nested virtualization (in VMware Workstation, you virtualize Intel-VT or AMD-V as well as the performance counters).

This feature is only available for Windows 10 Pro and Windows 10 Enterprise starting with build 18305.

© 4sysops 2006 - 2023