Windows what? Windows Sandbox, a feature that I completely missed. Then I tried it once and loved it immediately. It takes you literally 5 minutes to set up and is really useful in your daily sysadmin tasks.
Prerequisites for using the feature (source: docs.microsoft.com)
- Windows 10 Pro or Enterprise Insider build 18305 or later
- AMD64 architecture
- Virtualization capabilities enabled in BIOS
- At least 4GB of RAM (8GB recommended)
- At least 1 GB of free disk space (SSD recommended)
- At least 2 CPU cores (4 cores with hyperthreading recommended)
Table of contents
What is Windows Sandbox?
Windows Sandbox allows you to start a lightweight “virtual” desktop environment to run applications in an isolated environment. Every time you reopen the sandbox, it will revert all the changes and you will start with a clean slate.

Installing Windows Sandbox
- Enable virtualization in your BIOS.
- Hit Windows Key + R and type “appwiz.cpl” hit enter or search “Turn Windows Features on and off”.
- Select Windows Sandbox hit Ok and restart your computer.
- Search for Windows Sandbox and start it, it takes a while the first time.
Cool things you can do with your Sandbox.
Basically your Sandbox can be started by a simple double click on the icon or by creating a config file. These are just basic XML files that get the ending .wsb to start a configuration simply click it and Windows Sandbox will start.
Mount a directory to Windows Sandbox
This one is pretty straight forward, I use it to open suspicous files I just downloaded. This will map your Downloads folder, or whatever folder you choose to the desktop of the sandbox.
<Configuration> <MappedFolders> <MappedFolder> <HostFolder>C:\Users\FistofTech\Downloads</HostFolder> <ReadOnly>false</ReadOnly> </MappedFolder> </MappedFolders> </Configuration>
Download a script and execute it
This configuration I use to do bigger configurations and to run it on every system I got without copying the code across different machines. You could also combine the mapping of the folders with a logon command to run a local script. But this is just way cooler 😉
<Configuration> <LogonCommand> <Command>powershell.exe -ExecutionPolicy Bypass -c "Invoke-WebRequest -Uri https://pastebin.com/raw/x4ZR39G3 -UseBasicParsing | Select-Object -ExpandProperty content | Out-File ./downloadedscript.ps1 ; ./downloadedscript.ps1" </Command> </LogonCommand> </Configuration>
Explanation of the one liner:
Invoke-WebRequest -Uri https://pastebin.com/raw/x4ZR39G3 -UseBasicParsing | Select-Object -ExpandProperty content | Out-File ./downloadedscript.ps1 ; ./downloadedscript.ps1
Starts PowerShell at boot and bypasses the execution policy (it is set to “signed” at boot). After that Invoke-Webrequest downloads the script and Select-Object removes everything except the instructions from the script. In the end it saves the text to a script file and executes it. The “;” sign is used to separate the commands.
Further reading:
If you have found other uses for Windows Sandbox let me know in the comments. If you want to know more about it check this site there is a list of every possible command.
Hi! Would you mind if I share your blog with my twitter group? There’s a lot of people that I think would really enjoy your content. Please let me know. Thank you
Hi
Sorry for my late response.
Yes of course you can share it! 🙂
Cheers
Xiakit