Windows Sandbox - How to configure in Windows 10  

    Windows Sandbox - How to configure in Windows 10

    Windows Sandbox - How to configure in Windows 10

    How to configure Windows Sandbox with custom theme and preinstalled software in Windows 10
    Published by Category: Virtualization
    02 Jul 2020
    Designer Media Ltd


    information   Information
    A quote from Ten Forums tutorial Enable Windows Sandbox Feature in Windows 10 Home Edition

    Starting with Windows 10 build 18305, Microsoft introduced Windows Sandbox.

    Windows Sandbox is a new lightweight desktop environment tailored for safely running applications in isolation.

    How many times have you downloaded an executable file, but were afraid to run it? Have you ever been in a situation which required a clean installation of Windows, but didn’t want to set up a virtual machine?

    At Microsoft, they regularly encounter these situations, so they developed Windows Sandbox: an isolated desktop environment where you can run untrusted software without the fear of lasting impact to your device. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all of its files and state are permanently deleted.
    Windows Sandbox does not contain any third party software, and uses a default theme. It looks quite plain by default:
    Windows Sandbox - How to configure in Windows 10-sandbox-default.jpg

    By creating a configuration file, users can change the theme, switch to Dark Mode, add software and so on. This tutorial will show how to do that.




    Contents

     Click links to jump to any part

    Part One: Sample Windows Sandbox Configuration File
    Part Two: Virtual GPU
    Part Three: Networking
    Part Four: Shared Folders
    Part Five: Startup script



    Part One

     Sample Windows Sandbox Configuration File

    1.1 A Windows Sandbox configuration file contains information about vGPU (virtualized GPU), networking, folders on host shared with Sandbox, and can run a startup script to execute commands:
    Windows Sandbox - How to configure in Windows 10-sandbox-wsb-file.jpg
    (Image from Thomas Maurer's blog on Microsoft Tech Community.)

    1.2 All four modules are optional. If user wants to run Sandbox with default settings, only adding a shared folder, only that module is required.

    1.3 Here's the configuration file I use to enable vGPU and networking, map a host folder %userprofile%\OneDrive\Sandbox, and run a batch file SBConfig.bat (see step 1.5) to apply a custom Windows theme, install Chrome, Firefox and Opera browsers, and set Windows to use dark mode:

    Code:
    <Configuration>
    <vGPU>Enable</vGPU>
    <Networking>Default</Networking>
    <MappedFolders>
       <MappedFolder>
         <HostFolder>E:\Users\Kari\OneDrive\Sandbox</HostFolder>
         <ReadOnly>true</ReadOnly>
       </MappedFolder>
    </MappedFolders>
    <LogonCommand>
       <Command>C:\users\WDAGUtilityAccount\Desktop\Sandbox\SBConfig.bat</Command>
    </LogonCommand>
    </Configuration>

    1.4 A Sandbox configuration file must have extension .wsb (Windows SandBox). I have saved the above file as Browsers and theme.wbs in folder %userprofile%\OneDrive\Sandbox, and can start Windows Sandbox with a custom theme and dark mode, vGPU and networking enabled, three third party browsers installed, and host folder Sandbox shared with Sandbox simply by double clicking the .wsb file on host:
    Windows Sandbox - How to configure in Windows 10-sandbox-customized.jpg
    (Click screenshots to enlarge.)

    1.5 The batch file SBConfig.bat run from <LogonCommand> tags in configuration file, which I have also saved in %userprofile%\OneDrive\Sandbox folder:

    Code:
    REM Apply a custom theme
    REM As Windows Sandbox is not activated, this is the only way to personalize it
    C:\Users\WDAGUtilityAccount\Desktop\Sandbox\W10G-TF.deskthemepack
    
    REM Install Chrome
    start /wait C:\Users\WDAGUtilityAccount\Desktop\Sandbox\ChromeStandaloneSetup64.exe /silent /install
    
    REM Install Firefox
    start /wait C:\Users\WDAGUtilityAccount\Desktop\Sandbox\FirefoxSetup.exe -ms 
    
    REM Install Opera
    start /wait C:\Users\WDAGUtilityAccount\Desktop\Sandbox\Opera_64.0.3417.73_Setup.exe /silent /allusers=yes /launchopera=no /setdefaultbrowser=no
    
    REM Switch to Dark Mode
    reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v AppsUseLightTheme /t REG_DWORD /d 00000000 /f
    
    REM Close Settings app left open when theme was applied
    start /wait taskkill /F /IM SystemSettings.exe

    The first command in batch file applies my custom Windows Theme Pack file. When a theme is applied, Settings app will automatically open in Personalization page.

    The last command in batch then closes the Settings app. Because Settings App opens with a slight delay, if the TASKKILL command to close it would have been executed just after applying the theme, Settings would have not been completely opened, therefore causing TASKKILL command to fail.


    Let's break the configuration file in parts and look into each module.



    Part Two

     Virtual GPU

    2.1 By default, vGPU (virtualized GPU) is enabled in Sandbox. The vGPU tags in configuration file can be used to disable vGPU and make Sandbox use software rendering instead. Especially when testing possible malware, this reduces the risk for host to get infected, at the same time making rendering somewhat slower.

    2.2 Allowed values for vGPU tags are Enable (default) and Disable.

    2.3 If you want to accept all other defaults, just disable vGPU, a simple three line configuration file is enough:

    Code:
    <Configuration>
    <vGPU>Disable</vGPU>
    </Configuration>

    2.4 I save this as %userprofile%\OneDrive\Sandbox\VGPUDisabled, and can run Sandbox with vGPU sisabled by double clicking it.



    Part Three

     Networking

    3.1 By default, Networking is enabled in Sandbox. The Networking tags in configuration file can be used to disable networking. Disabling networking, together with disabled vGPU is recommended when testing possible malware. These two settings make Sandbox completely isolated from host and network.

    3.2 Allowed values for Networking tags are Default (network enabled) and Disable.

    3.3 If you want to accept all other defaults, just disable networking, use the following configuration file. I save it as %userprofile%\OneDrive\Sandbox\NoNetwork.wsb:

    Code:
    <Configuration>
    <Networking>Disable</Networking>
    </Configuration>

    3.4 To completely isolate Sandbox from host and network, use the following configuration file. I save it as %userprofile%\OneDrive\Sandbox\Isolated.wsb:
    Code:
    <Configuration>
    <vGPU>Disable</vGPU>
    <Networking>Disable</Networking>
    </Configuration>



    Part Four

     Shared Folders

    4.1 All host folders can be shared with Sandbox. When shared, each folder will be added to desktop of Sandbox default user profile WDAGUtilityAccount.

    4.2 To share a host folder is done in <MappedFolders> tags. Inside the <MappedFolders> tags (notice the plural s at the end of the tag name), each shared folder is then given in <MappedFolder> (singular).

    Having user profiles stored on E: drive, to share my host folder E:\Users\Kari\Downloads with Sandbox, I use the following configuration file, saving it as %userprofile%\OneDrive\Sandbox\Downloads.wsb:

    Code:
    <Configuration>
    <MappedFolders>
       <MappedFolder>
         <HostFolder>E:\Users\Kari\Downloads</HostFolder>
         <ReadOnly>true</ReadOnly>
       </MappedFolder>
    </MappedFolders>
    </Configuration>

    4.3 In addition, I want to share my custom Sandbox folder, located in my OneDrive. With following configuration script I can share both:

    Code:
    <Configuration>
    <vGPU>Enable</vGPU>
    <Networking>Default</Networking>
    <MappedFolders>
       <MappedFolder>
         <HostFolder>E:\Users\Kari\OneDrive\Sandbox</HostFolder>
         <ReadOnly>true</ReadOnly>
       </MappedFolder>
       <MappedFolder>
         <HostFolder>E:\Users\Kari\Downloads</HostFolder>
         <ReadOnly>true</ReadOnly>
       </MappedFolder>
    </MappedFolders>
    <LogonCommand>
       <Command>C:\users\WDAGUtilityAccount\Desktop\Sandbox\SBConfig.bat</Command>
    </LogonCommand>
    </Configuration>

    4.4 The <ReadOnly> tags with value true used for both shared folders tell Sandbox that I want it not to have right to write to these folders, not to save anything on them nor edit their content. Changing the <ReadOnly> value to false gives Sandbox full access.



    Part Five

     Startup Script

    5.1 The <LogonCommand> tags can contain any Windows command, or run an executable file, batch file or script.

    5.2 If the command is not an internal, native Windows command, Sandbox must find its target in a shared folder. For instance, if I want to accept all other defaults, just run my SBConfig.bat batch file when Sandbox is started (see Step 1.5), I would first save the batch in folder shared in configuration script, then run it from <LogonCommand> tags:

    Code:
    <Configuration>
    <MappedFolders>
       <MappedFolder>
         <HostFolder>E:\Users\Kari\OneDrive\Sandbox</HostFolder>
         <ReadOnly>true</ReadOnly>
       </MappedFolder>
    </MappedFolders>
    <LogonCommand>
       <Command>C:\Users\WDAGUtilityAccount\Desktop\Sandbox\SBConfig.bat</Command>
    </LogonCommand>
    </Configuration>

    5.3 In above code sample, I first share host folder E:\Users\Kari\OneDrive\Sandbox with Windows Sandbox, which will be added to its default user profile's desktop. The folder contains the batch file SBConfig.bat, which Windows Sandbox runs from this mapped network share.

    Important to remember: if the command given is not an internal, native Windows command, Sandbox must be able to find it in a shared folder. If you run an application installer, a PowerShell script, a batch file, a Java script and so on from <LogonCommand> tags, the target, executable or script itself must be accessible to Sandbox.


    5.4 To automatically install software in Windows Sandbox, download its offline installer, and find out which switches need to be used for a silent unattended install. For instance, if you want Google Chrome to be available every time Sandbox starts. download its offline installer from here: Google Chrome - The New Chrome & Most Secure Web Browser

    5.5 In my case, I saved the Chrome installer in my custom Sandbox folder, shared that folder, and run the silent installer from mapped drive in Windows Sandbox with following configuration file. It starts Windows Sandbox with default settings, and installs Chrome silently in the background:

    Code:
    <Configuration>
    <MappedFolders>
       <MappedFolder>
         <HostFolder>E:\Users\Kari\OneDrive\Sandbox</HostFolder>
         <ReadOnly>true</ReadOnly>
       </MappedFolder>
    </MappedFolders>
    <LogonCommand>
       <Command>C:\Users\WDAGUtilityAccount\Desktop\Sandbox\ChromeStandaloneSetup64.exe /silent /install</Command>
    </LogonCommand>
    </Configuration>


    That's about it. Looking at my OneDrive\Sandbox folder, it contains all my .wsb scripts to start Windows Sandbox in a different way. I can run any of them to start Windows Sandbox in a way I want to. It also contains the offline software installers, a batch file to install software and apply theme, the theme file itself naturally saved in same folder:
    Windows Sandbox - How to configure in Windows 10-sandbox-folder.jpg

    Please post your possible issues and questions about configuring Windows Sandbox in this thread.

    Kari



  1. Kari's Avatar
    Posts : 17,611
    Windows 10 Pro
       #1

    Anyone else having this issue when upgraded to Insider Preview build 19013:

    Kari
      My Computer

  2. Kari's Avatar
    Posts : 17,611
    Windows 10 Pro
    Thread Starter
       #2

    OK, seems that Sandbox team is taking my feedback seriously.


      My Computer

  3. Kari's Avatar
    Posts : 17,611
    Windows 10 Pro
    Thread Starter
       #3

      My Computer

  4. slicendice's Avatar
    Posts : 4,666
    Windows 10 Pro x64 21H1 Build 19043.1151 (Branch: Release Preview)
       #4

    My current custom sandbox:
    Windows Sandbox - How to configure in Windows 10-image.png

    What I changed:
    1. Exported my current theme from host system
    2. Added my %USERPROFILE%\Downloads and %USERPROFILE%\Documents\Sandbox host folders
    3. Enabled Dark Theme for Apps
    4. Runs a .reg-file with all locale data exported from host system (changes clock display format and others, because my system locale is EN-US but regional settings are Finnish)


    Thanks for this. Now I have a decent Sandbox. Next I will add some development software to my configuration and start hacking some code without having to be afraid to break my host.
      My Computers


  5. Posts : 129
    10 Pro
       #5

    Can't make the commands work.
    Wanted it to install Edge. Downloaded the offline installer, used the quiet switch, didn't do anything.
      My Computer

  6. Kari's Avatar
    Posts : 17,611
    Windows 10 Pro
    Thread Starter
       #6

    mkr10001 said:
    Can't make the commands work.
    Wanted it to install Edge. Downloaded the offline installer, used the quiet switch, didn't do anything.
    Just to be sure, I just downloaded the latest stable version of new Edge, then created new batch file to install it, and finally a new WBS configuration file to launch Sandbox and install Edge.

    Works perfectly, exactly as told in tutorial.

    With the little information you give, it's impossible to tell why can't get it working.

    Kari
      My Computer


 

Tutorial Categories

Windows Sandbox - How to configure in Windows 10 Tutorial Index Network & Sharing Instalation and Upgrade Browsers and Email General Tips Gaming Customization Apps and Features Virtualization BSOD System Security User Accounts Hardware and Drivers Updates and Activation Backup and Restore Performance and Maintenance Mixed Reality Phone


  Related Discussions
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 16:38.
Find Us




Windows 10 Forums