
How to Enable Windows Sandbox

Back in August, I wrote on Petri about a new feature that Microsoft was reportedly introducing in Windows 10 Enterprise called InPrivate Desktop. Exposed during a bug-bash quest in the Feedback Hub, the text of the quest said that InPrivate Desktop would provide admins a way to launch a throwaway sandbox for secure, one-time execution of untrusted software. As Brad reported, this feature is now being officially previewed in the latest Windows Insiders update for Windows 10, build 18305.

InPrivate Desktop Renamed Windows Sandbox

Windows Sandbox provides an isolated, temporary desktop where users can run software that might make unwanted changes to Windows. Every time Windows Sandbox is started, users are presented with a clean installation of Windows, meaning no files are preserved from the previous session. And unlike Hyper-V virtual machines, you won’t need to download a Windows image file to work with Windows Sandbox.

Enable Windows Sandbox

There are a few prerequisites before you can use Windows Sandbox. You must be running Windows 10 (18305 or later) 64-bit Pro or Enterprise SKUs, with at least 4GB of RAM, virtualization capabilities enabled in the BIOS, 1GB of free disk space, and at least 2 CPU cores.

Windows Sandbox is a built-in Windows feature which you can enable from the Control Panel.

  • Open the Control Panel.
  • Click Programs.
  • Under Programs and Features, click Turn Windows features on or off.
  • Give consent or provide an administrator password in the UAC prompt.
  • Scroll down the list in the Windows Features dialog and check the box next to Windows Sandbox.
  • Click OK to install the feature.

Enable Windows Sandbox in Windows 10 build 18305 (Image Credit: Microsoft)

You might be prompted to restart your device.
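
The same prerequisite check and installation can be scripted from an elevated PowerShell session. The script below is an added example, not part of the original article: it verifies the requirements listed above and then enables the feature. The feature name `Containers-DisposableClientVM` comes from Microsoft's documentation rather than this page, and matching the edition on the OS caption is an assumption made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: verify the Windows Sandbox prerequisites, then enable the feature.

$os   = Get-CimInstance Win32_OperatingSystem
$cs   = Get-CimInstance Win32_ComputerSystem
$cpu  = @(Get-CimInstance Win32_Processor)
$disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
# Sum installed modules; TotalPhysicalMemory under-reports by the firmware-reserved amount.
$ram  = (Get-CimInstance Win32_PhysicalMemory | Measure-Object Capacity -Sum).Sum

# VirtualizationFirmwareEnabled reads False once a hypervisor is already running,
# so a present hypervisor is accepted as proof that virtualization is switched on.
$virt = ($cpu.VirtualizationFirmwareEnabled -contains $true) -or $cs.HypervisorPresent

$checks = [ordered]@{
    'Build 18305 or later'      = ([int]$os.BuildNumber -ge 18305)
    '64-bit operating system'   = [Environment]::Is64BitOperatingSystem
    'Pro or Enterprise edition' = ($os.Caption -match 'Pro|Enterprise')  # assumption: edition read from caption
    'At least 4GB of RAM'       = ($ram -ge 4GB)
    'At least 2 CPU cores'      = (($cpu | Measure-Object NumberOfCores -Sum).Sum -ge 2)
    'At least 1GB free disk'    = ($disk.FreeSpace -ge 1GB)
    'Virtualization enabled'    = [bool]$virt
}

foreach ($check in $checks.GetEnumerator()) {
    $status = if ($check.Value) { 'OK  ' } else { 'FAIL' }
    Write-Host "[$status] $($check.Key)"
}

$failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value })
if ($failed.Count -gt 0) {
    Write-Warning "Prerequisites not met: $($failed.Key -join ', ')"
    return
}

$name    = 'Containers-DisposableClientVM'
$feature = Get-WindowsOptionalFeature -Online -FeatureName $name
if ($feature.State -eq 'Enabled') {
    Write-Host 'Windows Sandbox is already enabled.'
} else {
    # -All also enables parent features; -NoRestart leaves the reboot to the operator.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $name -All -NoRestart
    if ($result.RestartNeeded) {
        Write-Host 'Windows Sandbox enabled. Restart the device to finish installation.'
    }
}
```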

Using Windows Sandbox

Once the installation is complete, you can start the sandbox from the Start menu. You’ll need to provide UAC consent to run the sandbox. Once Windows has booted in the sandbox, you can copy any files you want to run on the desktop from the host device. As soon as the sandbox window is closed, all the files and changes made are discarded.

Windows Sandbox vs Virtual Machine

Windows Sandbox uses a dynamically generated image based on the host’s Windows 10 installation, meaning you won’t have to manually download a VHD file or install Windows from an ISO file in the sandbox. The base image is around 100MB in size and only 25MB in compressed form when Windows Sandbox is not installed.

Memory management is also slightly different, allowing the host to reclaim memory from the sandbox if required. And ‘Direct Map’ allows the sandbox to securely use the same physical memory pages as the host OS. The integrated kernel scheduler lets the host OS decide when Windows Sandbox runs, much like the threads for any normal process, making sure that the host stays responsive under load. Microsoft says that these technical differences from Hyper-V virtual machines aim to treat Windows Sandbox like an app but at the same time provide the security guarantees of virtual machines.

From a performance perspective, Windows Sandbox uses snapshots and cloning to save the memory, CPU, and device state to disk so that you don’t need to boot Windows from scratch every time the sandbox is started. Additionally, hardware accelerated graphics rendering is supported by allowing apps in the sandbox or Hyper-V to directly use graphics APIs, providing that you have a compatible graphics card and WDDM 2.5 or newer drivers.

Don’t forget that Windows Sandbox is in preview and is likely to have bugs and performance issues. I’ll be updating Petri with more information on Windows Sandbox when the next feature update for Windows 10 reaches general availability.

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.