How to configure Windows Sandbox on Windows 10

On Windows 10, starting with the May 2019 Update, you can use Windows Sandbox, a feature that offers a lightweight environment isolated from your main installation, to run untrusted applications.

It works similarly to a traditional virtual machine, but this is a virtual environment optimized for security, efficiency, and speed, and you don't need to perform any extra steps. Also, once you're done using a Windows Sandbox session, everything gets deleted from your machine. Every time you start the feature, an entirely new desktop will be created on demand.

Although it's a great feature for system administrators and developers, Windows Sandbox doesn't include an interface to customize the experience. However, you can create a simple configuration file to control various aspects of the feature. For instance, using a configuration file, you can map folders from the host machine to Windows Sandbox, run commands and scripts at startup, and you can even disable the vGPU or the network adapter to increase the security of the environment.

In this Windows 10 guide, we walk you through the steps to create a configuration file to control the functionalities of Windows Sandbox on the May 2019 Update.

How to create a configuration file for Windows Sandbox

To create a Windows Sandbox configuration file, use these steps:

  1. Open Notepad.
  2. Click the File menu.
  3. Select the Save as option.
  4. Type a descriptive name and use the .wsb extension.

  1. Use the Save as type drop-down menu and select the All Files option.
  2. Click the Save button.

Once you complete these steps, you can edit the file using an XML format to control features, such as graphics, networking, folder sharing, and startup scripting.

How to manage virtual network adapter on Windows Sandbox

To disable or enable the virtual network adapter on Windows Sandbox, use these steps:

  1. Open File Explorer.
  2. Navigate to the configuration file.
  3. Right-click the .wsb configuration file that you created earlier, select the Open with option, and click the Choose another app option.
  4. Select the Notepad option.
  5. Click the OK button.
  6. Type the following to disable the virtual network adapter on Windows Sandbox:<Configuration><Networking>Disable</Networking></Configuration>

  1. Type the following to enable networking on Windows Sandbox:<Configuration><Networking>Default</Networking></Configuration>Quick note: Although you can disable networking, Windows Sandbox will enable this feature by default whether or not you use a configuration file.
  2. Click the File menu.
  3. Click the Save option.

After completing these steps, you can double-click the .wsb file to launch Windows Sandbox with the configuration changes that you specified.

How to manage virtual graphics on Windows Sandbox

To disable or enable graphics virtualization on Windows Sandbox after installing the May 2019 Update, use these steps:

  1. Open File Explorer.
  2. Navigate to the configuration file.
  3. Right-click the .wsb configuration file that you created earlier, select the Open with option, and click the Choose another app option.
  4. Select the Notepad option.
  5. Click the OK button.
  6. Type the following to disable the vGPU adapter on Windows Sandbox:<Configuration><VGpu>Disable</VGpu> </Configuration>

  1. Type the following to enable the vGPU on Windows Sandbox:<Configuration><VGpu>Default</VGpu> </Configuration>Quick note: Although you can specify to disable the vGPU, Windows Sandbox will enable this feature by default whether or not you use a configuration file.
  2. Click the File menu.
  3. Click the Save option.

Once you complete the steps, Windows Sandbox will use software rendering for graphics in the virtual machine, but it'll result in slower performance.

How to map a host folder on Windows Sandbox

To share a folder from the host (physical) device to the Windows Sandbox desktop, use these steps:

  1. Open File Explorer.
  2. Navigate to the configuration file.
  3. Right-click the .wsb configuration file that you created earlier, select the Open with option, and click the Choose another app option.
  4. Select the Notepad option.
  5. Click the OK button.
  6. Type the following to map a folder on Windows Sandbox:<Configuration><MappedFolders><MappedFolder><HostFolder>C:\temp</HostFolder><ReadOnly>true</ReadOnly></MappedFolder></MappedFolders></Configuration>In the script, make sure to specify the path for the host folder that you want to appear inside Windows Sandbox within the HostFolder block. Also, inside the ReadOnly block use the "true" value (recommended) to enforce accessing the folder as read-only mode, or use the "false" value to allow read-and-write access to the folder.

  1. Click the File menu.
  2. Click the Save option.

After you complete the steps, when you run the .wsd file, Windows Sandbox will map the folder, which you can then easily access from the Desktop. Every command you run with Windows Sandbox will be executed under the "WDAGUtilityAccount" account, which means that shared folders will always appear in the Desktop.

While the above instructions outline the steps to map a single folder, you can create multiple MappedFolder blocks inside the MappedFolders block to mount as many folders from the host device as you need.

How to run startup commands on Windows Sandbox

To run a command or script during login on Windows Sandbox, use these steps:

  1. Open File Explorer.
  2. Navigate to the configuration file.
  3. Right-click the .wsb configuration file that you created earlier, select the Open with option, and click the Choose another app option.
  4. Select the Notepad option.
  5. Click the OK button.
  6. Type the following to run a command during startup on Windows Sandbox:<LogonCommand><Command>cmd.exe</Command></LogonCommand>Inside the Command block, make sure to replace cmd.exe for the command that you want to run. If you need to run a complex command, we recommend creating a script and then running it with a single command inside Sandbox.

Once you complete these steps, Windows Sandbox will run the command that you specified after the session has been created.

How to control multiple options on Windows Sandbox

To run Windows Sandbox with multiple custom options, use these steps:

  1. Open File Explorer.
  2. Navigate to the configuration file.
  3. Right-click the .wsb configuration file that you created earlier, select the Open with option, and click the Choose another app option.
  4. Select the Notepad option.
  5. Click the OK button.
  6. Type the following to customize Windows Sandbox with all the available options:<Configuration><Networking>Disable</Networking><VGpu>Disable</VGpu><MappedFolders><MappedFolder><HostFolder>C:\Temp</HostFolder><ReadOnly>True</ReadOnly></MappedFolder></MappedFolders><LogonCommand><Command>cmd.exe</Command></LogonCommand></Configuration>

After you complete the steps, using the above example, Windows Sandbox will start without a connection to the network, and it'll use software rendering, instead of a virtual GPU. Also, the script will map the Temp folder located in the root of the "C:\" from the host machine, and it'll launch a Command Prompt session.

While the purpose of Windows Sandbox is to provide isolation for potentially harmful applications, it's still possible for malicious code to gain access to your device or network if you're running a session with vGPU, virtual networking, and mapped folder enabled.

If the configuration file doesn't work, make sure you're using the same case for the options as shown in this guide. During my time testing these settings, I have found that some of the settings are case sensitive. For instance, the network adapter didn't disable until I changed "disable" for "Disable," and the folder didn't map correctly until I changed "True" to "true."

Mauro recommends all these affordable accessories

Hi, I'm Mauro Huculak, Windows Central's help and how-to guru. I wrote the post you're reading now, and I know the Windows OS inside and out. But I'm also a bit of a hardware geek. These are some of the affordable gadgets on my desk today.

Logitech MX Master Wireless Mouse ($72 at Amazon)

I know mice, and this is the one I use every day. The MX Master is a wireless high-precision mouse that's very comfortable to use and has many great features, including the ability to connect with multiple devices, an infinite scroll wheel, back and forward buttons, all of which you can customize.

Ktrio Extended Gaming Mouse Pad ($12 at Amazon)

If you spend a lot of time typing, your palms and mouse will leave tracks on your desk. My solution was to start using gaming mouse pads, which are big enough for you to use the keyboard and the mouse comfortably. This is the one I use and recommend.

Supernight LED light strip ($20 at Amazon)

You could just use a regular light bulb in your office, but if you want to add some ambient lighting with different colors, an RGB LED strip is the way to go. This one is Mauro-approved.

Mauro Huculak

Mauro Huculak is technical writer for WindowsCentral.com. His primary focus is to write comprehensive how-tos to help users get the most out of Windows 10 and its many related technologies. He has an IT background with professional certifications from Microsoft, Cisco, and CompTIA, and he's a recognized member of the Microsoft MVP community.