Skip to content

Windows Sandbox automation scripts

What is Windows Sandbox?

Windows Sandbox is a secure, isolated environment (VM) on Windows Pro and Enterprise. It creates a temporary, disposable instance of Windows, ensuring any changes made do not affect the host system.

Key Points

  • Isolation: Each session is a fresh, clean slate.
  • Efficiency: Uses the host's OS image, minimizing overhead.
  • Disposable: All data is deleted when closed.

Windows Sandbox is perfect for testing software and exploring suspicious files without risk.

Install Windows Sandbox

INFO

An elevated Powershell instance is needed.

powershell
# Checks if the Windows Sandbox is alreaddy installed and if not, install it. 
If (!(Get-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM)){
    Enable-WindowsOptionalFeature -Online -FeatureName Containers-DisposableClientVM
}

Winget Configuration with Windows Sandbox

To use Windows Sandbox with Winget, you first need a configuration file in .yaml format. To do this, you can simply create a text file and change the file extension to .yaml afterwards.

yaml
# yaml-language-server: $schema=https://aka.ms/configuration-dsc-schema/0.2

###############################################################################
# Create Windows Sandbox instance with WinGet installed.                      #
# Run as Administrator                                                        #
# Mount C:\Sandbox on the local filesystem into the Sandbox filesystem.       #
# The Logon command performs the following steps in Windows PowerShell:       #
# 1. Set the execution policy to RemoteSigned                                 #
# 2. Download and install App Installer (WinGet) and it's dependencies        #
############################################################################### 

properties:
  resources:
    - resource: Microsoft.WindowsSandbox.DSC/WindowsSandbox
      directives:
        description: Create Windows Sandbox with Winget installed
        allowPrerelease: true
      settings:
        Ensure: Present
        # You could also provide a custom .wsb file to open (look at the next point further down) with the Windows Sandbox,
        # but the following parameters will override the values from it.
        # WsbFile: <Provide a custom .wsb file to open.>
        
        # The Logon command is in essence a powershell  script that will be executed when the sandbox is started. First it installs the Windows package manager.
        LogonCommand: >
          cmd /c start powershell -NoExit -Command "$progressPreference = 'silentlyContinue';
          Write-Host 'Setting execution policy to remote signed...' `n;
          Set-ExecutionPolicy RemoteSigned -Force;
          Write-Host 'Downloading WinGet and its dependencies...' `n;
          Invoke-WebRequest -Uri https://aka.ms/getwinget -OutFile Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle;
          Invoke-WebRequest -Uri https://aka.ms/Microsoft.VCLibs.x64.14.00.Desktop.appx -OutFile Microsoft.VCLibs.x64.14.00.Desktop.appx;
          Invoke-WebRequest -Uri https://github.com/microsoft/microsoft-ui-xaml/releases/download/v2.8.6/Microsoft.UI.Xaml.2.8.x64.appx -OutFile Microsoft.UI.Xaml.2.8.x64.appx;
          Add-AppxPackage Microsoft.VCLibs.x64.14.00.Desktop.appx;
          Add-AppxPackage Microsoft.UI.Xaml.2.8.x64.appx;
          Add-AppxPackage Microsoft.DesktopAppInstaller_8wekyb3d8bbwe.msixbundle;
        # From here on out you can use winget to install apps in the sandbox.
          winget install notepad++.notepad++ --accept-package-agreements --accept-source-agreements;
        # HostFolder: <Absolute path to folder on host machine that will be shared into the Windows Sandbox>
        # SandboxFolder: <Absolute path to destination in the sandbox to map the Host Folder to>
        # ReadOnly: false
        MemoryInMB: 4096
        vGPU: true
        # AudioInput: true
        # ClipboardRedirection: true
        Networking: true
        # PrinterRedirection: false
        # ProtectedClient: false
        # VideoInput: true
  configurationVersion: 0.2.0

After you safted the .yaml file on your computer, you can start the Windows Sandbox with the following command:

powershell
# Use Winget to start and configure the Windows sandbox.
winget configure C:\[FileName].yaml --accept-configuration-agreements

TIP

Microsoft hosts a link to a configuration file that can be used to configure the Windows Sandbox with Winget installed. winget configure. https://aka.ms/sandbox.dsc.yaml

Powershell window when starting the sandbox like shown above:

INFO

When you remove the '--accept-configuration-agreements' part from the command, you get the question at the end that you need to answer, like shown in the screenshot.

drawing

Windows Sandbox configuration with a .wsb file

You can also configure the Windows Sandbox with a .wsb file. The advantage is, that you can just double click the .wsb file to start the Windows Sandbox. This means you don`t need to use powershell in any way and can deploy the file to other users.

To create such a file, you can again simply write your configuration into a text editor and change the file extention afterwards to .wsb.

This example

  • disables the vGPU
  • enables Networking
  • Maps a local folder 'C:\TestReadFolder' as read only to the Windows Sandbox folder 'TestReadFolder' under Documents.
  • Maps a local folder 'C:\TestReadWriteFolder' to the Windows Sandbox folder 'TestReadWriteFolder' under Documents.
  • Downloads vsCode to Downloads and installs it.
xml
<Configuration>
  <vGpu>Disable</vGpu>
  <Networking>enable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\TestReadFolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Documents\TestReadFolder</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>C:\TestReadWriteFolder</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Documents\TestWriteFolder</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>powershell.exe "invoke-webrequest https://update.code.visualstudio.com/latest/win32-x64-user/stable" -outfile C:\users\WDAGUtilityAccount\Downloads\vscode.exe
    C:\users\WDAGUtilityAccount\Downloads\vscode.exe /verysilent /suppressmsgboxes</Command>
  </LogonCommand>
</Configuration>