How to customise the Windows Sandbox
Published April 15, 2023 by Danny Moran
Introduction
Learn how to customise the Windows Sandbox by creating configuration files. In this example, I show you how to create simple configuration files which are used to customise parts of the Windows Sandbox, such as disabling networking, mapping folders from the host machine within the Windows Sandbox, and creating logon command scripts which are executed when the Windows Sandbox is launched so that tasks can be automated.
Enabling the Windows Sandbox
I have a full guide on how to enable the Windows Sandbox, or you can run the following PowerShell command:
Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -All -Online
Creating a custom launcher
To customise the Windows Sandbox, you need to create a configuration file with a .wsb file extension. Within this file, you can provide configuration parameters in an XML format.
Once you have your custom configuration file, save it with a name such as sandbox-custom.wsb and then double-click the file to launch your customised Windows Sandbox environment.
Sandbox Configuration Options
Networking
By default, the Windows Sandbox creates a virtual network card which enables access to the network. The below example disables it.
<Configuration>
  <Networking>Disable</Networking>
</Configuration>
Available values:
- Enable - This is the default value if this option is not specified and enables access to the network from within the Windows Sandbox.
- Disable - This disables network access within the Windows Sandbox.
Clipboard Redirection
By default, the Windows Sandbox enables clipboard redirection so that text, files, and folders can be easily copied from the host workstation to the sandbox, or from the sandbox to the host workstation.
<Configuration>
  <ClipboardRedirection>Disable</ClipboardRedirection>
</Configuration>
Available values:
- Enable - This is the default value if this option is not specified and enables clipboard redirection between the Windows Sandbox and the host workstation.
- Disable - This disables clipboard redirection between the Windows Sandbox and the host workstation.
Protected Client
<Configuration>
  <ProtectedClient>Enable</ProtectedClient>
</Configuration>
Available values:
- Disable - This is the default value if this option is not specified and doesn’t enable enhanced protection of the host workstation from things running from inside the Windows Sandbox.
- Enable - This enables enhanced host workstation protection from things running from inside of the Windows Sandbox.
Folder Mapping
Folders from the host workstation can be mapped to folders within the Sandbox. In the below example, the Desktop folder and the Downloads folder are being mapped from the host workstation to inside the Windows Sandbox. The read only setting is set to true, so that the contents of the folder can only be read and no files can be written to the folder from within the Windows Sandbox environment.
<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\Danny\Desktop</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>C:\Users\Danny\Downloads</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Downloads</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
Required values:
- HostFolder - This is the absolute path to the folder on the host workstation that you want to redirect into the Windows Sandbox.
- SandboxFolder - This is the absolute path to the folder within the Windows Sandbox where you want the HostFolder to be redirected to.
Additional values:
- ReadOnly
  - False - This is the default value if this option is not specified and allows the Windows Sandbox to write back to the folder on the host workstation.
  - True - This prevents the Windows Sandbox from writing contents back to the redirected folder on the host workstation.
Logon Command
You can run a single simple command prompt command using the below parameters; however, I don’t particularly like running commands this way. I prefer to use the below advanced method of creating a PowerShell script.
<Configuration>
  <LogonCommand>
    <Command>notepad.exe</Command>
  </LogonCommand>
</Configuration>
Logon Command with PowerShell Script
First, we need to create a script on our local machine to run and store it in C:\windows-sandbox\script.ps1 with the below contents:
# Open Microsoft Edge
Start-Process "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
# Open Notepad and File Explorer
notepad.exe
explorer.exe
# Launch the Chrome installer from the mapped C:\windows-sandbox folder
C:\windows-sandbox\googlechromestandaloneenterprise64.msi
Once the script has been created, we can now create our Windows Sandbox config file and include the following:
<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\windows-sandbox</HostFolder>
      <SandboxFolder>C:\windows-sandbox</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>powershell -executionpolicy unrestricted -command "start powershell {-noexit -file C:\windows-sandbox\script.ps1}"</Command>
  </LogonCommand>
</Configuration>
Memory Limits
The amount of memory (RAM) that is available to the Windows Sandbox can be limited using the below parameter. If more memory is required for the Windows Sandbox to boot, this value will be automatically increased to the required minimum amount. In the below example, we are limiting the Windows Sandbox to 4GB of memory.
<Configuration>
  <MemoryInMB>4096</MemoryInMB>
</Configuration>
Virtual GPU
<Configuration>
  <vGPU>enable</vGPU>
</Configuration>
Available values:
- Disable - This is the default value if this option is not specified and disables vGPU support inside the Windows Sandbox.
- Enable - This enables vGPU support inside the Windows Sandbox.
Printer Redirection
<Configuration>
  <PrinterRedirection>enable</PrinterRedirection>
</Configuration>
Available values:
- Disable - This is the default value if this option is not specified and disables printer redirection inside the Windows Sandbox.
- Enable - This enables printer redirection inside the Windows Sandbox.
Audio Input
<Configuration>
  <AudioInput>disable</AudioInput>
</Configuration>
Available values:
- Enable - This is the default value if this option is not specified and enables audio from the host computer, such as a microphone, inside the Windows Sandbox.
- Disable - This disables audio from the host computer, such as a microphone, inside the Windows Sandbox.
Video Input
<Configuration>
  <VideoInput>enable</VideoInput>
</Configuration>
Available values:
- Disable - This is the default value if this option is not specified and disables video from the host computer, such as a webcam, inside the Windows Sandbox.
- Enable - This enables video from the host computer, such as a webcam, inside the Windows Sandbox.
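Because of the defaults listed above, an option that is left out of a .wsb file can still be switched on: networking, clipboard redirection and audio input are enabled unless disabled, and a mapped folder is writable unless ReadOnly is true. The following PowerShell function is an added example, not part of the original article, that reads a .wsb file and reports the effective value of each option covered on this page. The function name Get-WsbEffectiveSetting, the Review flag and the sample file are assumptions of this example.

```powershell
# Added example (not from the original article); the function name is hypothetical.
function Get-WsbEffectiveSetting {
    param([Parameter(Mandatory)][string]$Path)
    # Default = value the article gives for an omitted option.
    # Exposed = value this example treats as worth reviewing (an assumption).
    $options = [ordered]@{
        Networking           = @{ Default = 'Enable';  Exposed = 'Enable'  }
        ClipboardRedirection = @{ Default = 'Enable';  Exposed = 'Enable'  }
        ProtectedClient      = @{ Default = 'Disable'; Exposed = 'Disable' }
        vGPU                 = @{ Default = 'Disable'; Exposed = 'Enable'  }
        PrinterRedirection   = @{ Default = 'Disable'; Exposed = 'Enable'  }
        AudioInput           = @{ Default = 'Enable';  Exposed = 'Enable'  }
        VideoInput           = @{ Default = 'Disable'; Exposed = 'Enable'  }
    }
    $root = ([xml](Get-Content -LiteralPath $Path -Raw)).DocumentElement
    foreach ($name in $options.Keys) {
        # Element names are case-sensitive in XPath; values are compared case-insensitively.
        $node  = $root.SelectSingleNode($name)
        $value = if ($node) { $node.InnerText.Trim() } else { $options[$name].Default }
        [pscustomobject]@{
            Setting = $name; Value = $value; Explicit = $null -ne $node
            Review  = $value -ieq $options[$name].Exposed
        }
    }
    # ReadOnly defaults to false, so a mapped folder is writable unless it says true.
    foreach ($folder in $root.SelectNodes('MappedFolders/MappedFolder')) {
        $ro = $folder.SelectSingleNode('ReadOnly')
        $writable = -not ($ro -and $ro.InnerText.Trim() -ieq 'true')
        [pscustomobject]@{
            Setting  = "MappedFolder $($folder.SelectSingleNode('HostFolder').InnerText)"
            Value    = if ($writable) { 'ReadWrite' } else { 'ReadOnly' }
            Explicit = $null -ne $ro; Review = $writable
        }
    }
}

# Constructed sample: networking is disabled, ReadOnly and all other options are omitted.
$sample = Join-Path ([IO.Path]::GetTempPath()) 'sample.wsb'
@'
<Configuration>
  <Networking>disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\windows-sandbox</HostFolder>
      <SandboxFolder>C:\windows-sandbox</SandboxFolder>
    </MappedFolder>
  </MappedFolders>
</Configuration>
'@ | Set-Content -LiteralPath $sample
Get-WsbEffectiveSetting -Path $sample | Format-Table -AutoSize
```

For the sample file, the rows flagged for review are ClipboardRedirection, ProtectedClient and AudioInput (all left at their defaults) and the mapped folder, which is writable because ReadOnly was omitted.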