Microsoft may be positioning its easy-peasy Windows Sandbox within the Windows 10 May 2019 Update as a safe zone for testing untrusted applications, but it’s much more than that. Windows Sandbox, and sandboxing PC apps in general, give you a solution for trying a “utility” that may be malware, or a website that you’re not sure about. You could leave those potentially dangerous elements alone, but with Sandbox, you can be a little more adventurous.
Windows Sandbox creates a secure “Windows within Windows” virtual machine environment entirely from scratch, and walls it off from your “real” PC. You can open a browser and surf securely, download apps, even visit websites that you probably shouldn’t. Sandbox also includes a unique convenience: you can copy files in and out of the virtual PC, bringing them out of quarantine if you’re absolutely sure they’re safe.
At any time, you can close Windows Sandbox, and when you do, anything left there is totally obliterated. If that dodgy website rains malware down on your Sandbox, all it takes is one click to shut it down, without harm to your actual Windows installation. Next time you launch a new version of Sandbox, it will launch a pristine version of Windows 10 to start anew.
You won’t need to buy a second copy of Windows to use the feature either—though you will need Windows 10 Pro or Enterprise. The Home version doesn’t support it.
Here’s everything you need to know to start using Windows Sandbox.
Get started with Windows Sandbox
Technically, Windows Sandbox is a lightweight virtual machine, a tool often used by developers and researchers to test new software within a controlled environment. Virtualization creates an entire virtual computer, complete with operating system, storage, and memory, within your existing Windows PC.
Granted, Windows already offers Hyper-V to achieve similar tasks. What makes Sandbox so appealing is that Sandbox is to Hyper-V as Windows 10’s Mail app is to Outlook: a simplified, user-friendly version of a much more complex application.
Beyond the Windows 10 Pro requirement, Windows Sandbox’s performance impact demands a modern, fairly powerful machine with virtualization capabilities. Here are the minimum specifications for the feature:
- A 64-bit processor capable of virtualization, with at least two CPU cores; Microsoft recommends a quad-core chip. (Virtually all Intel processors sold since 2016 support virtualization, though this Intel guide explains how to check. Otherwise, the Performance tab within the Task Manager will tell you whether virtualization is enabled—credit to Shailesh Jha for the reminder.)
- Virtualization enabled in your motherboard BIOS, if it’s not already
- Windows Pro, Enterprise, or Server
- At least 4GB of RAM (8GB recommended)
- At least 1GB of free disk space (SSD recommended)
Windows Sandbox is an alternate feature of Windows, and it won’t be installed by default even if it’s available to you. To enable it, you’ll need to go to the Windows Features control panel, which you can find by searching for Turn Windows features on and off. To enable Sandbox, you’ll need to scroll down and check the proper box. Windows will install the necessary files and may need to reboot your PC.
When the installation process is completed, there won’t be any bells or whistles. To enable Sandbox, you can simply type Windows Sandbox into the Windows search box. It may take a minute or two to load, if only because Windows needs to establish the virtual machine. Microsoft has said previously that it will “freeze” the state of the virtual machine, archive it, and bring it up when you launch Windows Sandbox again—basically, everything should launch faster next time around.
How to use Windows Sandbox
Sandbox appears as a small window on your desktop. Within it, there’s another Windows desktop, like what you might see if you installed Windows 10 and decided to use a local account.
The Sandbox virtual PC isn’t quite like your own. For one thing, none of the personalization options you’ve installed will carry over, such as favorites and themes. And that’s good! One of the ideas behind Sandbox is not to put your personal information out into the wild, so don’t be tempted to log in with your personal account. None of your third-party software will appear either. You still have access to File Explorer, but it’s restricted to the Sandbox, with a subset of your PC’s resources available. Note, too, that only one instance of Windows Sandbox is allowed at a time.
You’ll probably be immediately tempted to open Windows Sandbox as a full-screen app. That’s fine, especially as Microsoft has helpfully placed a large, Windows XP-style header at the top of the window, reminding you that you’re working within Sandbox. Pay attention to it—the last thing you want to do is carelessly switch back to your “real” PC and open that dodgy website that you meant to launch in Sandbox. Edge browser and File Explorer windows opened within Sandbox won’t identify themselves as the Sandbox versions. Feel free to play around with the Windows Settings within Sandbox, if you’d like, and see how it differs from your main Windows installation.
Because Windows Sandbox isn’t run as a virtual machine, but as an app, there’s not as much of a performance hit on your PC as a true virtual machine. (If you’d like to know more about the technical underpinnings of Sandbox, check out Microsoft’s support page.) But be aware that Sandbox is going to take a chunk of your PC’s resources for its own use, including a portion of the CPU, memory, and disk space. If your PC is already pokey, both it and the Sandbox virtual PC will run even more slowly.
Sandbox’s app status also benefits you if you ever want to interact with any files you may have downloaded. A Hyper-V virtual machine isolates the file system so that malware can’t escape. Any files you want to copy out of a Hyper-V VM requires a Remote Desktop connection or Enhanced Session Mode. Normal people don’t want to deal with any of that! Sandbox simply allows you to cut and paste (or copy) any file on it right to your “real” desktop. That’s very handy if the utility you were testing turns out to be useful after all.
I didn’t notice any bugs or crashes associated with Sandbox, with one exception. If you’re having trouble accessing the Internet from within Windows Sandbox, as I did, you may want to tweak your firewall settings to allow access to the Sandbox apps, or simply adjust your global protection settings.
Windows Sandbox won’t tell you if a dodgy program is secretly sending information back to a third-party server, or whether some other pernicious activity is taking place without your knowledge. (Advanced users could monitor network traffic if they desired, however.) But if that file a “friend” sent you turns out to be ransomware, it won’t do any harm in Sandbox.
Remember, you can close down Windows Sandbox at any time. When you do, you’ll receive a message that whatever is stored within it is gone for good. The protections Sandbox offers go away if you copy a hazardous file from within the virtual machine out to your main Windows installation, of course.
Adapting Windows Sandbox for everyday use
What you may quickly realize, however, is that Sandbox is more than just a testbed for apps you’re not sure about. It’s also a bonus layer of security when you’re poking about the web. We liked Windows 10’s hidden secure browser, Windows Device Application Guard, but it allowed you to download files only to its own secure environment. With Sandbox, you can copy files between Sandbox to your PC.
Both Microsoft Edge and Google Chrome include their own sandboxing elements to protect your PC. But if you really don’t trust a particular site, you can always open Edge within your Sandbox (creating a sort of “sandbox within a Sandbox”) and open that untrusted site. Are you a bit skeptical that Chrome’s Incognito mode doesn’t track your browsing? Download Chrome within Sandbox, surf away without logging into your Google account, then destroy your whole session by closing Sandbox.
Windows Sandbox doesn’t anonymize your viewing—your Internet provider will still theoretically have a record of what sites you’ve visited, unless you also use a VPN—but when you destroy the Sandbox, that browsing record totally disappears. And if you download something you’re not sure about, you can always test it within Sandbox to help determine whether it’s actually malicious.
Oddly, Windows Defender doesn’t seem to work within Sandbox, but I downloaded a free third-party antivirus from BitDefender and was able to check individual files for malware.
As we noted above, Sandbox demands a price in terms of performance. Running on a first-gen Surface Laptop (with a Core i5-7200U Kaby Lake chip powering it), just three media-rich Edge tabs within Sandbox gobbled up enough resources to keep the total CPU utilization well above 90 percent. I occasionally saw a bit of stuttering when moving down a webpage. With a more robust Surface Pro (2017) and a few code revisions later, Windows Sandbox ran much more smoothly.
Don’t think that you’ll be playing games within Sandbox. But opening an email via Outlook.com? Sure. Downloading what I thought was a Linux distribution over uTorrent? That worked just fine. (Trying to mount the ISO file within Sandbox, though, did not.)
How far you incorporate Sandbox into your everyday life is up to you. We’ve already seen Sandbox videos demonstrating the effects of computer viruses—because when they’ve finished wreaking havoc on the Sandbox virtual machine, the Sandbox can be shut down. (We still wouldn’t recommend this with known dangers, as we can’t say for certain that malware won’t be able to break out of the Sandbox virtual machine.) Nevertheless, Sandbox offers the potential for much more than app trials.
Note that there are other third-party sandbox applications that you can still try: Sandboxie (both free and paid versions); BitBox, designed specifically for browsing; ShadeSandbox, and more. All of them have their own pros and cons. What Windows Sandbox offers, though, is the convenience of a free, secure sandboxing solution built right into Windows.
Editor’s note: This article was originally published before the Windows 10 May 2019 Update launched. It has been revised to remove reference to Windows Insider builds and future-tense language.