What Is Windows Sandbox? The Built-In Disposable Desktop
Windows Sandbox is a lightweight, temporary virtual machine built directly into Windows 10 and Windows 11. It provides an isolated desktop environment where you can run applications, visit websites, or open files that you don't fully trust, without any risk to your main operating system.
Introduced in Windows 10 version 1903 (May 2019 Update), the Sandbox is essentially a clean, fresh copy of Windows that spins up in seconds. Once you close the Sandbox window, everything inside it (files downloaded, registry changes, installed programs) is permanently and irreversibly deleted. Your host system remains completely untouched.
What Makes It Different from a Virtual Machine?
Traditional virtualization solutions like VMware or Hyper-V require you to obtain a full OS image, allocate dedicated disk space, and manage persistent snapshots. Windows Sandbox is fundamentally different: it uses dynamic base image technology, sharing immutable OS files directly with the host using copy-on-write semantics. This means the Sandbox consumes almost no extra disk space for the operating system itself.
The result is a startup time measured in seconds (typically 2–5 seconds), a minimal memory footprint (around 100 MB of dedicated RAM overhead), and zero persistent storage for the OS layer. For quick, disposable testing sessions, nothing in the Windows ecosystem comes close.
How Windows Sandbox Works Under the Hood: Architecture Explained
Understanding the internals of Windows Sandbox helps you appreciate its security model and performance characteristics. Microsoft engineered it with three core technologies working in concert.
Dynamic Base Image
The Sandbox does not keep a full copy of the OS on disk. Instead, it uses a dynamically generated base image that maps directly to clean system files on your host drive. Only files that differ between the host and the Sandbox (user-created content, downloaded files, installed applications) are stored separately, using a sparse disk format. The typical footprint for the OS layer is around 100 MB, compared to gigabytes for traditional VMs.
Kernel Isolation via Hardware Virtualization
Windows Sandbox runs as a Hyper-V container under the hood, giving it hardware-level isolation. The Sandbox kernel is completely separate from the host kernel: a vulnerability exploited inside the Sandbox cannot directly affect the host OS. The VM Bus and VSP/VSC architecture handles all communication between host and guest with strict boundaries.
Integrated Kernel Scheduler
To prevent performance degradation on the host, Microsoft built a custom scheduler that ensures Sandbox virtual processors are treated as low-priority from the host CPU perspective. When your main workload needs resources, the Sandbox yields automatically. This means you can run the Sandbox in parallel with your normal workflow without significant slowdown.
Windows Sandbox System Requirements: Is Your PC Compatible?
Before attempting to enable Windows Sandbox, verify your system meets all of the following requirements. Missing even one will prevent the feature from working correctly.
| Requirement | Minimum Specification | Notes |
|---|---|---|
| Windows Edition | Windows 10/11 Pro, Enterprise, or Education | Home edition is not supported |
| Windows Version | Windows 10 version 1903 (build 18305) or later | All Windows 11 versions are supported |
| Architecture | AMD64 (x86-64) only | ARM64 is supported on Windows 11 only |
| CPU Virtualization | Intel VT-x or AMD-V enabled in BIOS/UEFI | Must be enabled manually on many systems |
| CPU Cores | At least 2 cores (4 recommended) | Hyperthreading counts toward core count |
| RAM | Minimum 4 GB (8 GB strongly recommended) | Sandbox itself uses ~100–500 MB overhead |
| Free Disk Space | At least 1 GB free on system drive | Dynamic image; not full OS size |
| Hyper-V | Enabled in BIOS (SLAT required) | Second Level Address Translation mandatory |
How to Check Your Windows Edition and Version
Press Win + R, type winver, and press Enter. The dialog will show your current Windows edition and build number. Alternatively, go to Settings → System → About and look for "Edition" and "OS build".
How to Check if Virtualization Is Enabled
Open Task Manager (Ctrl + Shift + Esc), click the Performance tab, select CPU, and look for the "Virtualization" label at the bottom. It should read Enabled. If it shows "Disabled", you need to enter your BIOS/UEFI settings and enable Intel VT-x (Intel systems) or AMD-V / SVM Mode (AMD systems).
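A scripted version of the checks above, as an added example that is not part of the original article: it reads the edition, build, processor count, RAM, free disk space and virtualization state from CIM and compares them with the minimums in the requirements table. The function names New-Check and Test-SandboxPrerequisite are assumptions made for this example; run it from an elevated PowerShell, because Get-WindowsOptionalFeature requires administrator rights.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original article): prerequisite check for Windows Sandbox.
# Thresholds come from the requirements table above; nothing on the system is changed.
function New-Check([string]$Name, $Value, [bool]$Pass) {
    [pscustomobject]@{ Check = $Name; Value = $Value; Pass = $Pass }
}

function Test-SandboxPrerequisite {
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $cpu  = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$($env:SystemDrive)'"
    $feat = Get-WindowsOptionalFeature -Online -FeatureName 'Containers-DisposableClientVM' -ErrorAction SilentlyContinue

    # Once a hypervisor is already running, Windows typically reports the CPU
    # virtualization properties as False, so a present hypervisor counts as a pass.
    $hv     = [bool]$cs.HypervisorPresent
    $vtx    = $hv -or $cpu.VirtualizationFirmwareEnabled
    $slat   = $hv -or $cpu.SecondLevelAddressTranslationExtensions
    $ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB)
    $freeGB = [math]::Round($disk.FreeSpace / 1GB, 1)
    # $feat is empty when the feature is not offered on this edition.
    $state  = if ($feat) { [string]$feat.State } else { 'not available' }

    New-Check 'Edition is Pro, Enterprise or Education' $os.Caption ($os.Caption -match 'Pro|Enterprise|Education')
    New-Check 'Build 18305 or later' $os.BuildNumber ([int]$os.BuildNumber -ge 18305)
    New-Check 'At least 2 logical processors' $cs.NumberOfLogicalProcessors ($cs.NumberOfLogicalProcessors -ge 2)
    New-Check 'At least 4 GB RAM' "$ramGB GB" ($ramGB -ge 4)
    New-Check 'At least 1 GB free on system drive' "$freeGB GB" ($freeGB -ge 1)
    New-Check 'Virtualization enabled in firmware' $vtx $vtx
    New-Check 'SLAT available' $slat $slat
    New-Check 'Containers-DisposableClientVM enabled' $state ($state -eq 'Enabled')
}

Test-SandboxPrerequisite | Format-Table -AutoSize
```

A False in the last row with every other row True means the hardware and edition are ready and only the feature itself still has to be enabled.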
How to Enable Windows Sandbox on Windows 10: Step-by-Step
There are three methods to enable Windows Sandbox on Windows 10. All three achieve the same result; choose the one you're most comfortable with. A restart is required after enabling the feature.
Method 1: Windows Features (GUI) - Recommended
- Press Win + S and search for "Turn Windows features on or off", then open it.
- Scroll down the list and locate Windows Sandbox.
- Check the checkbox next to Windows Sandbox and click OK.
- Windows will download and install the required components. This may take a few minutes depending on your internet speed.
- When prompted, click Restart Now to reboot your computer.
- After restart, search for "Windows Sandbox" in the Start menu; it will appear as a regular application.
Method 2: PowerShell (Recommended for Administrators)
Open PowerShell as Administrator and run the following command:
PowerShell (Run as Administrator)
Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -Online -All
PowerShell will prompt you to restart. Type Y and press Enter to reboot immediately, or N to reboot manually later.
Method 3: DISM Command Prompt
Open Command Prompt as Administrator and run:
Command Prompt (Run as Administrator)
dism /online /Enable-Feature /FeatureName:"Containers-DisposableClientVM" /All /NoRestart
The /NoRestart flag suppresses the automatic restart. Reboot manually when ready.
How to Enable Windows Sandbox on Windows 11: Step-by-Step
The process on Windows 11 is nearly identical to Windows 10 but the UI has been updated. Here are the three methods for Windows 11.
Method 1: Optional Features in Settings (Windows 11 Native)
- Open Settings with Win + I, then navigate to System → Optional features.
- Scroll down and click "More Windows features" at the bottom of the page.
- This opens the classic Windows Features dialog. Locate and check Windows Sandbox.
- Click OK and wait for installation to complete.
- Restart when prompted.
Method 2: PowerShell on Windows 11
The command is identical to Windows 10:
PowerShell (Run as Administrator)
Enable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -Online -All
Verifying the Installation
After restarting, open the Start menu and search for Windows Sandbox. You should see the application icon. Right-click it to pin it to your taskbar or Start menu for quick access.
To confirm from PowerShell, run Get-WindowsOptionalFeature -Online -FeatureName "Containers-DisposableClientVM". The State field should show Enabled.
Launching and Using Windows Sandbox for the First Time
Once enabled, Windows Sandbox is straightforward to use. Here is a walkthrough of your first session.
Launching the Sandbox
Search for Windows Sandbox in the Start menu and launch it. Because it runs with elevated Hyper-V privileges, Windows will ask for UAC confirmation; click Yes. The Sandbox window will open within 2–5 seconds, showing a clean Windows desktop inside a resizable window.
The Sandbox Desktop Environment
Inside the Sandbox you get a fully functional, temporary Windows session: a Start menu, File Explorer, Microsoft Edge, and a basic set of Windows applications. Notably, it runs the same Windows version as your host, so there's no compatibility guesswork. The desktop resolution adjusts dynamically as you resize the Sandbox window.
Transferring Files: Copy-Paste and Drag-and-Drop
The simplest way to get files into the Sandbox is to copy them from your host (Ctrl+C) and paste them inside the Sandbox (Ctrl+V). You can paste directly onto the Sandbox desktop or into an open File Explorer window inside it. Drag-and-drop between the host and Sandbox window also works. Clipboard text is shared bidirectionally by default.
Ending a Session
Simply click the X button on the Sandbox window title bar, or shut it down from inside via Start → Power → Shut down. You'll be prompted to confirm since all data will be lost. The session terminates cleanly and all virtualization resources are immediately freed.
Advanced Windows Sandbox Configuration with .wsb Files
Windows Sandbox supports a powerful configuration format via .wsb files (Windows Sandbox Configuration files). These are simple XML documents that let you customize the Sandbox environment: mount shared host folders, run startup scripts, control networking, and more.
Creating a .wsb Configuration File
A .wsb file is a UTF-8 encoded XML file with the extension .wsb. Double-clicking it launches a Sandbox session with that specific configuration applied. Create one in Notepad or any text editor.
Basic .wsb Template
<Configuration>
  <Networking>Disable</Networking>
  <VGpu>Enable</VGpu>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Users\YourName\Desktop\TestFiles</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\TestFiles</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\Users\WDAGUtilityAccount\Desktop\TestFiles\setup.bat</Command>
  </LogonCommand>
</Configuration>
All Available Configuration Options
| Parameter | Values | Description |
|---|---|---|
| <Networking> | Enable / Disable | Toggle internet access inside Sandbox. Default: Enable. |
| <VGpu> | Enable / Disable | Enable virtualized GPU for hardware-accelerated rendering. Default: Enable. |
| <MemoryInMB> | Integer (MB) | Set maximum RAM for the Sandbox (e.g., 4096). Host enforces the limit. |
| <MappedFolders> | XML block | Share one or more host folders with the Sandbox. Optionally read-only. |
| <ReadOnly> | true / false | Inside MappedFolder: prevent writes from Sandbox back to host folder. |
| <LogonCommand> | XML block | Run a script or executable automatically when the Sandbox starts. |
| <AudioInput> | Enable / Disable | Share host microphone with Sandbox. Default: Disable. |
| <VideoInput> | Enable / Disable | Share host webcam with Sandbox. Default: Disable. |
| <ClipboardRedirection> | Enable / Disable | Allow clipboard sharing between host and Sandbox. Default: Enable. |
| <PrinterRedirection> | Enable / Disable | Allow Sandbox to use host printers. Default: Disable. |
Example: Offline Security Analysis Config
A real-world configuration for analyzing a suspicious installer safely: no internet access, and read-only access to a shared folder containing the file:
offline-security-scan.wsb
<Configuration>
  <Networking>Disable</Networking>
  <VGpu>Disable</VGpu>
  <MemoryInMB>2048</MemoryInMB>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Quarantine\SuspiciousFiles</HostFolder>
      <SandboxFolder>C:\Users\WDAGUtilityAccount\Desktop\Quarantine</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
</Configuration>
Use <Networking>Disable</Networking> and <ReadOnly>true</ReadOnly> on mapped folders. This prevents malware from phoning home or writing back to the host.
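One way to check a .wsb file against that advice before opening untrusted content with it, as an added example that is not part of the original article. The function name Test-WsbIsolation and the sample paths are assumptions; omitted elements fall back to the defaults listed in the options table, and a mapped folder without a ReadOnly element is treated as writable.

```powershell
# Added example (not from the original article): list the settings in a .wsb file
# that leave a channel open between the Sandbox and the host.
function Test-WsbIsolation {
    param([Parameter(Mandatory)][xml]$Wsb)

    # Value assumed when an element is omitted, per the options table above.
    $defaults = [ordered]@{
        Networking = 'Enable'; ClipboardRedirection = 'Enable'
        AudioInput = 'Disable'; VideoInput = 'Disable'; PrinterRedirection = 'Disable'
    }
    foreach ($name in $defaults.Keys) {
        $node  = $Wsb.SelectSingleNode("/Configuration/$name")
        $value = if ($null -ne $node) { $node.InnerText.Trim() } else { "$($defaults[$name]) (default)" }
        if ($value -notlike 'Disable*') {
            [pscustomobject]@{ Setting = $name; Value = $value; Finding = 'Host resource reachable from the Sandbox' }
        }
    }
    foreach ($mf in $Wsb.SelectNodes('/Configuration/MappedFolders/MappedFolder')) {
        $ro = $mf.SelectSingleNode('ReadOnly')
        if ($null -eq $ro -or $ro.InnerText.Trim() -ne 'true') {
            [pscustomobject]@{ Setting = 'MappedFolder'; Value = $mf.HostFolder; Finding = 'Writable from the Sandbox (ReadOnly is not true)' }
        }
    }
    $cmd = $Wsb.SelectSingleNode('/Configuration/LogonCommand/Command')
    if ($null -ne $cmd) {
        [pscustomobject]@{ Setting = 'LogonCommand'; Value = $cmd.InnerText.Trim(); Finding = 'Runs automatically at startup; review the script' }
    }
}

# Constructed sample: no Networking element, one read-only and one writable folder.
$sample = @'
<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Lab\Tools</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>C:\Lab\Output</HostFolder>
    </MappedFolder>
  </MappedFolders>
</Configuration>
'@
Test-WsbIsolation -Wsb $sample | Format-Table -AutoSize
```

To audit a file on disk, pass its text with Test-WsbIsolation -Wsb (Get-Content -Raw .\offline-security-scan.wsb); the offline configuration shown above produces no findings.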
Practical Use Cases: What You Can Do with Windows Sandbox
Windows Sandbox is a versatile tool that goes well beyond just running suspicious executables. Here are the most valuable real-world scenarios.
1. Testing Suspicious Software Before Installing
This is the most common use case. Before running an installer from an unfamiliar website, drop it into the Sandbox and install it there first. Check what it does: does it spawn extra processes? Does it install browser extensions? Does it call home to unusual IP addresses? All of this can be observed safely, and when you close the Sandbox, no trace remains on your host.
2. Safe Web Browsing of Untrusted Sites
Need to visit a URL that looks suspicious, or click a link from a phishing email to analyze it? Open the Sandbox, launch Edge, and browse from there. Drive-by downloads, malicious scripts, and exploit kits are all contained. Your host browser history, cookies, and credentials remain pristine.
3. Software Development and Testing
Developers can use the Sandbox to test installers, deployment scripts, or clean-room software behavior. Verify that your application runs correctly on a fresh Windows installation with no additional dependencies. This is particularly valuable for testing setup wizards and uninstallers without needing a dedicated test VM.
4. Evaluating Freeware and Shareware
Many free applications bundle adware, browser hijackers, or PUPs (Potentially Unwanted Programs) in their installers. Install them in the Sandbox first to evaluate behavior. If the software is legitimate and useful, you can then install it on your host with confidence.
5. Reproducing and Investigating Bugs
IT professionals and support engineers can use the Sandbox to reproduce issues on a clean Windows state, eliminating "works on my machine" variables. Pair it with a .wsb LogonCommand script that automatically installs relevant software for a repeatable test environment every time.
6. Secure File Opening and Document Analysis
Received a Word or Excel file from an unknown sender? Open it in the Sandbox first. Even if it contains malicious macros or exploits, they cannot escape the Hyper-V boundary and affect your host system.
Windows Sandbox Pros, Cons, and Alternatives
Advantages
- Built into Windows: no extra software or licenses required
- Starts in 2–5 seconds, far faster than any full VM
- Minimal disk footprint thanks to dynamic base image technology
- Hardware-enforced isolation via Hyper-V ensures genuine security
- Fully disposable: 100% clean state guaranteed after each close
- Configurable via simple XML (.wsb) files with no scripting expertise needed
- Matches host OS version for accurate compatibility testing
- Shared clipboard and folder mapping make it practical for daily use
Limitations
- Only available on Pro, Enterprise, and Education editions
- No persistent state: cannot save progress between sessions
- Requires hardware virtualization; incompatible with some older CPUs
- Cannot run on ARM-based systems under Windows 10 (Windows 11 on ARM is supported)
- Limited to a single Sandbox instance at a time
- No snapshot or checkpoint functionality
- GPU passthrough is virtualized, not full-performance
- Not suitable for long-running or stateful test environments
Alternatives to Windows Sandbox
| Tool | Best For | Cost | Persistent State |
|---|---|---|---|
| Windows Sandbox | Quick, disposable testing; built into Windows Pro | Free (included) | No |
| Hyper-V | Full persistent VMs; developer environments | Free (included) | Yes |
| VMware Workstation Pro | Advanced VM features; snapshots; cross-platform | Paid (free for personal use since 2024) | Yes |
| VirtualBox | Open-source VM; cross-platform; flexible | Free | Yes |
| Any.run / Joe Sandbox | Cloud-based malware analysis with full reporting | Freemium / Paid | N/A (cloud) |
Frequently Asked Questions About Windows Sandbox
Q: Can I use Windows Sandbox on Windows 10 Home or Windows 11 Home?
Q: Does Windows Sandbox affect my computer's performance while running?
Q: Is Windows Sandbox truly secure? Can malware escape from it?
Q: Why is Windows Sandbox not showing up in the Windows Features list?
Q: Can I save files from inside the Sandbox to my host computer?
Q: Can I run multiple Windows Sandbox instances simultaneously?
Q: How do I disable or uninstall Windows Sandbox after enabling it?
Run Disable-WindowsOptionalFeature -FeatureName "Containers-DisposableClientVM" -Online. Disabling it frees the approximately 100–200 MB of system disk space used by the feature components. The Hyper-V hypervisor itself remains enabled (if it was enabled before).
Summary & Key Takeaways
Windows Sandbox is one of the most underutilized security tools built into Windows 10 and 11 Pro. It gives you a hardware-isolated, fully disposable desktop environment that spins up in seconds, requires no extra licenses, and leaves your host machine completely untouched after each session. Whether you're a security researcher, developer, IT professional, or a cautious everyday user, it's an invaluable addition to your workflow.
To get started: verify your edition is Pro or higher, enable virtualization in BIOS, activate the feature via Windows Features or PowerShell, then launch it from the Start menu. For power users, .wsb configuration files unlock folder sharing, startup scripts, network isolation, and memory limits, transforming the Sandbox into a fully customizable test harness.