Microsoft announces Windows Sandbox, a virtualized safe space for testing untrusted apps

Windows Sandbox isn't public, but it should be arriving soon for Windows Insiders.
  • Mark Hachman (PC World (US online))
  • 19 December, 2018 23:00

Windows Sandbox is here to protect your PC. A simple, virtualized Windows within Windows, it’s a place where an app can be safely run if you’re worried it might be malware. 

Microsoft announced Windows Sandbox Tuesday evening in a blog post, unearthed by ZDNet. Microsoft pre-announced that Windows Sandbox would first be tested within a future Windows 10 Insider build, beginning with build 18305 or newer. (At press time, Windows Insider build 18298 was the latest public release.) You’ll need a 64-bit processor with virtualization enabled in the BIOS and within Windows, and either Windows 10 Server or Windows 10 Pro. Windows 10 Home users won’t be able to use Windows Sandbox.

Sandbox is a “isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC,” Hari Pulapaka, the group kernel manager for the Windows kernel, desribed. “Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all its files and state are permanently deleted.”

Windows 10 Pro and Server can already create a virtual machine on your PC, which creates an copy of Windows that’s isolated from the host. Each time Windows Sandbox runs, Pulapaka said, it creates a “pristine” copy of Windows for testing. Unless the malware can somehow break out of that virtualized environment, Windows 10 Hyper-V (and Sandbox) should be able to create secure environments for testing. 

optional windows features dlg Microsoft

You’ll need to enable Sandbox first, before you begin using it.

Like Hyper-V, Windows Sandbox will not automatically be enabled. You’ll need to type “Windows Features” in the Search box and check the Sandbox box. Your PC will probably restart. Testing an app will then be as easy as running Sandbox and copying the app into the virtual environment.

Pulapaka noted that an app running in Sandbox will run in a somewhat lower-performance mode, because it’s using only part of the resources of your PC. (You’ll need at least 4GB of RAM, with 8GB recommended, 1GB of disk space, and at least 2 free CPU cores.) Microsoft engineered some tricks to reduce the VM’s size: It’s just 100 MB when actually running. And although the initial boot time will take some time, Microsoft will freeze the state of the VM, post-boot, and refer to it when opening future instances of Sandbox—reducing that boot time significantly. Sandbox will also be able to virtualize some of the PC’s graphics resources.

“The whole goal here is to treat the Sandbox like an app but with the security guarantees of a Virtual Machine,” Pulapaka wrote.

What this means to you: Virtualization is a key component of helping secure apps and websites that you may not trust: Windows Device Application Guard, for example, is a little-known secure browser within your PC for browsing untrusted sites. You may never need to use Windows Sandbox, but the idea is that it’s a safety net, and a tool to use if you’re just not that sure about whether an app is truly safe.