- Security threats are becoming more complex, but operating systems are fighting back to keep users secure.
- Running untrusted programs and apps in a secure environment, called a sandbox is one way to make sure your data is safe.
- Read on and find out what Windows Sandbox is, how to install on your machine and how to use it to test apps.
I’m no security expert and had my fair problems with computer viruses in the past. That was a while ago, and thankfully I’ve never lost important data to viruses, malware, or phishing. I’ve lost data to hard drives failing, overwriting important documents, and Google Drive sync issues recently, but that’s pretty much it.
I’m not what you would call very cautious when it comes to what I do and click online, but I generally know what not to do, so this is one reason I didn’t get into trouble.
If you’re not as lucky as I am I’m going to show you a way to test programs you don’t trust in a secure environment in Windows. This article is about an interesting security feature built into some Windows editions, called simply Windows Sandbox.
Let’s see what it does first.
What is Windows Sandbox?
A software sandbox is an isolated environment where you can safely run code that won’t have access to resources and data outside its container. This is a very safe way to test something without affecting the main system.
Windows Sandbox is a very lightweight desktop environment, a Windows Lite if you wish, where you can run software in isolation, or “sandboxed”.
The Windows Sandbox is temporary: you open it, do your thing, and when you close it, the sandbox resets completely. Open it again and it’s like brand new. You can’t continue where you left off. There’s simply no resume.
Apps installed on your Windows machine are not available in Windows Sandbox. If you need them you have to install them again in the sandboxed environment.
Windows Sandbox is not available in the Home Edition of Windows, but it looks like there are ways to install it there if really needed. That’s because Windows Sandbox uses the virtualization options available in the Pro and Enterprise Editions to create a completely isolated sandbox from the kernel and the physical machine hardware.
It’s a bit complicated, I know, but the TLDR is that Windows Sandbox is a lightweight, fast and secure type of isolated virtual machine for testing programs you don’t trust or apps you don’t want to have access to your local machine hardware and its stored data.
How to Install Windows Sandbox
The Windows Sandbox environment is included in Windows 10/11 Pro, but it’s not active by default. It’s an Optional feature that you must activate separately.
Don’t worry: we have a guide for adding and removing optional features in Windows. Just pick Windows Sandbox from the list.
Make sure first that your system meets the requirements below. Also, go to your BIOS/UEFI and enable virtualization. It won’t work without it. You may need to check your motherboard’s manual to figure out where the option is located and how it’s called.
Windows Sandbox Requirements
You can’t run Windows Sandbox on any machine, so a few requirements need to be met firsthand. These are:
- Windows 10 Pro, Enterprise, Education, Windows 11 Pro
- AMD64 or ARM64 compatible CPUs (this covers almost everything)
- Virtualization enabled in BIOS/UEFI
- Minimum 4 GB RAM (8 GB recommended)
- 1 GB free storage space
- Minimum 2 CPU cores (4 cores with hyperthreading recommended)
A reboot will be required for the installation to complete, so save your work and go ahead.
How to Test Untrusted Apps in Windows Sandbox
After completing installation you can search for the Windows Sandbox app in the Start menu.
Launch it and you will be greeted in a few seconds with something that looks exactly like Windows.
You will need to copy the app installer you intend to install from your local machine into the sandbox. Just Copy and Paste from Windows Explorer into the Windows Explorer instance you will open inside the sandbox. Then double click to install. You know the drill.
You could also use the Microsoft Edge browser inside the sandbox to download the app if it’s hosted somewhere on the Internet because Windows Sandbox has access to the Internet automatically through your local connection.
The sandboxed environment works just like the Windows you know and
hate love. It’s also pretty fast for a VM. I was really surprised by how snappy and responsive it felt.
Make no mistake, it’s a very lightweight version of Windows, just for testing purposes. So don’t expect every option to be available. This is what the Start menu looks like.
Right now Windows Sandbox is not even able to reboot. So, if you’re installing an app that requires a system restart, you’re out of luck. Microsoft is working to bring this option starting with build 22509, but for now, it isn’t supported.
If you’re reading this article in the future here’s how to check your current Windows build number.
When you’re done testing, you can either shut down from the Start menu or close the Windows Sandbox application window. Either way, you’ll get a warning that everything will reset.
Virtual Machines as Alternatives
Maybe you’re asking why not use a virtual machine instead. You could, that’s right, but for something quick and dirty I think Windows Sandbox is a much better alternative.
Virtual Machine will take a bit more time to set up, but they come with extra features and full Windows functionality. If you’re planning to resume work then VMs are definitely the way to go.
For quick testing, I think Windows Sandbox is a convenient alternative.
More on securing Windows:
I’ve tried something cool (I think): running Windows Sandbox into a virtual machine. For double safety, you know.
Microsoft says it’s possible, with a few tweaks, but I was not able to make it work. Maybe you’ll be luckier and let me know how you did it.
Before we end I think I need to mention that your private data, things like your credit card number and other sensitive personal info is not secure in an isolated sandbox if you’re willing to give it away to a shady website for example.
Providing that info into a website inside a sandbox is no different than doing it in your regular browser. I think it’s common sense, but also worth pointing out.