Windows Sandbox

If you[‘re forced to] use Windows this might be useful for compartmentalisation.

Windows Sandbox is a Windows 10 feature that enables the use of temporary Virtual Machines.

Enabling

Windows Sandbox isn’t enabled by default. To enable it follow these steps:

  1. Open “Control Panel” and click the upside down caret next to the back/forward buttons
  2. Click “All Control Panel Items”
  3. Navigate to “Programs and Features”
  4. On the left click “Turn Windows features on or off”
  5. Scroll down and tick the box next to “Windows Sandbox” if it isn’t already ticked

From the start menu search for “Windows Sandbox”. Hit enter and a fresh Sandbox window will appear.

Configuring

Once the sandbox window is closed all data is erased. Next time you open Windows Sandbox a fresh new VM is created.
This can make it annoying if you wish to sandbox a single program, but have to install it every time you start a new sandbox.

To make it easier for these cases you can pre-configure sandbox instances via .wsb files. With this file you can configure memory, networking, audio/video passthrough, among other things. See the Microsoft official documentation for Windows Sandbox configuration1. It also supports running a script at startup, and mapping network devices and local shares.

Example: Zoom

Zoom is a very popular group call/video conference software (I won’t bore you with the details I’m sure you have some idea what Zoom is by now). However, Zoom has had numerous security and privacy issues. If you’re paranoid like me you may feel uneasy just seeing it’s icon in the start menu - knowing you have it installed on the same machine along with all your other precious digital data. I digress, here is a configuration file for my Zoom sandbox:

<Configuration>
    <MappedFolders>
        <MappedFolder>
            <HostFolder>C:\Sandbox\Installers</HostFolder>
            <SandboxFolder>C:\Installers</SandboxFolder>
            <ReadOnly>true</ReadOnly>
        </MappedFolder>
    </MappedFolders>
    <AudioInput>Enable</AudioInput>
    <VideoInput>Enable</VideoInput>
    <VGpu>Enable</VGpu>
    <MemoryInMB>12288</MemoryInMB>
    <LogonCommand>
        <Command>C:\Installers\ZoomInstaller.exe</Command>
    </LogonCommand>
</Configuration>

It maps the local C:\Sandbox\Installers directory (where I store ZoomInstaller.exe) to C:\Installers in the VM itself. Enables audio (mic) and video (webcam) passthrough. I allocate 12Gb to the VM - should be more than enough on my laptop with 16Gb of RAM. It then runs the Zoom installer on startup.


  1. https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file 

Windows Sandbox