Windows Sandbox lets you run untrusted software without compromising your PC

Microsoft has added a way for Windows 10 users to easily check unknown apps without compromising their PCs in the process. Called Windows Sandbox (via The Verge), the feature is described as a "lightweight virtual machine" for Windows 10 Pro and Enterprise and is built using the same tech that powers Windows Containers, but without requiring the use of Windows Server.

From Microsoft:

How many times have you downloaded an executable file, but were afraid to run it? Have you ever been in a situation which required a clean installation of Windows, but didn't want to set up a virtual machine? At Microsoft we regularly encounter these situations, so we developed Windows Sandbox: an isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC. Any software installed in Windows Sandbox stays only in the sandbox and cannot affect your host. Once Windows Sandbox is closed, all the software with all its files and state are permanently deleted.

Windows Sandbox is built directly into Windows 10 Pro and Enterprise build 18305 or later, and it requires at least 4GB of RAM and 1GB of disk space to get started. Once a sandbox instance is created, it acts as a clean installation of Windows that only takes up around 100MB of hard drive space. Simply create an instance, run whatever software you want to test, and close out of the sandbox when you're done.

Building a sandbox feature directly into Windows will surely be a boon for business and enterprise users who need to keep PCs running in top shape at all times. Microsoft's hope is this will be an effective replacement for the process of setting up a virtual machine every time you need to test a new executable file without the potential for harming your full Windows installation.

Dan Thorp-Lancaster

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl

20 Comments
  • So will insiders see build 18305 before Christmas or is MS on holiday until the new year?
  • Likely. Looking at the screenshot shows build 18301.
  • That is absolutely fantastic
  • I am wondering if we can just use software all the time in the sandbox by starting it and stopping the sandbox. Or would we have to reinstall the application each time we shut down the sandbox or our machine.
  • You'll probably specify on the desktop icon properties.
    Like you can specify - run as an administrator.
    It's the return of safe mode and enhanced mode.
  • 18305 is currently downloading on Fast ring!
  • How about a right-click, "Run in sandbox" option for exe's?
  • This would be a great idea, problem is only technical people would think to use it.
  • Personally I wish that all internet activity were sandboxed with a restricted shared folder to move files back and forth between the sandbox firewall and your local un-networked airgap work environment.
  • I hate connecting my pc to the internet... too many hungry cloud apps ready to suck your data to places you don’t want.
  • What apps are you running and why not remove them?
  • Great, another way for corporate users to build unmanaged systems outside the control of IT in the Enterprise, then demand support for the Sandboxed app they have been running their department on for the last six months that just crashed (or got infected with a virus because they turned off or never installed any AV software on it, usually at the 3rd or 4th party software vendor's recommendation.)
    This is why we have disabled Virtual Machines for all but users who use our runbooks to build them.
  • You do realise you can turn this off using group policy for example?
  • "Building a sandbox feature directly into Windows will surely be a boon for business and enterprise users who need to keep PCs running in top shape at all times. Microsoft's hope is this will be an effective replacement for the process of setting up a virtual machine every time you need to test a new executable file without the potential for harming your full Windows installation." Awesome. Now, can they create something similar so we IT folks can test their forced updates that are constantly grenading our environments?
  • Great step in the right direction.
  • I like the idea, and I currently use a virtual machine to run untrusted exe. Some comments: 1) hope it starts fast, i.e., don't need to take minutes to initialize (create a whole new VM each time). 2) hope user can optionally keep current sandbox (continue using it next time), or throw away after close. 3) hope it could also somehow be available to home version, but as it's based on Hyper-V, I know it's not likely.
  • Looks like Microsoft is finally getting it. These are the features I like to see.
  • I have used Sandboxie for lots of years, great to see MS finally decided to build such a feature in the OS.
  • Irritates me that Hyper V and Sandbox is for Pro only. Wish there was just ONE sku for Windows... just called... Windows... not Windows 10... Windows Vista... windows XP... just... Windows. It's supposed to be for "productive" ppl right? So why not just one SKU for enterprise and "prosumers"?
  • But wait, don't we have the windows store, UWP and project centennial for using or testing unsafe software? I guess in a way the sandbox is a more flexible option for legacy apps than developers having to code for the UWP container. They would be missing out on windows integration though such as notification support and other native windows 10 goodies. Or are those plugins also supported natively in the sandbox? Or would that not be possible as the app is in a container within a container? Confused!? It would be interesting and awesome if the Sandbox had native VPN type features without sacrificing speed and performance within the Sandbox.