What to know about Microsoft's new Windows Sandbox mode

Windows Sandbox is Microsoft's integrated Windows 10 sandbox environment to test applications and files in isolation. Learn about the new program and its features.

Microsoft's Windows Sandbox offers IT professionals a compact and isolated testing environment to run applications in Windows 10.

The feature is currently only available for Windows Insider customers, with general availability coming later this year. Windows Sandbox mode works much like a traditional virtual machine, but without the complex deployments, licensing overhead or additional hardware requirements.

The technologies in Windows Sandbox mode are based on Windows Containers, a portable runtime environment for implementing containerized workloads. Microsoft modified these technologies to better integrate and run more efficiently on Windows 10 desktops without any additional components.

How Windows Sandbox works

Windows Sandbox isolates application installations within the sandbox environment from the host desktop. When the session ends, Windows Sandbox deletes the application along with any changes made in the host OS and returns the environment back to its original state.

In Windows Sandbox mode, IT can test applications that pose security risks or run an executable file that might contain malware without risking the host system. Developers can use Windows Sandbox mode to test a new application in a clean environment.

Like any VM, Windows Sandbox mode requires its own OS to run applications and manage the sandbox environment. Microsoft does this by generating a dynamic base image built from clean copies of host OS files. The dynamic base image uses links to the host OS files, which are immutable. As a result, the OS can compress down to 25 MB when not in use, while consuming no more than 100 MB.

Windows Sandbox uses snapshots to streamline the boot process. Snapshots make it possible to boot the sandbox environment once and save the processor, memory and device state to disk. That way, the sandbox environment restores memory without having to go through the entire boot process.

Windows Sandbox incorporates advanced, kernel-based memory management capabilities that allow the host system to reclaim memory from Windows Sandbox if needed. In addition, Windows Sandbox uses a "direct map," which enables the sandbox to use the same physical memory pages as the host OS.

Microsoft implements a new technology called integrated scheduler that allows the host system to determine when the sandbox should run. The host OS treats the sandbox's virtual processors just like process threads, managing Windows Sandbox as a process rather than a traditional VM. This way, the base OS prioritizes host operations over those running in the sandbox.

Graphics in Windows Sandbox mode benefit from hardware-accelerated rendering, which can improve application performance and responsiveness. Additionally, Windows is able to dynamically allocate graphic resources where they're needed across the host and sandbox environments.

Get started with Windows Sandbox

Windows Sandbox is included as a feature in Windows 10 Professional and Enterprise, starting with Insider Build 18305. Users don't need to download a virtual desktop image or install a special OS. Windows Sandbox mode includes everything users need to run their applications.

To run Windows Sandbox mode, admins must enable virtualization within the host machine's basic input/output system. If Windows 10 is running in a VM, administrators must enable nested virtualization. Next, administrators must turn on the Windows Sandbox feature in the Windows Features settings.

Users can then launch Windows Sandbox from the Start menu just like any application. The first time they do, they must accept the User Account Control prompt to permit the program to make changes to the device. After that, the sandbox environment is ready to go.

To run an application, a user only needs to copy and paste an executable file from the main desktop to the sandbox window. From there, the user can work with the application just like one on the host system. The user can also access files on the main desktop from within the sandbox.
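The enablement steps above can also be scripted. The following PowerShell is an added example, not code from the article or from Microsoft's documentation; it assumes an elevated prompt and that the optional feature is registered under the name `Containers-DisposableClientVM`.

```powershell
#Requires -RunAsAdministrator
# Added example: prerequisite check and feature enablement for Windows Sandbox.
$featureName = 'Containers-DisposableClientVM'   # optional-feature name of Windows Sandbox
$minBuild    = 18305                             # first build with the feature, per the article

$info = Get-ComputerInfo -Property OsBuildNumber, HyperVisorPresent,
                                   HyperVRequirementVirtualizationFirmwareEnabled

if ([int]$info.OsBuildNumber -lt $minBuild) {
    throw "Build $($info.OsBuildNumber) is older than $minBuild; Windows Sandbox is not available."
}

# When a hypervisor is already running, the HyperVRequirement* fields come back empty,
# so a running hypervisor is treated as proof that virtualization is enabled.
$virtReady = $info.HyperVisorPresent -or $info.HyperVRequirementVirtualizationFirmwareEnabled
if (-not $virtReady) {
    # On a Hyper-V guest, nested virtualization is exposed from the Hyper-V host while
    # the VM is off:  Set-VMProcessor -VMName <VMName> -ExposeVirtualizationExtensions $true
    throw 'Virtualization is disabled. Enable it in firmware, or enable nested virtualization for this VM.'
}

$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName -ErrorAction SilentlyContinue
if (-not $feature) {
    throw "Feature '$featureName' is not offered by this edition of Windows."
}

if ($feature.State -eq 'Enabled') {
    Write-Output 'Windows Sandbox is already enabled.'
} else {
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $featureName -All -NoRestart
    if ($result.RestartNeeded) {
        Write-Output 'Windows Sandbox enabled. Restart the machine to finish installation.'
    } else {
        Write-Output 'Windows Sandbox enabled.'
    }
}
```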

The future of Windows Sandbox

Microsoft continues to improve Windows Sandbox with each Insiders Build. For example, Windows Sandbox now supports configuration files, making it possible to automatically launch an application or script within the environment. Windows Sandbox also monitors the host's battery status to optimize battery consumption on laptops.
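A configuration file is the natural place to tighten the sandbox before opening a file of unknown origin. The PowerShell below is an added example, not from the article: it writes a `.wsb` file that disables networking and the virtual GPU, maps one host folder read-only, and opens that folder at logon. The host folder `C:\SandboxInbox` and the file name `untrusted-test.wsb` are hypothetical.

```powershell
# Added example: build a locked-down .wsb file and open it in Windows Sandbox.
$hostFolder = 'C:\SandboxInbox'                          # hypothetical folder holding the file under test
$wsbPath    = Join-Path $env:TEMP 'untrusted-test.wsb'   # hypothetical configuration file name

if (-not (Test-Path -LiteralPath $hostFolder -PathType Container)) {
    throw "Host folder '$hostFolder' does not exist; create it and copy the sample in first."
}

# A mapped folder appears on the sandbox user's desktop under its own folder name.
$sandboxFolder = 'C:\Users\WDAGUtilityAccount\Desktop\' + (Split-Path $hostFolder -Leaf)

# Networking off: the sample cannot reach the network from inside the sandbox.
# ReadOnly true:  the sandbox cannot write back into the host folder.
$config = @"
<Configuration>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$hostFolder</HostFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>explorer.exe $sandboxFolder</Command>
  </LogonCommand>
</Configuration>
"@

# Fail early if the generated XML is not well-formed (for example, an '&' in the path).
[void][xml]$config

Set-Content -LiteralPath $wsbPath -Value $config -Encoding UTF8
Invoke-Item -LiteralPath $wsbPath    # opens the file with Windows Sandbox via its file association
```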

Despite its capabilities, it's unclear how widely organizations will adopt Windows Sandbox once it's generally available. Adoption will depend on the types of administrative controls available over the program.

Windows Sandbox's integration directly into Windows 10 and overall simplicity could make it a worthwhile tool, especially for more tech-savvy users and application developers.
