Use Windows Sandbox and containers to test untrusted apps safely

In the realm of digital security, the presence of untrusted applications can be a significant disruption to your workflow. The age-old adage, one rotten tomato ruins the bunch, rings particularly true in this context. Fortunately, Windows 11 comes equipped with a suite of security features tailored to combat this issue. Among these is the innovative Smart App Control, designed to block untrusted or potentially harmful applications from executing on your device.

Today, we delve into another remarkable feature: Windows Sandbox. Microsoft describes it as “a lightweight virtual machine,” providing users with an isolated desktop environment for the safe execution of applications. This tool is particularly useful for testing, debugging, and interacting with unknown files, as well as experimenting with various tools.

Windows Sandbox employs cutting-edge container technology to deliver a unique blend of security, density, and performance—an achievement that traditional virtual machines often struggle to match. By running applications within the confines of Windows Sandbox, users can significantly mitigate the risks associated with untrusted software. This is made possible through hypervisor-based virtualization, which effectively isolates any harmful software from the host machine.

With Windows Sandbox, users can download executable files without the looming concern of compromising their device’s security. It also serves as a convenient option for performing clean installations of Windows, eliminating the need for a separate virtual machine setup.

How does Windows Sandbox work?

Consider Windows Sandbox as a temporary, isolated desktop environment where you can run untrusted software without concern for its effects on your Windows 11 PC. Each time you close Windows Sandbox, all installed software and files are deleted, ensuring a fresh start for every session. Notably, applications installed on the host system will not be accessible within the Sandbox, safeguarding your sensitive data. Users must explicitly install any applications they wish to utilize in this environment.

However, it’s important to note that “starting with Windows 11, version 22H2, data persists through restarts initiated within the sandbox, useful for applications requiring a reboot,” according to Microsoft. The platform includes several key features:

• Part of Windows: All necessary components are included in supported Windows editions such as Pro, Enterprise, and Education, eliminating the need for a separate VM installation.
• Disposable: No data persists on the device; everything is discarded upon closing the application.
• Pristine: Each launch of Windows Sandbox is as clean as a new installation of Windows.
• Secure: Utilizes hardware-based virtualization for kernel isolation, relying on the Microsoft hypervisor to run a separate kernel that keeps Windows Sandbox distinct from the host.
• Efficient: Launches in seconds, supports virtual GPU, and employs smart memory management to optimize resource usage.

How to get started with Windows Sandbox in Windows 11

For those eager to explore Windows Sandbox, setting it up is a straightforward process. Here’s a quick guide to get you started:

1. Open Start.
2. Search for Windows Sandbox, right-click the top result, and select Run as administrator.
3. Open File Explorer on your computer.
4. Navigate to the folder containing the untrusted app you wish to test.
5. Select the executable and click the Copy button from the command bar.
6. Right-click on the desktop and select the Paste option to transfer the installer to the Windows Sandbox desktop.
7. Double-click the installer (.exe, .msi, or other formats) to begin the installation.
8. Follow the on-screen instructions to complete the installation.

Windows Sandbox offers a secure environment for running untrusted software, launching in mere seconds while optimizing its power consumption based on the host’s battery state.