Windows Sandbox – How to configure

Windows Sandbox is an isolated, temporary, desktop environment where you can run untrusted software without the fear of lasting impact to your PC (Wikipedia). When Sandbox is closed, all software, user data and settings are lost. The next time Sandbox is run, it starts from scratch, just like after a new, fresh and clean install of Windows 10. Windows Sandbox is not activated, nor does it inherit the host computer’s license and activation status.

If you are like me you like to use a dark theme, and install your favorite browser and maybe other software in the Sandbox every time it starts, in addition to sharing some host folders. If so, you can create a configuration file and a startup script to do those things automatically. Naturally, using personalized settings increases the time required for Sandbox to start. On my laptop, Sandbox takes almost 20 seconds to start and be ready, whereas it needs almost a minute when I run it with my standard configuration set-up script.

You can have multiple different config file / startup script pairs for different purposes. Running Sandbox from the Start Menu runs it with defaults, running it from any configuration file applies your custom settings.

Here’s my standard configuration file. It must be saved using the extension .wsb (Windows SandBox):


I save the file as SBConfig.wbs in the %userprofile%\OneDrive\Sandbox folder.

The vGPU (virtualized GPU) tags can take either the Enable or Disable values. Personally, I see no reason to use Sandbox without vGPU, so it’s enabled. vGPU tags can also be removed from the config file, in which case the vGPU is enabled by default.

Networking tags are self-explanatory: they can take the values Default (networking and Internet enabled), or Disable. When removed from the config file, the default is value is Default.

In the MappedFolders tags, insert any host folders you want to share, each share in its own MappedFolder tags. Inside the ReadOnly tags you must tell Sandbox if you want to grant it read / write rights to that folder (value False), or Read Only rights (True).

Finally, in LogonCommand tags, insert each command you want to run on Sandbox when it starts. Each command resides within its own Command tags. In this sample config file, I run the script, a batch file to install software and customize Sandbox. In this case, I have first shared the host folder Sandbox, which is added to the default Sandbox user WDAGUtilityAccount‘s desktop. My script to personalize Sandbox SBConfig.bat will then be run from there.

OK, here’s a simple SBConfig.bat I use quite often. Save it to the same folder as the config file, and remember that this host folder must be shared with Windows Sandbox:

REM Apply a custom theme
REM As Windows Sandbox is not activated, this is the only way to personalize it

REM Install new Microsoft Edge
start /wait C:\Users\WDAGUtilityAccount\Desktop\Sandbox\MicrosoftEdgeEnterpriseX64.msi /quiet /norestart

REM Switch to Dark Mode
reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Themes\Personalize /v AppsUseLightTheme /t REG_DWORD /d 00000000 /f

REM Close Settings app left open when theme was applied
start /wait taskkill /F /IM SystemSettings.exe

It applies a custom theme, installs the new Microsoft Edge browser (my favorite) silently, edits the registry to apply the Windows Dark Mode (I like it!), and finally closes the Settings app. Closing Settings is left last for two reasons: first, when a theme is applied, Settings will be opened. I’ve not found a way to prevent it. On slower systems, the Settings app might open too slowly, so the taskkill command to close it has already run, and Settings will remain open. Cosmetics, I know, but I want to see my desktop with nothing open. Second, because the silent installers show no progress bar or similar output, it’s practical to close Settings to mark the moment when the Sandbox is ready to use.

I like the new Edge. Its offline installer can be found here: Download Microsoft Edge. If you want to use another browser, you need to get its offline installer. Silent install commands for some other browsers:

- Chrome: start /wait C:\Users\WDAGUtilityAccount\Desktop\Sandbox\ChromeStandaloneSetup64.exe /silent /install

- Firefox: start /wait C:\Users\WDAGUtilityAccount\Desktop\Sandbox\FirefoxSetup.exe -ms

- Opera: start /wait C:\Users\WDAGUtilityAccount\Desktop\Sandbox\Opera_VersionNumber_Setup.exe /silent /allusers=yes /launchopera=no /setdefaultbrowser=no

The preceding command samples assume that you have shared a host folder named Sandbox. Replace it if needed. Any software with a silent install option can be installed the same way.

Here’s my Sandbox folder on the host:

Click screenshots to open enlarged in a new tab.

It contains offline installers for Chrome, Edge and Firefox, my custom theme, and a few config files and scripts. Running any config (,wsb) file, Windows Sandbox starts with its respective settings and script (batch file).

The same folder is shown as a desktop folder on the default Windows Sandbox user’s (WDAGUtilityAccount) desktop:

That’s it. You know now how to customize your Windows Sandbox to cater to your needs.

Read more about Windows Sandbox on Microsoft Docs. Enjoy!


Author: Kari Finn

A former Windows Insider MVP, Kari started in computing in the mid 80’s writing code for VAX / VMS systems. Since then, he’s worked in a variety of IT positions. He specializes in Windows image capture, customization, repair and deployment as well as Hyper-V virtualization. Kari is a proud Team Member at number #1 Windows site