Stop opening new files or installing apps on your Windows PC without trying them out in Windows Sandbox first. This built-in mini-Windows is totally isolated from your main installation, so if you aren’t already using it for testing, you should start today.

What is Windows Sandbox?

TheWindows Sandboxis a feature that provides users with a completely isolated Windows environment to test in. It’s been available since Windows 10 19H1 to users with a Windows 10 or 11 Pro, Enterprise, or Education license. Unfortunately, Windows 10 and 11 Home users can’t use the feature.

It looks a lot like a virtual machine, but it’s a little bit different. For starters, this isn’t your typical VM. It’s self-destructing, meaning that when you exit the sandbox, it completely resets. Any files you’ve opened, any changes you’ve made, and any apps you’ve installed are removed, making it the perfect test environment.

An open Windows Sandbox window on Windows 11, showing a warning prompt about the erasure of data when the sandbox is closed.

If you’re runningWindows 11 22H2(or later) you can restart from within the environment without it self-destructing. This is a feature Microsoft added to allow you to use apps in the sandbox that require a restart to complete their installation. The environment is still temporary and, should you exit the sandbox app, it’ll reset to the default configuration.

It’s isolated from your main system, so even if you end up with a malware infection in the sandbox, it won’t impact your main Windows installation. By default, access to the internet is enabled via your network adapter, but this can be stopped by using a sandbox configuration file.

Opening the Optional Features settings menu in Windows 11 via the Run dialog box

What Should You Use the Windows Sandbox For?

Windows Sandbox isn’t a feature that Microsoft really pushes on users, but as far as I’m concerned, it’s an essential weapon in the security and privacy toolkit.

Let’s look at the basics. First, most users will receive a malware infection because of something that they themselves do. They might open up a virus disguised in a suspicious PDF file, or install a cracked version of an app that’s riddled with malware.

To enable Windows Sandbox, select the Windows Sandbox checkbox in the Optional Features menu before pressing OK.

You might be lucky. You might find that those infections are picked up by Microsoft Defender (or your own third-party antivirus). In sandbox mode, however, it doesn’t matter. The infection can’t damage anything. If you see a problem, you can just close the sandbox app. The infection is wiped without impacting anything in your main Windows installation.

I use the sandbox mode for any new app I install where I might question its origins or safety. I’ve also used it in the past to open up file attachments, especially with more troublesome file extensions.

Opening Windows Sandbox via the Windows 11 start menu.

You’ll Need the Right System (And Windows License)

While Windows Sandbox is intended to be a more lightweight version of Windows, it’ll still have an impact on your system performance, which means you’ll need a good enough PC to use it. Microsoft’s minimum requirements for a PC capable of running Windows Sandbox include:

There’s also the licensing to consider. As I mentioned, you can’t use the sandbox mode in Windows 10 or Windows 11 Home. You’ll need to upgrade your license to either Pro, Enterprise, or Education editions of Windows 10 or 11, or consider a more traditional virtual machine environment as an alternative instead.

An open Windows Sandbox window on a Windows 11 PC

How to Enable the Sandbox on Your Windows PC

If you haven’t used the sandbox before, you’ll need to set up a few things first. To start with, ensure that you’veenabled virtualization for your CPUin your BIOS or UEFI menu.

You’ll also need to install the files required for Windows Sandbox in theOptional Features menu on Windows 11oron Windows 10. To do this quickly, press theWindows+R, type “optionalfeatures”, and press “OK”.

A custom configuration file for a Windows Sandbox environment in a Notepad window

In the window that opens, verify to select “Windows Sandbox” before pressing “OK"to begin the installation.

After the installation (and a quick restart), you may find “Windows Sandbox” in the Start menu, either manually or via a search.

Opening Windows Sandbox via a custom configuration using a .wsb configuration file in File Explorer

Once it opens, a replica of a clean Windows 10 or Windows 11 installation (depending on your own version of Windows) will appear for you to use.

Windows Sandbox Is Good Protection, But Remain Vigilant

The weak link in the chain is always going to beyou(or whoever uses your PC). Windows Sandbox isn’t foolproof, and there are some attacks that the sandbox can’t protect you from if you don’t remain vigilant at first.

A good example is session hijacking. A rather famous incident in recent years was theattack on the Linus Tech Tips’ YouTube channel. An employee downloaded and opened a rogue PDF file, which contained rogue code. The code captured the session cookie for the channel from a web browser, allowing the attacker full access to the channel’s account as if they’d signed in themselves. No password required.

Mayhem ensued, but it didn’t have to be that way. For example, if that employee had opened the file in a fresh sandbox environment, then the attack would have failed. However, if the employee was signed into the account in a web browser within the sandbox, the attack wouldstillsucceed.

The moral of the story? Use the sandbox as a sandbox for one thing at a time. If you want to test a file, you should only open that file. If you want to try out an app, only try that app, and don’t risk any of your personal information doing so.

Should you need to test both, just close the app, restart the sandbox, and try it in a fresh environment.

For Extra Sandbox Security, Block Network Access

There’s a way to beef up security in Sandbox to make it even more secure and prevent attacks (like the session hijacking I described above) from succeeding. If you block network access in Windows Sandbox, your sandbox can’t interact with any other device, whether it’s another local PC or a server hosted on the internet.

To do this, open Notepad and type in the following text:

Save the file with any file name you want using the “.wsb” file extension (e.g.nonetwork.wsb).

When you want to run your sandbox without network access, just double-click the file. It’ll run with that configuration, with access to your PC’s network adapter blocked entirely.

There are someother Windows Sandbox configuration settingsyou can add, too, including the ability to map a folder share or disable the virtual GPU. I usually run the sandbox with both the vGPU and networking disabled, just to make the sandbox more secure.

Can’t Use Windows Sandbox? Create a Custom Virtual Machine Instead

If you’re a Windows 10 or 11 Home user, you can’t use the sandbox, but you can use a virtual machine. It won’t be self-destructing, but the same principles can still apply. There’s no reason why you can’t keep a backup of a fresh virtual machine to revert to and give yourself a sandbox-style environment.

If you decide torun Windows 11 in a virtual machine, however, then the process is going to include setting up Windows in that environment. It won’t be as quick or seamless, and you may find that the impact on your system resources is greater.

I think Windows Sandbox is one of the best features in modern Windows, but it’s completely undersold and definitely underutilized. If you ever need to try out a risky app or file, don’t put your main system at risk. Just open up Windows Sandbox instead.