Personally, I use Windows Sandbox a lot for testing Endpoint Manager packages or software. Sometimes you want to start it with certain options (connect a folder on your hard drive, or start without a network connection), and for that you have to create a custom configuration file (.wsb) with those options. This blog post shows you how to start Windows Sandbox from PowerShell with parameters, without needing to create multiple configuration files.
- What is Windows Sandbox?
- How do you install Windows Sandbox?
- How the script works
- The parameters that you can use
- vGPUdisable
- AudioInputDisable
- ClipboardRedirectionDisable
- LogonCommand
- MappedFolder
- MappedFolderWriteAccess
- MemoryInMB
- NetworkingDisable
- PrinterRedirectionEnable
- ProtectedClientEnable
- VideoInputEnable
- Using the Start-Sandbox function
- The script
- Adding the Start-Sandbox function to the PowerShell profile
What is Windows Sandbox?
“Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains “sandboxed” and runs separately from the host machine. A sandbox is temporary. When it’s closed, all the software and files and the state are deleted”
How do you install Windows Sandbox?
You can install it by adding it as a Windows Feature using Add/Remove programs or by running:
Enable-WindowsOptionalFeature -Online -FeatureName:Containers-DisposableClientVM -NoRestart:$True
How the script works
I used all the options specified on https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file to create a Start-Sandbox function, which creates a .wsb file (basically an XML file). It creates a very basic one if you don’t specify any parameters, and it adds more lines to the .wsb file as you specify more parameters. After creating the .wsb file, the script starts Windows Sandbox with it and then deletes the configuration file from your temp directory.
The parameters that you can use
Below are all the parameters that you can use in the Start-Sandbox Function:
vGPUdisable
Use this to disable vGPU sharing which will make the Windows Sandbox use software rendering.
AudioInputDisable
Use this to disable the microphone access in Windows Sandbox.
ClipboardRedirectionDisable
Use this to completely disable the copy/paste function between your computer and Windows Sandbox (both incoming and outgoing).
LogonCommand
Specify the path to the executable or script that should be started when the Windows Sandbox is running.
MappedFolder
Use this to specify a local folder that you want to see in your Windows Sandbox session, for example, c:\temp.
MappedFolderWriteAccess
Use this to switch from Read-Only mode to Read-Write mode for the MappedFolder that you specified.
MemoryInMB
Use this to specify the amount of RAM in MB that Windows Sandbox should use. If you specify something below 2 GB, it will show a warning telling you that Windows Sandbox could allocate more memory if needed.
NetworkingDisable
Use this to disable networking in Windows Sandbox. This could be a good thing when testing software that you’re not completely sure about 😉
PrinterRedirectionEnable
Use this to connect your local printers in Windows Sandbox.
ProtectedClientEnable
Use this so that Windows Sandbox will run with extra security mitigations enabled.
VideoInputEnable
Use this to enable video input in Windows Sandbox.
Using the Start-Sandbox function
In the example below I use the following command line to start a Windows Sandbox with 8 GB of RAM, printers connected, the d:\temp directory connected in Read-Write mode, and an automatically started Windows PowerShell ISE session.
Start-Sandbox -MappedFolder d:\temp -MappedFolderWriteAccess -PrinterRedirectionEnable -MemoryInMB 8192 -LogonCommand C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe

The script
Below is the script for the Start-Sandbox function:
```powershell
#https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file
function Start-Sandbox {
    param(
        [parameter(Mandatory = $false)][string]$MappedFolder,
        #Typed as [int] so the 2048 comparison below is numeric instead of a string comparison
        [parameter(Mandatory = $false)][int]$MemoryInMB,
        [parameter(Mandatory = $false)][string]$LogonCommand,
        [switch]$vGPUdisable,
        [switch]$AudioInputDisable,
        [switch]$ClipboardRedirectionDisable,
        [switch]$MappedFolderWriteAccess,
        [switch]$NetworkingDisable,
        [switch]$PrinterRedirectionEnable,
        [switch]$ProtectedClientEnable,
        [switch]$VideoInputEnable
    )

    #Validate if $mappedfolder exists
    if ($MappedFolder) {
        if (Test-Path $MappedFolder -ErrorAction SilentlyContinue) {
            Write-Host ("Specified {0} path exists, continuing..." -f $MappedFolder) -ForegroundColor Green
        }
        else {
            Write-Host ("Specified {0} path doesn't exist, exiting..." -f $MappedFolder) -ForegroundColor Red
            return
        }
    }

    #Set Read-Only or Read-Write (the value goes into <ReadOnly>, so write access means 'false')
    if ($MappedFolderWriteAccess) {
        $ReadOnly = 'false'
    }
    else {
        $ReadOnly = 'true'
    }

    #Create .wsb config file
    $wsb = @()
    $wsblocation = "$($env:Temp)\sandbox.wsb"
    $wsb += "<Configuration>"
    if ($vGPUdisable) {
        $wsb += "<VGpu>Disable</VGpu>"
    }
    if ($AudioInputDisable) {
        $wsb += "<AudioInput>Disable</AudioInput>"
    }
    if ($ClipboardRedirectionDisable) {
        $wsb += "<ClipboardRedirection>Disable</ClipboardRedirection>"
    }
    if ($MappedFolder) {
        $wsb += "<MappedFolders>"
        $wsb += "<MappedFolder>"
        #XML-escape the path so characters such as & don't break the .wsb file
        $wsb += "<HostFolder>$([System.Security.SecurityElement]::Escape($MappedFolder))</HostFolder>"
        $wsb += "<ReadOnly>$($ReadOnly)</ReadOnly>"
        $wsb += "</MappedFolder>"
        $wsb += "</MappedFolders>"
    }
    #Only write <MemoryInMB> when a value was actually specified
    if ($MemoryInMB -gt 0) {
        $wsb += "<MemoryInMB>$($MemoryInMB)</MemoryInMB>"
        if ($MemoryInMB -le 2048) {
            Write-Host "$($MemoryInMB) MB specified, Windows Sandbox will automatically allocate more if needed..." -ForegroundColor Yellow
        }
    }
    if ($NetworkingDisable) {
        $wsb += "<Networking>Disable</Networking>"
    }
    if ($LogonCommand) {
        $wsb += "<LogonCommand>"
        #XML-escape the command for the same reason as the mapped folder path
        $wsb += "<Command>$([System.Security.SecurityElement]::Escape($LogonCommand))</Command>"
        $wsb += "</LogonCommand>"
    }
    if ($PrinterRedirectionEnable) {
        $wsb += "<PrinterRedirection>Enable</PrinterRedirection>"
    }
    if ($ProtectedClientEnable) {
        $wsb += "<ProtectedClient>Enable</ProtectedClient>"
    }
    if ($VideoInputEnable) {
        $wsb += "<VideoInput>Enable</VideoInput>"
    }
    $wsb += "</Configuration>"

    #Create sandbox .wsb file in $env:Temp and start Windows Sandbox using it
    $wsb | Out-File $wsblocation -Force:$true
    Write-Host ("Starting Sandbox...") -ForegroundColor Green
    Invoke-Item $wsblocation

    #Wait for Windows Sandbox to start and delete the sandbox config file
    Start-Sleep -Seconds 5
    Remove-Item -Force:$true -Confirm:$false -Path $wsblocation
    Write-Host ("Done!") -ForegroundColor Green
}
```
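Because a .wsb file is plain XML, you can parse it to review what a configuration leaves open between the host and the sandbox before launching it. The following is an added example, not part of the original script: Get-SandboxExposure is a hypothetical helper, the sample configuration is constructed to resemble the d:\temp example command shown earlier, and the on/off defaults are assumed from the Disable/Enable switch names listed above.

```powershell
# Added example, not part of the original script. Get-SandboxExposure is a
# hypothetical helper; defaults are assumed from the switch names on this page.
function Get-SandboxExposure {
    param([Parameter(Mandatory = $true)][string]$WsbXml)

    $root = ([xml]$WsbXml).DocumentElement
    $onByDefault  = 'Networking', 'ClipboardRedirection', 'AudioInput', 'VGpu'
    $offByDefault = 'PrinterRedirection', 'VideoInput'

    foreach ($name in $onByDefault + $offByDefault + 'ProtectedClient') {
        $node  = $root.SelectSingleNode($name)
        $value = if ($null -ne $node) { $node.InnerText.Trim() } else { '(not set)' }
        $exposed = switch ($name) {
            { $_ -in $onByDefault }  { $value -ne 'Disable' }   # on unless disabled
            { $_ -in $offByDefault } { $value -eq 'Enable' }    # off unless enabled
            default                  { $value -ne 'Enable' }    # mitigation not enabled
        }
        [pscustomobject]@{ Setting = $name; Value = $value; Exposed = $exposed }
    }

    # A mapped folder is writable from inside the sandbox unless ReadOnly is true
    foreach ($mf in $root.SelectNodes('MappedFolders/MappedFolder')) {
        $ro       = $mf.SelectSingleNode('ReadOnly')
        $hostDir  = $mf.SelectSingleNode('HostFolder')
        $readOnly = ($null -ne $ro) -and ($ro.InnerText.Trim() -eq 'true')
        $path     = if ($null -ne $hostDir) { $hostDir.InnerText } else { '(not set)' }
        [pscustomobject]@{ Setting = 'MappedFolder write access'; Value = $path; Exposed = -not $readOnly }
    }
}

# Constructed sample, modelled on the d:\temp example command
$sample = @'
<Configuration>
<MappedFolders>
<MappedFolder>
<HostFolder>d:\temp</HostFolder>
<ReadOnly>false</ReadOnly>
</MappedFolder>
</MappedFolders>
<MemoryInMB>8192</MemoryInMB>
<PrinterRedirection>Enable</PrinterRedirection>
</Configuration>
'@

Get-SandboxExposure -WsbXml $sample | Format-Table -AutoSize
```

Rows where Exposed is True mark host resources that stay reachable from inside the sandbox (or, for ProtectedClient, a mitigation that is not switched on), which is worth checking before running software you don't fully trust.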
Adding the Start-Sandbox function to the PowerShell profile
You can add the Start-Sandbox function to your profile by editing it (notepad $profile) and adding:
. c:\data\Start-Sandbox.ps1
Download the script(s) from GitHub here