Testing things is always essential, and Windows has a nice built-in feature for that called Windows Sandbox. You can think of it as a throwaway Windows VM: you start it, use it, and afterward there’s no trace of it anymore, which makes it ideal for testing! In this blog post, I will show you how to test PowerShell scripts and Intune packages in Windows Sandbox.
What is Windows Sandbox?
“Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains “sandboxed” and runs separately from the host machine.
A sandbox is temporary. When it’s closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Note, however, that as of Windows 11 Build 22509, your data will persist through a restart initiated from inside the virtualized environment—useful for installing applications that require the OS to reboot.”
What is Run-in-Sandbox?
It’s a project from Damien Van Robaeys (MVP Microsoft / System and Desktop Engineer / Powershell / Deployment / MDT / XAML / Automation), and it’s available on https://github.com/damienvanrobaeys/Run-in-Sandbox .
What can it do? Well… A lot of things 🙂
When right-clicking on one of these filetypes below, you can:
- Run PS1 as a user or system in Sandbox.
- Run VBS, EXE, and MSI in Sandbox
- Run Intunewin file
- Open URL or HTML file in Sandbox
- Extract ZIP files directly in Sandbox.
- Extract 7z file directly in Sandbox.
- Extract ISO directly in Sandbox.
- Share a specific folder in Sandbox.
- Run multiple apps/scripts in the same Sandbox session.
How do I install Windows Sandbox?
It’s a Windows Feature that is available starting from Windows Pro. To install it, you can follow these steps:
Using the GUI
- Go to Optional Features (You can search for that in the Windows Settings menu)
- Click on More Windows features
- Select Windows Sandbox and click OK
Using PowerShell
You can also add the Windows optional feature by starting an Admin PowerShell session and running:
Enable-WindowsOptionalFeature -Online -FeatureName "Containers-DisposableClientVM" -All
Windows will install the component and restart your system (save your work and close all programs first). After logging in again, you will have the Windows Sandbox app in your menu:
You can start it now, and in a few seconds, you will have a clean version of Windows 10/11 (depending on your own Windows version) in which you can do anything you want. When you close it, everything is gone, and you get a fresh instance the next time you start it.
How do I install Run-in-Sandbox?
To install the extension in Windows, you can follow these steps:
- Go to https://github.com/damienvanrobaeys/Run-in-Sandbox
- Click on Code and select Download ZIP
- Extract the contents of the download ZIP file to a folder on your hard drive. It will run from here, so choose a permanent location like c:\program files\run-in-sandbox
- You should now have a folder that looks like this:
- Right-click Add_Structure.ps1 and check if the file is blocked. If so, remove the block so that it can be executed.
- Start an Admin PowerShell session, switch to the installation folder, and run .\Add_Structure.ps1
- It will create a System Restore point and start the installation. You will see the installation progress, and it should look like this when finished:
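The "blocked" flag from the step above is the Zone.Identifier alternate data stream (Mark-of-the-Web), and files extracted from a blocked ZIP usually carry it too, not just Add_Structure.ps1. The following is an added example, not part of Run-in-Sandbox; it assumes the install folder suggested above and lists every marked file before unblocking anything:

```powershell
# Added example (not Run-in-Sandbox code): find files that still carry the
# Mark-of-the-Web after extracting the downloaded ZIP, then unblock them.
$InstallDir = 'C:\Program Files\Run-in-Sandbox'   # assumption: location suggested in the post

function Get-BlockedFile {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File | ForEach-Object {
        $file = $_
        # The Zone.Identifier stream only exists on files marked as downloaded.
        $stream = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
        if ($stream) {
            $zoneLine = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' |
                Where-Object { $_ -match '^ZoneId=\d+' } | Select-Object -First 1
            [pscustomobject]@{
                File   = $file.FullName
                ZoneId = ($zoneLine -replace '^ZoneId=', '')   # 3 = Internet zone
            }
        }
    }
}

$blocked = @(Get-BlockedFile -Path $InstallDir)

if ($blocked.Count -eq 0) {
    Write-Host "No blocked files under $InstallDir"
}
else {
    $blocked | Format-Table -AutoSize
    # Review the list (and the scripts themselves) first. -WhatIf only shows what
    # would be unblocked; remove it to actually clear the flag.
    Unblock-File -LiteralPath $blocked.File -WhatIf
}
```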
You will now have the option to run things in a Windows Sandbox session when right-clicking files. For example:
Running PowerShell scripts in Windows Sandbox
As you can see in the example screenshot above, you can run a ps1 file in Windows Sandbox. You can start it as System, User, or with parameters. I started one of my scripts (Install-Apps.ps1 from an earlier blog) in a Windows Sandbox session in the example below, in which I selected the “Run PS1 as user” option because things already start as Admin in Windows Sandbox:
- Right-Click Install-Apps.ps1 and select Run PS1 in Sandbox, and Run PS1 as user
- Windows Sandbox starts and runs the script. In this case, I don’t see the screen output, but my Start-Transcript action in the script shows the progress:
If the script has parameters, you can also run PS1 with parameters. This will bring up the following message box in which you specify just that:
Using Run-in-Sandbox makes testing scripts a lot easier and safer 🙂 (You don’t want to test things on your system too much 😛 )
Testing Intune packages in Windows Sandbox
You can also use Run-in-Sandbox to test .intunewin packages, and this saves a lot of time waiting for Intune to install a package on your test VM/System 🙂 The procedure for this is just like the one for PowerShell: right-click the .intunewin file and select “Test intunewin in Sandbox”.
I installed an Adobe Reader package in Windows Sandbox in the example below. Steps are:
- Right-Click the .intunewin package and select Test intunewin in Sandbox
- The following message box should appear. I typed “.\install.cmd” as the install command.
- Click on the + sign to continue.
- Windows Sandbox should start now, and you will see two folders on the desktop:
- One is the contents of the folder that you right-clicked the .intunewin file from, and the other is the folder for the Run-in-Sandbox files.
- The script now runs the installation just like Intune would do that for you, and in a minute or two, the software is installed:
Note: There is an update pending for Run-in-Sandbox. I made a pull request with minor updates but with a new Intunewin decoder. If you have created packages with the latest intunewinapputil.exe, you might be unable to extract that package. Please check the mentioned GitHub page for updates.
Other things that you can use Run-in-Sandbox for
As mentioned in the What is Run-in-Sandbox part, you can also use it to extract files or safely test opening specific URLs. Windows Sandbox has no access to your host device and can’t access your system, making it safe to check suspicious URLs.
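What a sandbox session can reach on the host is set in its .wsb configuration file: mapped folders, networking and clipboard redirection, the last two being enabled by default. The following is an added example, not Run-in-Sandbox's own code, that writes such a file for an offline script test with those channels set explicitly; the folder names and Test-Script.ps1 are placeholders, and the paths are assumed to contain no XML special characters:

```powershell
# Added example (not Run-in-Sandbox code). Folder and script names are placeholders.
$SourceDir  = 'C:\SandboxTest\Source'    # assumption: holds the script under test
$OutputDir  = 'C:\SandboxTest\Output'    # assumption: receives transcripts/logs
$ScriptName = 'Test-Script.ps1'          # assumption: the script to run
$WsbPath    = Join-Path $env:TEMP 'Test-Script.wsb'
$Desktop    = 'C:\Users\WDAGUtilityAccount\Desktop'   # desktop of the built-in sandbox user

New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
if (-not (Test-Path -LiteralPath (Join-Path $SourceDir $ScriptName))) {
    throw "Script not found: $SourceDir\$ScriptName"
}

# Networking and clipboard are switched off here; leave Networking out (default: on)
# only when the script under test really needs to download something.
# The source folder is mapped read-only, so the script cannot modify host files;
# only the separate Output folder is writable from inside the sandbox.
$wsb = @"
<Configuration>
  <Networking>Disable</Networking>
  <ClipboardRedirection>Disable</ClipboardRedirection>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$SourceDir</HostFolder>
      <SandboxFolder>$Desktop\Source</SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
    <MappedFolder>
      <HostFolder>$OutputDir</HostFolder>
      <SandboxFolder>$Desktop\Output</SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>powershell.exe -ExecutionPolicy Bypass -File "$Desktop\Source\$ScriptName"</Command>
  </LogonCommand>
</Configuration>
"@

[xml]$wsb | Out-Null                     # throws if the XML is not well-formed
Set-Content -LiteralPath $WsbPath -Value $wsb -Encoding UTF8
Start-Process -FilePath $WsbPath         # .wsb files open in Windows Sandbox
```

Pointing Start-Transcript in the tested script at the Output folder on the sandbox desktop keeps the log on the host after the sandbox is closed.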