Using Run-in-Sandbox for testing scripts and Intune packages

/ Harm Veenstra

Testing things is always essential, and Windows has a nice built-in Feature for that which is called Windows Sandbox. You can look at this as a throwaway Windows VM, you start and use it, and afterward, there’s no trace of it anymore, making it ideal for testing! In this blog post, I will show you how to test PowerShell scripts and Intune packages in Windows Sandbox.

Table Of Contents
show

What is Windows Sandbox?

“Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains “sandboxed” and runs separately from the host machine.

A sandbox is temporary. When it’s closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Note, however, that as of Windows 11 Build 22509, your data will persist through a restart initiated from inside the virtualized environment—useful for installing applications that require the OS to reboot.”

Source: “https://learn.microsoft.com/en-us/windows/security/threat-protection/windows-sandbox/windows-sandbox-overview”

What is Run-in-Sandbox?

It’s a project from Damien Van Robaeys (MVP Microsoft / System and Desktop Engineer / Powershell / Deployment / MDT / XAML / Automation), and it’s available on https://github.com/damienvanrobaeys/Run-in-Sandbox .

What can it do? Well… A lot of things 🙂

When right-clicking on one of these filetypes below, you can:

  • Run PS1 as a user or system in Sandbox.
  • Run VBS, EXE, and MSI in Sandbox
  • Run Intunewin file
  • Open URL or HTML file in Sandbox
  • Extract ZIP files directly in Sandbox.
  • Extract 7z file directly in Sandbox.
  • Extract ISO directly in Sandbox.
  • Share a specific folder in Sandbox.
  • Run multiple apps/scripts in the same Sandbox session.

How do I install Windows Sandbox?

It’s a Windows Feature that is available starting from Windows Pro. To install it, you can follow these steps:

Using the GUI

  • Go to Optional Features (You can search for that in the Windows Settings menu)
  • Click on More Windows features
  • Select Windows Sandbox and click Ok

Using PowerShell

You can add the Windows optional feature by starting an Admin PowerShell session and running:

Enable-WindowsOptionalFeature -Online -FeatureName "Containers-DisposableClientVM" -All

Windows will install the component, reboot (close/save all programs first), and restart your system. After logging in again, you will have the Windows Sandbox app in your menu:

You can start it now, and in a few seconds, you will have a clean version of Windows 10/11 (Depending on your own Windows version) in which you can do anything you want. When closed, it will all be gone and fresh when starting again.

How do I install Run-in-Sandbox?

To install the extension in Windows, you can follow these steps:

  • Go to https://github.com/damienvanrobaeys/Run-in-Sandbox
  • Click on Code and select Download ZIP
  • Extract the contents of the download ZIP file to a folder on your hard drive. It will run from here, so choose a permanent location like c:\program files\run-in-sandbox
  • You should now have a folder that looks like this:

  • Right-Click the Add_Structure.ps1 and check if the file is blocked. If so, remove the block so that it can be executed.
  • Start an Admin PowerShell session, switch to the installation folder, and run .\Add-Structure.ps1
  • It will create a System Restore point and start the installation, you will see the installation progress and it should look like this when finished:

You will now have the option to run things in a Windows Sandbox session when right-clicking files. For example:

Running PowerShell scripts in Windows Sandbox

As you can see in the example screenshot above, you can Run a ps1 file in Windows Sandbox. You can start it as System, User, or with parameters. I started one of my scripts (Install-Apps.ps1 from an earlier blog) in a Windows Sandbox session in the example below in which I selected the “Run PS1 as user option” because things already start as Admin in Windows Sandbox:

  • Right-Click Install-Apps.ps1 and select Run PS1 in Sandbox, and Run PS1 as user
  • Windows Sandbox Starts and runs the script. In this case, I don’t see the screen output, but my Start-Transcript action in the scripts shows the progress:

If the script has parameters, you can also run PS1 with parameters. This will bring up the following message box in which you specify just that:

Using Run-in-Sandbox makes testing scripts a lot easier and safe 🙂 (You don’t want to test things on your system too much 😛 )

Testing Intune packages in Windows Sandbox

You can also use Run-in-Sandbox to test .intunewin packages, and this saves a lot of time waiting for Intune to install a package on your test VM/System 🙂 The procedure for this is just like the one for PowerShell, right-click the .intunewin file and select “Test intunewin in Sandbox”

I installed an Adobe Reader package in Windows Sandbox in the example below. Steps are:

  • Right-Click the .intunewin package and select Test intunewin in Sandbox
  • The following message box should appear. I typed “.\install.cmd” as the install command.
  • Click on the + sign to continue.
  • Windows Sandbox should start now, and you will see two folders on the desktop:

  • One is the contents of the folder that you right-clicked the .intunewin file from, and the other is the folder for the Run-in-Sandbox files.
  • The script now runs the installation just like Intune would do that for you, and in a minute or two, the software is installed:

Note: There is an update pending of Run-in-Sandbox. I made a pull request with minor updates but with a new Intunewin decoder. If you have created packages with the latest intunewinapputil.exe, you might be unable to extract that package. Please check the mentioned Github page for updates.

Other things that you can use Run-in-Sandbox for

As mentioned in the What is Run-in-Sandbox part, you can also use it to extract files or safely test opening specific URLs. Windows Sandbox has no access to your host device and can’t access your system, making it safe to check suspicious URLs.

18 thoughts on “Using Run-in-Sandbox for testing scripts and Intune packages

  1. Hey, maybe you should take a look at my fork https://github.com/Joly0/Run-in-Sandbox
    I have made a lot of changes and basically rewrote alot of code of the original project. Refactored alot, fixed various bugs and also added some new features.
    Maybe thats interesting for you, not sure if my changes will get merged, pr is open

    Reply

  2. When I try to run the intunewin, I paste in the install command and it opens but doesn’t seem to be doing anything….I see the two folders on the desktop

    Is this the behavior you are referring to latest winapputil?

    Reply

  3. When I try to run the intunewin, I paste in the install command and it opens but doesn’t seem to be doing anything….I see the two folders on the desktop

    Is this the behavior you are referring to latest winapputil?

    Reply

  4. Pingback: Intune Newsletter - 8th April 2023 - Andrew Taylor

      • Hey Harm i appreciate the response
        I’ve uninstalled and downloaded and ran yours, it comes up with the message “it seems you don’t have dowloaded all the folder structure”
        It does find the sources folder and im running it as admin

      • It counts the number of files in the Sources directory which should be 38… I just downloaded the whole structure from my clone repo into a clean VM and it just ran straight away, no issues… I downloaded it using these steps:
        – Go to https://github.com/HarmVeenstra/Run-in-Sandbox
        – Click on Code and Download Zip
        – Extract contents to a directory
        – Run Powershell as admin
        – Go to directory and run .\add_structure.ps1

        -edit-

        Download it from the GitHub page from Damien, it’s been fixed

  6. Held!
    Thank you, you pointed me in the right direction, since both folders old+new were merged it had more files probably than it was supposed to have.

    Reply

    • Dank je wel 🙂 I read it in the add_structure.ps1 and that was very specific 😉 And yes, merging is not always a good idea 😉 I think the new version, with my adjustments and another pull request, will be available later this month and I will update my blog to reflect that afterwards.

      Reply

  7. Hey Harm,
    tried your wonderful solution to test intuinewin packages in sandbox today. Unfortunately I get the same “it seems you don’t have dowloaded all the folder structure” error as Peter, but havent merged any repos. will try to git clone and see if it works then.
    Secondly I’m also facing the issue that nothing happens after intunewin is loaded in sandbox. Some of the above comments link to non-existing repos. Do you have the current status of the main repo from Damien? Are your patches merged?
    Would love to test my intunewin packages in the sandbox bevore uploading them to Intune.
    Thanks for your help

    Reply

    • Git clone the repository of Damien or download zip and extract. Updates are there and my clone is no longer there and I will update that in the comments 😊

      I tested it last week for something and updated my older version to the latest version in Damiens repository, it worked for me and should also work for you. Let me know!

      Reply

Leave a Reply to Harm VeenstraCancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.