XDA has highlighted a Windows 11 feature that remains easy to overlook: Windows Sandbox, Microsoft’s disposable virtual desktop for testing files, installers, and scripts without setting up a full VirtualBox or VMware machine.
Windows Sandbox is not new, but it has become more capable. Microsoft now distributes an updated Sandbox experience through the Microsoft Store on supported Windows 11 24H2 systems, bringing a refreshed interface, runtime controls for shared folders and input devices, and preview command-line functionality. The core attraction remains unchanged: close the Sandbox window and its installed apps, files, and configuration are deleted.

Windows Sandbox illustration showing isolated, read-only files, disabled networking, and automatic cleanup on closure.Built in, but not available to everyone​

Per Microsoft’s documentation, Windows Sandbox is included with Windows 11 Pro, Pro Education, Enterprise, and Education. It is not supported on Windows 11 Home. PCs also need hardware virtualization enabled, at least 4GB of RAM—8GB is recommended—1GB of available disk space, and at least two CPU cores.
Admins and enthusiasts can enable it through Turn Windows features on or off by selecting Windows Sandbox, then restarting if prompted. Microsoft also supports enabling the component with the Containers-DisposableClientVM optional feature in an elevated PowerShell session.
That is considerably less setup than downloading a third-party hypervisor, sourcing an ISO, creating a virtual disk, and installing a guest OS. Sandbox uses the local Windows installation to create an isolated, clean environment on demand rather than asking users to maintain a conventional VM image.

Configuration matters for risky files​

The XDA report correctly points to .wsb configuration files as the useful step beyond the default experience. These XML-based files can disable networking, map a host folder as read-only, set a startup command, control virtual GPU access, and adjust allocated memory. Microsoft also documents controls for microphone, webcam, printer, clipboard, and Protected Client mode.
Those settings are not merely convenience options. Microsoft warns that networking is enabled by default, which can expose an untrusted application to an internal network. Clipboard redirection is also enabled by default, allowing files and text to move between the host and the Sandbox. Mapped folders deserve particular caution: a writable mapping gives code inside the Sandbox a route back to host data.
For inspecting a suspicious download or an untrusted PowerShell script, a sensible baseline is a .wsb file with networking disabled and only a read-only folder mapped for the file under test. Protected Client mode adds another isolation layer through AppContainer isolation, though it can restrict copy-and-paste behavior.

A sandbox, not a full VM replacement​

Sandbox is best suited to short-lived validation: opening an unknown executable, checking an installer’s behavior, testing a script, or reproducing a minor issue in a clean Windows session. It is not a replacement for durable lab machines, multi-VM networks, snapshot-heavy testing, or workloads that need persistent state. Microsoft also notes that only one Sandbox instance can run at a time.
One wrinkle for Windows 11 24H2 users: Microsoft says inbox Store apps such as Notepad, Terminal, Photos, and Calculator are not currently included in Sandbox, although it says that capability is planned to return.
Windows 11 Pro, Enterprise, and Education users who test untrusted code should enable Sandbox and use a no-network configuration before reaching for a third-party VM.

References​

  1. Primary source: XDA
    Published: 2026-07-18T21:30:10+00:00
  2. Official source: learn.microsoft.com