One YouTube user asked me “How do I create the files to run my sandbox?” So I created this post.
Windows Sandbox now supports simple configuration files (.wsb extension). This feature is available in Windows Insider build 18342. Here’s how to do it:
Sandbox configuration files are formatted as XML and are associated with Windows Sandbox via the .wsb extension. A configuration file lets you control the following features of Windows Sandbox:
vGPU (virtualized graphics processor) – Enable/Disable the virtualized GPU. Sandbox will use WARP (software rasterizer) if vGPU has been disabled.
Networking – Allow or disable network access to the Sandbox.
Shared folders – Share folders from the host with read or write permissions.
Startup script – Logon action for the sandbox.
Double-click a config file to open it in Windows Sandbox, or invoke it from the command line.
What are the keywords, values, and limits I should be aware of?
VGpu – Enables or disables GPU sharing.
Disable – Disables vGPU functionality in the sandbox. If this value is set, Windows Sandbox uses software rendering, which can be slower than the virtualized GPU.
Default – This is the default value for vGPU support, which enables it.
NOTE: Virtualized GPUs can increase the attack surface in the sandbox.
Networking – Enables or disables networking within the sandbox. Disabling network access reduces the attack surface exposed by the Sandbox.
Disable – Disables networking in the sandbox.
Default – This is the default value for networking support. It enables networking by creating a virtual switch on the host and connecting the sandbox to it via a virtual NIC.
NOTE: Enabling networking may expose untrusted apps to your internal network.
MappedFolders – Wraps a map of MappedFolder objects
MappedFolder specifies a single folder on the host computer that will be shared on the container desktop. Apps in the Sandbox run under the user account “WDAGUtilityAccount”, so all folders are mapped under the following path:
Example: “C:\ITPROTV” will be mapped as “C:\users\WDAGUtilityAccount\Desktop\ITPROTV”
ReadOnly – If true, the container gets read-only access to the shared folder. Supported values: true/false
NOTE: Files and folders that are mapped in from the host could be compromised by Sandbox apps or potentially affect the host.
LogonCommand – Specifies a single Command that will be invoked automatically after the container logs on.
NOTE: While very simple commands (launching a script or executable) will work, more complex scenarios that require multiple steps should be saved to a script file. This script file can be mapped to the container via a shared directory and then executed using the LogonCommand directive.
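The security notes above can be turned into a pre-launch check. The following is an added example, not part of the original post or of Windows Sandbox: a small Python auditor that parses a .wsb file and reports the settings those notes warn about. The sample configuration is constructed for illustration; the Configuration and HostFolder element names and the setup.cmd script name are assumptions not shown in the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample .wsb, not from the original post. C:\ITPROTV is the host
# folder used in the post's example; setup.cmd is a hypothetical script name.
SAMPLE_WSB = r"""<Configuration>
  <VGpu>Default</VGpu>
  <Networking>Default</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\ITPROTV</HostFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>C:\users\WDAGUtilityAccount\Desktop\ITPROTV\setup.cmd</Command>
  </LogonCommand>
</Configuration>"""


def _text(node, tag, default=""):
    """Return the stripped text of a child element, or a default if absent."""
    child = node.find(tag)
    return (child.text or "").strip() if child is not None else default


def audit_wsb(xml_text):
    """Return a list of findings for the settings the notes above call out."""
    root = ET.fromstring(xml_text)
    findings = []
    # An absent VGpu/Networking element is treated as Default, i.e. enabled.
    if _text(root, "VGpu", "Default").lower() != "disable":
        findings.append("VGpu enabled: larger attack surface in the sandbox")
    if _text(root, "Networking", "Default").lower() != "disable":
        findings.append("Networking enabled: untrusted apps can reach the internal network")
    for folder in root.findall("./MappedFolders/MappedFolder"):
        host = _text(folder, "HostFolder", "<missing HostFolder>")
        # Audit choice: an omitted ReadOnly is treated as writable.
        if _text(folder, "ReadOnly", "false").lower() != "true":
            findings.append(f"Writable mapped folder: {host}")
    cmd = _text(root, "./LogonCommand/Command")
    if cmd:
        findings.append(f"LogonCommand runs at logon, review it: {cmd}")
    return findings


if __name__ == "__main__":
    for finding in audit_wsb(SAMPLE_WSB):
        print("[!]", finding)
```

A configuration with VGpu and Networking set to Disable, ReadOnly set to true on every mapped folder, and no LogonCommand produces no findings.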
Example .wsb Configuration Files
You can create the .wsb file in any editor. It is important to ensure that the file has the .wsb extension when you save it. Depending on which editor you use, you may need to modify the default extension or file type BEFORE you save to ensure you get the corre.