Last updated on December 18, 2023

Windows Sandbox is a standard Windows feature that provides a lightweight desktop environment (a Windows virtual machine) for running applications in isolation. In a Sandbox you can safely test apps or browse "unsafe" websites. In contrast to "normal" VMs, Sandbox starts quickly, e.g. starting Sandbox and installing Firefox takes less than 30 sec on my notebook.

Windows Sandbox comes preinstalled with Windows. You only have to enable it manually via "Turn Windows Features on or off".

One of the main features of Windows Sandbox is that it erases all state when closing. While this ensures not leaving any traces on your host machine, I find it cumbersome having to install commonly used apps every time I start a Sandbox.

To automatically install apps when starting Sandbox, I use the <LogonCommand> of a Windows Sandbox configuration file to run installers at Sandbox startup.

[ToDo: Experiment with the winget installer]

Using Ninite Installer

The free Ninite installer is the fastest installer option and provides unobtrusive status info when run via a Sandbox LogonCommand:

[BTW, I am using the paid Ninite Updater on my Windows machines to keep apps automatically updated. I especially like its minimalistic UX and installing most of my apps on a new machine with a single command.]

  1. Select the apps you want on the Ninite website
  2. Download the configured installer
  3. Make the installer available in Sandbox
    1. Set <HostFolder> to the folder containing the installer
    2. <SandboxFolder> defaults to Desktop!
  4. Set the installer to run via <LogonCommand>
  5. Simply run the .wsb file to start Sandbox and install your apps

Apps offered by Ninite

The following .wsb file starts Sandbox and automatically installs Firefox and 7-ZIP via Ninite. It gives the Sandbox 6GB RAM too.

<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Tools\SandboxConfig</HostFolder>
      <SandboxFolder></SandboxFolder>
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>"C:\users\WDAGUtilityAccount\Desktop\SandboxConfig\Ninite 7Zip Firefox Installer.exe"</Command>
  </LogonCommand>
  <MemoryInMB>6144</MemoryInMB>
</Configuration>

Ninite status info while installing apps in Windows Sandbox

Using RuckZuck Installer

If Ninite does not offer the apps you need, the RuckZuck installer might do, see the RuckZuck app catalog.

The following .wsb LogonCommand uses RZGet to install Brave and 7-Zip:

 <Command>C:\users\WDAGUtilityAccount\Desktop\SandboxConfig\RZGet.exe install /verbose "Brave" "7-Zip"</Command>

Using Chocolatey Installer and PowerShell Script

If you need more install features or more control, you can run Chocolatey via a PowerShell script as LogonCommand.
"Doing More with Windows Sandbox" describes a complex Sandbox configuration using PowerShell.
To install Chocolatey via PowerShell use:

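# Allow script execution for this PowerShell process only
Set-ExecutionPolicy Bypass -Scope Process -Force
# Add TLS 1.2 (value 3072) to the protocols used for the download
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
# Download the Chocolatey install script and execute it
iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))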

By default, Windows Sandbox does not allow PowerShell scripts to run. My scripts do not disable this restriction in general; they only bypass it for their own execution.

To force showing the PowerShell output of the Sandbox LogonCommand I start a PowerShell from within PowerShell [found no cleaner solution].

.wsb file starting a PowerShell script:

<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>C:\Tools\SandboxConfig</HostFolder>
      <SandboxFolder></SandboxFolder>
      <ReadOnly>false</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command>powershell -executionpolicy bypass -command "start powershell {-noexit -file C:\Users\WDAGUtilityAccount\Desktop\SandboxConfig\InstallChocoAndApps.ps1}"</Command>
  </LogonCommand>
  <MemoryInMB>6144</MemoryInMB>
</Configuration>

PowerShell script installing Chocolatey and apps:

# Allow script execution for this PowerShell process only
Set-ExecutionPolicy Bypass -Scope Process -Force

# Measure how long the whole installation takes
$ElapsedTime = [System.Diagnostics.Stopwatch]::StartNew()

# Add TLS 1.2 (value 3072), then download and execute the Chocolatey install script
[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072
iex ((New-Object System.Net.WebClient).DownloadString('https://community.chocolatey.org/install.ps1'))

# Skip the confirmation prompt for every package
choco feature enable -n=allowGlobalConfirmation

choco install brave
choco install firefox
choco install 7zip

Write-Host "Elapsed Time: $($ElapsedTime.Elapsed.ToString())"

Exit
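
A signature check that can run before the Ninite installer from the first .wsb file is started, as an added example that is not part of the original post. The script name VerifyAndInstall.ps1 and the $ExpectedSigner value are assumptions; the script would sit in the mapped SandboxConfig folder and be started by a LogonCommand in the same way as InstallChocoAndApps.ps1.

```powershell
# Added example, not from the original post. Assumed to be saved as
# VerifyAndInstall.ps1 (hypothetical name) in the mapped SandboxConfig folder.
param(
    # Installer path as seen inside the Sandbox (taken from the first .wsb file).
    [string]$Installer = 'C:\Users\WDAGUtilityAccount\Desktop\SandboxConfig\Ninite 7Zip Firefox Installer.exe',
    # Placeholder: text expected in the subject of the signing certificate.
    [string]$ExpectedSigner = '<expected publisher name>'
)

function Test-InstallerSignature {
    param([string]$Path, [string]$Signer)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        Write-Warning "Installer not found: $Path"
        return $false
    }

    # Log the hash so it can be compared with a value recorded on the host.
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Write-Host "SHA256: $hash"

    $sig = Get-AuthenticodeSignature -FilePath $Path
    Write-Host "Signature status: $($sig.Status)"
    if ($sig.Status -ne 'Valid') {
        # NotSigned, HashMismatch, NotTrusted and so on: do not run the file.
        return $false
    }

    $subject = $sig.SignerCertificate.Subject
    Write-Host "Signer: $subject"
    # A valid signature from an unexpected publisher is rejected as well.
    return ($subject.IndexOf($Signer, [System.StringComparison]::OrdinalIgnoreCase) -ge 0)
}

if (Test-InstallerSignature -Path $Installer -Signer $ExpectedSigner) {
    # Run the installer and wait until it has finished.
    Start-Process -FilePath $Installer -Wait
} else {
    Write-Warning 'Signature check failed, installer was not started.'
}
```

Keep `<ReadOnly>true</ReadOnly>` on the mapped folder, as in the first .wsb file, so that nothing running inside the Sandbox can modify the installer or this script on the host.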