Note: Although very simple commands will work (launching an executable or script), more complicated scenarios involving multiple steps should be placed into a script file. Specifies a single Command which will be invoked automatically after the container logs on.Ĭommand: A path to an executable or script inside of the container that will be executed after login. ReadOnly: If true, enforces read-only access to the shared folder from within the container. Note that the folder must already exist the host or the container will fail to start if the folder is not found. HostFolder: Specifies the folder on the host machine to share to the sandbox. “C:\Test” will be mapped as “C:\users\WDAGUtilityAccount\Desktop\Test”. Hence, all folders are mapped under the following path: C:\Users\WDAGUtilityAccount\Desktop.Į.g. Apps in the Sandbox are run under the user account “WDAGUtilityAccount”. Specifies a single folder on the host machine which will be shared on the container desktop. Note: Files and folders mapped in from the host can be compromised by apps in the Sandbox or potentially affect the host.
Note: Enabling networking can expose untrusted applications to your internal network. This enables networking by creating a virtual switch on the host, and connects the sandbox to it via a virtual NIC. Default – this is the default value for networking support.Disable – disables networking in the sandbox.Disabling network access can be used to decrease the attack surface exposed by the Sandbox. Note: Enabling virtualized GPU can potentially increase the attack surface of the sandbox.Įnables or disables networking in the sandbox. Default – this is the default value for vGPU support currently this means vGPU is enabled.
If this value is set Windows Sandbox will use software rendering, which can be slower than virtualized GPU. Disable – disables vGPU support in the sandbox.
Note that exposing host directories may allow malicious software to affect your system or steal data.Īs demonstrated in the examples below, configuration files can be used to granularly control Windows Sandbox for enhanced isolation.ĭouble click a config file to open it in Windows Sandbox, or invoke it via the command line as shown: