You have an installer file from an unknown source. You want to test it without risking your main Windows 11 system. Windows Sandbox provides an isolated, temporary desktop environment for exactly this purpose. When you close the Sandbox, everything inside is permanently deleted. This article explains how to configure and use Windows Sandbox to run a single untrusted installer safely.
Key Takeaways: Running Untrusted Installers in Windows Sandbox
- Windows Sandbox (built-in Windows 11 Pro/Enterprise feature): Launches a clean, isolated virtual environment that deletes all changes on exit.
- Copy the installer file into the Sandbox window: Use Ctrl+V or drag-and-drop to transfer the file into the Sandbox without affecting the host system.
- Run the installer inside the Sandbox: Test the installation and behavior. Close the Sandbox window to erase all traces.
What Is Windows Sandbox and Why Use It for Untrusted Installers
Windows Sandbox is a lightweight virtual machine that runs a fresh copy of Windows 11 inside an isolated container. It uses the same kernel as your host system but does not share persistent storage, running applications, or user data. The Sandbox starts from a clean state every time you launch it. Any software you install, files you create, or settings you change are discarded when you close the Sandbox.
This makes Windows Sandbox ideal for one-shot testing of untrusted installers. You can run a downloaded .exe or .msi file, observe its behavior, and then close the Sandbox without leaving any trace on your main PC. Unlike a full virtual machine, the Sandbox requires no separate Windows license, no manual setup of virtual hard disks, and no snapshot management. It is a purpose-built tool for short-term, disposable testing.
Prerequisites for using Windows Sandbox on Windows 11:
- Windows 11 Pro, Enterprise, or Education edition. The feature is not available on Windows 11 Home.
- Virtualization enabled in the system BIOS or UEFI (Intel VT-x or AMD-V).
- At least 4 GB of RAM (8 GB recommended) and 1 GB of free disk space.
- The Windows Sandbox feature must be turned on in Windows Features.
Enable Windows Sandbox on Windows 11
Before you can use the Sandbox, you must enable it through Windows Features. This requires administrator access.
- Open Windows Features
Press the Windows key, type “Turn Windows features on or off”, and press Enter. - Locate Windows Sandbox
Scroll down the list. Check the box next to Windows Sandbox. - Install the feature
Click OK. Windows will install the required components. You may be prompted to restart your PC. Click Restart now.
After the restart, you will find Windows Sandbox in the Start menu. Type “Windows Sandbox” and click the app to open it.
Run the Untrusted Installer Inside Windows Sandbox
Once the Sandbox is enabled, you can run your installer safely. Follow these steps for a one-shot test.
- Launch Windows Sandbox
Open the Start menu, type Windows Sandbox, and press Enter. A new window appears showing a clean Windows 11 desktop. This is the isolated environment. - Copy the installer file into the Sandbox
On your host PC, locate the untrusted installer file. Right-click it and select Copy (or press Ctrl+C). Click inside the Sandbox window and press Ctrl+V. The file appears on the Sandbox desktop. You can also drag the file from File Explorer on the host directly into the Sandbox window. - Run the installer inside the Sandbox
Double-click the installer file inside the Sandbox. Follow the installation prompts as you normally would. The Sandbox has internet access by default, so the installer can download additional components if needed. Watch for any unusual behavior such as unexpected pop-ups, registry changes, or network connections. - Test the installed application
After installation, launch the application inside the Sandbox. Verify that it works as expected. Check for any unwanted side effects such as browser toolbars, system tray icons, or background processes. - Close the Sandbox to discard all changes
When you are finished, close the Sandbox window. A dialog appears: “Windows Sandbox will discard all content and shut down.” Click OK. The entire Sandbox environment is deleted, including the installer, the installed application, and any files you created. Your host system remains untouched.
Common Issues and Things to Avoid
“Windows Sandbox failed to start” error
This error usually means virtualization is not enabled in the BIOS or the Windows Sandbox feature is not installed correctly. Restart your PC, enter the BIOS setup (often by pressing F2, F10, or Del during boot), and enable Intel VT-x or AMD-V. After saving the change, boot into Windows and verify that the Sandbox feature is checked in Windows Features.
Can I save files from the Sandbox to my host PC
The Sandbox is designed to be disposable. If you need to keep a file, copy it out of the Sandbox before closing it. You can drag a file from the Sandbox desktop to your host desktop. Once the Sandbox window is closed, the file inside is gone permanently.
What if the installer requires a reboot
Windows Sandbox does not support rebooting. If an installer demands a restart, the installation will fail or behave unexpectedly. In that case, consider using a full virtual machine like Hyper-V or VirtualBox instead of the Sandbox for that specific installer.
Network isolation for the Sandbox
By default, the Sandbox has network access. If you want to run the installer without any network connectivity, you can create a Sandbox configuration file (.wsb) that disables networking. Create a text file named offline.wsb and paste this content:
<Configuration>
<Networking>Disable</Networking>
</Configuration>Save the file. Then right-click it and select Open with > Windows Sandbox. The Sandbox will launch without internet access. This prevents the installer from phoning home or downloading additional payloads.
Windows Sandbox vs Full Virtual Machine for Testing Installers
| Item | Windows Sandbox | Full Virtual Machine |
|---|---|---|
| Setup time | Instant after feature is enabled | Requires creating a VM, installing Windows, and configuring snapshots |
| Disk space used | Less than 1 GB base image | 20 GB or more for a full Windows installation |
| Persistence | None — all data deleted on exit | Optional — can save state or revert to snapshot |
| Reboot support | Not supported | Fully supported |
| Network isolation | Configurable via .wsb file | Configurable via virtual switch settings |
| Best use case | One-shot test of a single installer | Long-term testing or multiple installer sessions |
Windows Sandbox is the better choice for quick, disposable tests. A full virtual machine is better when you need to reboot, keep the environment across sessions, or run complex installation sequences.
You can now run any untrusted installer in Windows Sandbox on Windows 11 without risk to your main system. Start by enabling the feature in Windows Features, then copy the installer file into the Sandbox. After testing, close the Sandbox to erase all traces. For installers that require a reboot or persistent testing, consider using Hyper-V with a snapshot instead.