Windows Sandbox networking allows administrators to safely test suspicious apps in a virtual environment with internet access. Sandbox networking is enabled by default, but you may want to disable it to run fully isolated simulations or shield your network from malware.
This article explains how to disable or enable your network on Windows Sandbox, the key points for deployment, and commonly asked questions.
Configure Sandbox networking for secure online testing
Knowing the most optimal way to turn Windows Sandbox networking on or off can depend on your goals, your technical limitations, and many other factors. Be sure to consider these before choosing a method.
📌 Prerequisites:
- Requires Windows 11 Pro or Enterprise (Build 18305 or later)
- Windows Sandbox must be enabled via Windows Features
- Administrator privileges
📌 Recommended deployment strategies:
Click to Choose a Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
| Method 1: Configuration file | ✓ | |
| Method 2: Group Policy | ✓ | ✓ |
| Method 3: Registry Editor | ✓ | |
| Method 4: PowerShell | ✓ | ✓ |
| Method 5: .reg file | ✓ | ✓ |
Method 1: Disable networking via configuration file (per instance)
This method is ideal if system-wide policy changes aren’t necessary, and it works by creating a launch file that has networking disabled.
📌 Use Cases: Per-session changes.
- Press Win + S, type Notepad, and press Enter.
- Paste the following:
<Configuration><Networking>Disable</Networking></Configuration> - Save the file with a .wsb extension (e.g., Sandbox-NetworkingOff.wsb).
- Run the file to launch Windows Sandbox without network access.
Method 2: Configure networking via Group Policy
To update your enterprise’s policy surrounding Windows Sandbox networking, set changes using Group Policy Editor (gpedit.msc).
📌 Use Cases: Enforce security standards by allowing or denying app settings changes.
📌Prerequisites: Group Policy with Windows 11 ADMX templates.
- Press Win + R, type gpedit.msc, and press Enter.
- Navigate to: Computer Configuration > Administrative Templates > Windows Components > Windows Sandbox
- Double-click Allow networking in Windows Sandbox.
- To allow networking inside Sandbox (default), choose Enabled.
- To prevent networking access inside the Sandbox, choose Disabled.
- To enable networking unless a configuration file explicitly overrides it, choose Not Configured.
- Click Apply, then OK.
- Run gpupdate /force or reboot the workstation to apply your changes.
Method 3: Configure via Registry Editor
⚠️ Warning: Editing the registry can cause system issues. Create a backup before proceeding.
📌 Use Cases: System-wide changes that impact all users on a workstation.
- Press Win + R, type regedit, and press Enter.
- Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox
- Double-click the Sandbox key.
- If you don’t see the key, do the following:
- Right-click on the right-hand panel.
- Select New > DWORD (32-bit) value.
- Name the new value AllowNetworking.
- If you don’t see the key, do the following:
- Modify its value:
- To enable networking in Sandbox, type 1.
- To disable networking in Sandbox, type 0.
- Close the Registry Editor and restart the system.
Method 4: PowerShell script for automation
📌 Use Cases: Deploy specific scripts that automate Registry changes, saving time and resources.
- Press Win + R, type powershell, and press Enter.
- To disable Windows Sandbox networking, run this script:
New-Item -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox” -Force | Out-Null Set-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox” -Name “AllowNetworking” -Value 0
- To enable Windows Sandbox networking, run this script:
Set-ItemProperty -Path “HKLM:\SOFTWARE\Policies\Microsoft\Windows\Sandbox” -Name “AllowNetworking” -Value 1
Method 5: Using a .reg file
📌 Use Cases: Apply Registry changes through commands contained in plain-text files.
- Press Win + S, type Notepad, and press Enter.
- To disable Windows Sandbox networking, paste this script:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox]
“AllowNetworking”=dword:00000000
- To enable Windows Sandbox networking, paste this script:
Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Sandbox]
“AllowNetworking”=dword:00000001
- Save the file with a .reg extension (e.g., Sandbox_NetworkingOff.reg).
- Run the file as Administrator.
- Restart the PC.
⚠️ Things to look out for
Risks | Potential Consequences | Reversals |
| Malformed XML on your Configuration file |
| Verify <Networking>Enable</Networking> or <Networking>Disable</Networking> is properly set. |
| Disabling virtualization platforms on GPE | Sandbox fails to start | Re-allow outbound rules for Windows Sandbox NetNat, or related components |
| Deleting/changing Sandbox-related keys | Sandbox breaks permanently or crashes silently | Restore registry keys from backup (exported .reg file) |
| Removing the NAT configuration Sandbox relies on | Loss of internet within Sandbox | Recreate NAT with New-NetNat -Name “Sandbox” -InternalIPInterfaceAddressPrefix “ 192.168.100.0/24″ |
| Malformed .reg tweaks | Corrupted registry that breaks Sandbox | Use System Restore. |
Additional considerations when toggling Windows Sandbox networking
It’s important to consider how your changes can affect different parts of your system in order to optimize your process and avoid pitfalls. Here are the key points you should keep in mind.
Configuration files override Windows Sandbox networking settings
Windows Sandbox supports .wsb configuration files (XML), which empower IT admins to enable or disable features like networking, mapped folders, logon commands, and more. This is useful if your goal is to disconnect your sandbox from the internet, preventing potential data leaks.
No internet means no updates
Keep in mind that disabling Windows Sandbox networking also means losing Windows Update or any online services in your test environment. While this can illustrate how these apps behave offline, real-time updates won’t be available in your sandbox.
Data loss
Windows Sandbox sessions get deleted after every session. This means that you’ll be unable to upload diagnostic data reports to the cloud if you turn networking off.
Audit access
On the other hand, it’s important to stress that sandboxed apps can potentially access your internal network, exposing your organization’s resources. To improve your security posture, safeguard your audit-sensitive endpoints.
Manage Windows Sandbox networking for increased protection
Windows Sandbox allows users to run potentially unsafe apps within virtual instances. Internet access is permitted by default for improved simulations, but it exposes your company’s LAN, increasing potential attack vectors.
Toughen your security posture by disabling Windows Sandbox networking and limiting its use. When making changes, exercise caution, create registry backups when needed, and prioritize your IT infrastructure’s overall stability.
Related topics:
- What Is a Sandbox?
- How to Enable or Disable vGPU Sharing for Windows Sandbox in Windows 10
- How to Enable or Disable Clipboard Sharing with Windows Sandbox in Windows 10
Quick-Start Guide
Here are the methods to enable or disable networking in Windows Sandbox:
1. Using a Configuration File (.wsb):
– You can create a Windows Sandbox configuration file with networking options
– Use Enable to enable networking
– Use Disable to disable networking
– Default is the default setting
2. Group Policy:
– There’s a policy setting to allow or disable networking in Windows Sandbox
– This setting can be configured to disable network access to reduce the attack surface
3. Multiple Methods to Disable/Enable:
– Configuration file
– Group Policy settings
– Registry modifications
– PowerShell scripts
Key Points:
– Disabling networking can help reduce potential security risks
– Networking in Sandbox is achieved by creating a virtual switch on the host
– The default setting typically allows networking
– You can choose to completely isolate the Sandbox environment by disabling network access
