How to Check if Windows Sandbox is Available in Batch Script
Windows Sandbox is a lightweight, temporary desktop environment that allows you to run untrusted software in isolation. When you close the Sandbox, all the software, files, and state are permanently deleted. For security professionals and developers, verifying that Sandbox is available on a machine before attempting to use it for "detonating" suspicious files is a critical first step in automated workflows. However, Sandbox availability depends on several factors: the Windows Edition (Pro/Enterprise), BIOS virtualization settings, and whether the "Windows Sandbox" feature is enabled.
This guide explains how to check these prerequisites using a Batch script.
Why Check for Sandbox Availability?
- Environment Guarding: Preventing your script from attempting to launch WindowsSandbox.exe on a system where it isn't supported.
- Automated Setup: Triggering the installation of the Sandbox feature if it is supported but currently disabled.
- Reporting: Identifying which machines on your network are "Sandbox-ready" for secure testing.
Windows Sandbox has the following requirements:
- Windows Edition: Pro, Enterprise, or Education (Home is not supported).
- Architecture: 64-bit (x64) or ARM64.
- Virtualization: Enabled in BIOS/UEFI.
- Hardware: At least 4GB of RAM (8GB recommended).
Method 1: Checking the Windows Edition (First Filter)
Since Sandbox is not available on Windows 10/11 Home, the first step is to check if the OS edition is compatible.
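@echo off
echo [PROCESS] Checking Windows Edition...
:: Start empty so a failed query is detected instead of being treated as compatible.
set "OS_CAPTION="
:: wmic is deprecated and can be absent on newer Windows builds.
for /f "tokens=2 delims==" %%a in ('wmic os get Caption /value 2^>nul ^| find "="') do (
    rem The inner loop strips the trailing carriage return that wmic emits.
    for /f "delims=" %%b in ("%%a") do set "OS_CAPTION=%%b"
)
if not defined OS_CAPTION (
    echo [ERROR] Could not determine the Windows edition.
    pause
    exit /b 1
)
echo %OS_CAPTION% | findstr /i "Home" >nul
if %errorlevel% equ 0 (
    echo [ERROR] Windows HOME Edition detected. Sandbox is NOT available.
    pause
    exit /b 1
) else (
    echo [SUCCESS] Windows Edition is compatible.
)
pause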
Method 2: Checking the Optional Feature State
If the OS is compatible, we need to check if the specific "Windows Sandbox" feature is toggled on.
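@echo off
:: DISM needs an elevated (Administrator) prompt; without it the query fails
:: and this script reports the feature as not enabled.
echo [PROCESS] Checking if 'Windows Sandbox' feature is enabled...
:: Match the "State" line of the DISM output, then require the value "Enabled".
dism /online /get-featureinfo /featurename:Containers-DisposableClientVM 2>nul | findstr /i /c:"State" | findstr /i /c:"Enabled" >nul
if %errorlevel% equ 0 (
    echo [SUCCESS] Windows Sandbox is ENABLED and ready.
) else (
    echo [WARNING] Windows Sandbox is NOT enabled or not available.
)
pause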
The internal feature name for Sandbox in DISM is Containers-DisposableClientVM.
Creating a Comprehensive "Readiness" Checker
The following script checks for every requirement to determine if the machine is truly "Sandbox-ready."
@echo off
setlocal
set "READY=1"
set "OS_CAPTION="
echo ============================================================
echo Windows Sandbox Availability Auditor
echo ============================================================
:: 1. Check for Administrative Privileges (Required for DISM)
net session >nul 2>&1
if %errorlevel% neq 0 (
    echo [ERROR] This script must be run as Administrator.
    pause
    exit /b 1
)
:: 2. Check Edition (wmic is deprecated and can be absent on newer Windows builds)
echo.
echo [CHECK 1] Windows Edition...
for /f "tokens=2 delims==" %%a in ('wmic os get Caption /value 2^>nul ^| find "="') do (
    rem The inner loop strips the trailing carriage return that wmic emits.
    for /f "delims=" %%b in ("%%a") do set "OS_CAPTION=%%b"
)
:: If the query failed, report that instead of echoing an empty variable.
if not defined OS_CAPTION set "OS_CAPTION=Unknown - edition query failed"
echo %OS_CAPTION% | findstr /i "Pro Enterprise Education" >nul
if %errorlevel% equ 0 (
    echo [PASS] %OS_CAPTION%
) else (
    echo [FAIL] Unsupported Edition: %OS_CAPTION%
    set "READY=0"
)
:: 3. Check Virtualization in BIOS
:: systeminfo prints "A hypervisor has been detected" only while a hypervisor is
:: already running; otherwise it lists "Virtualization Enabled In Firmware".
:: Accept either line (both strings are from English-language output).
echo.
echo [CHECK 2] Virtualization Status...
systeminfo | findstr /i /c:"A hypervisor has been detected" /c:"Virtualization Enabled In Firmware: Yes" >nul
if %errorlevel% equ 0 (
    echo [PASS] Hypervisor is active or virtualization is enabled in firmware.
) else (
    echo [FAIL] Virtualization is NOT enabled in BIOS/UEFI.
    set "READY=0"
)
:: 4. Check Feature State
echo.
echo [CHECK 3] Sandbox Feature State...
dism /online /get-featureinfo /featurename:Containers-DisposableClientVM 2>nul | findstr /i /c:"State" | findstr /i /c:"Enabled" >nul
if %errorlevel% equ 0 (
    echo [PASS] Containers-DisposableClientVM is Enabled.
) else (
    echo [FAIL] Sandbox feature is NOT enabled.
    echo [ACTION] Enable 'Windows Sandbox' in Optional Features.
    set "READY=0"
)
:: 5. Summary
echo.
echo ============================================================
if "%READY%"=="1" (
    echo RESULT: Windows Sandbox is FULLY READY.
) else (
    echo RESULT: One or more checks FAILED. See details above.
)
echo ============================================================
pause
Common Pitfalls and How to Avoid Them
Only Checking the .exe file
Simply checking if WindowsSandbox.exe exists in the System32 folder is not enough, as the file might be there but the driver required to run it could be disabled.
Wrong Way:
if exist C:\Windows\System32\WindowsSandbox.exe ...
:: This is often true even if the feature isn't "Started."
Correct Way: Always use the DISM check (Method 2) to ensure the entire virtualization stack for "Containers" is active and correctly configured.
RAM and Disk Space
Windows Sandbox won't launch if you have less than 1GB of free disk space or very low available RAM.
In your script, add a check for free disk space on drive C: to ensure the Sandbox has room to create its temporary virtual disk image.
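One way to write that resource check, added here as an example rather than taken from the original guide. It asks PowerShell for the values in megabytes because cmd.exe compares 32-bit integers and byte counts overflow them; the 3584 MB RAM floor is an assumption that allows for memory a 4GB machine reserves for hardware.

```batch
@echo off
setlocal
:: Added example. Thresholds follow the guide: 1GB free disk, 4GB RAM.
set "MIN_FREE_DISK_MB=1024"
:: Assumption: a 4GB machine reports somewhat less than 4096 MB to the OS.
set "MIN_TOTAL_RAM_MB=3584"
set "FREE_DISK_MB="
set "TOTAL_RAM_MB="
set "OK=1"
:: Request values in MB so they fit cmd.exe's 32-bit integer comparisons.
for /f %%a in ('powershell -NoProfile -Command "[math]::Floor((Get-PSDrive -Name C).Free / 1MB)" 2^>nul') do set "FREE_DISK_MB=%%a"
for /f %%a in ('powershell -NoProfile -Command "[math]::Floor((Get-CimInstance Win32_OperatingSystem).TotalVisibleMemorySize / 1KB)" 2^>nul') do set "TOTAL_RAM_MB=%%a"
:: Fail closed: a value that could not be read becomes -1 and fails the test.
if not defined FREE_DISK_MB set "FREE_DISK_MB=-1"
if not defined TOTAL_RAM_MB set "TOTAL_RAM_MB=-1"
if %FREE_DISK_MB% lss %MIN_FREE_DISK_MB% (
    echo [FAIL] Free space on C: is %FREE_DISK_MB% MB, need %MIN_FREE_DISK_MB% MB.
    set "OK=0"
) else (
    echo [PASS] Free space on C: is %FREE_DISK_MB% MB.
)
if %TOTAL_RAM_MB% lss %MIN_TOTAL_RAM_MB% (
    echo [FAIL] Installed RAM is %TOTAL_RAM_MB% MB, need %MIN_TOTAL_RAM_MB% MB.
    set "OK=0"
) else (
    echo [PASS] Installed RAM is %TOTAL_RAM_MB% MB.
)
if "%OK%"=="1" (
    echo RESULT: Enough disk space and memory to start Windows Sandbox.
    exit /b 0
)
echo RESULT: Resource check FAILED. A value of -1 means it could not be read.
exit /b 1
```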
Best Practices for Sandbox Management
- Automated Enabling: If your script finds the feature is supported but off, you can enable it automatically:
dism /online /enable-feature /featurename:Containers-DisposableClientVM /all /norestart
- Check for Reboots: Like Hyper-V, Sandbox requires a reboot to "activate" once enabled.
- Hypervisor Conflicts: If you have third-party hypervisors (like old versions of VMware) running, they might block the Sandbox from starting even if the feature is "Enabled."
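The enable-and-reboot practices above combined into one script, added here as an example and not part of the original guide. It reads the DISM state into a variable so a feature that is enabled but still waiting for a restart is not reported as ready; the exit codes 0 (ready), 2 (restart needed) and 1 (failure) are this example's own convention.

```batch
@echo off
setlocal
:: Added example. Run from an elevated prompt; DISM /online requires it.
set "FEATURE=Containers-DisposableClientVM"
set "STATE="
:: /english keeps the "State" label stable on non-English systems.
for /f "tokens=1,* delims=:" %%a in ('dism /online /english /get-featureinfo /featurename:%FEATURE% 2^>nul ^| findstr /b /c:"State"') do set "STATE=%%b"
:: Trim the leading space left after the colon.
for /f "tokens=*" %%s in ("%STATE%") do set "STATE=%%s"
if not defined STATE (
    echo [FAIL] Feature state unavailable: unsupported edition or not elevated.
    exit /b 1
)
if /i "%STATE%"=="Enabled" (
    echo [PASS] %FEATURE% is enabled.
    exit /b 0
)
if /i "%STATE%"=="Enable Pending" (
    echo [WAIT] %FEATURE% is enabled but a restart is still pending.
    exit /b 2
)
if /i not "%STATE%"=="Disabled" (
    echo [FAIL] Unexpected feature state: %STATE%
    exit /b 1
)
echo [ACTION] Enabling %FEATURE%...
dism /online /enable-feature /featurename:%FEATURE% /all /norestart >nul
set "RC=%errorlevel%"
:: 3010 is the Windows "success, restart required" code.
if "%RC%"=="3010" (
    echo [WAIT] Feature enabled. Restart before launching WindowsSandbox.exe.
    exit /b 2
)
if "%RC%"=="0" (
    echo [PASS] Feature enabled.
    exit /b 0
)
echo [FAIL] DISM returned exit code %RC%.
exit /b 1
```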
Windows Sandbox is supported on ARM64 hardware (like Surface Pro X) starting with Windows 10 build 20185. If you are on an ARM device, ensure you are on a modern build of Windows.
Conclusion
Checking for Windows Sandbox availability via Batch script is an essential preliminary step for secure software testing and automated malware analysis. By systematically verifying the Windows Edition, BIOS virtualization settings, and the status of the "Containers" feature, you can build reliable automation that ensures a safe "detonation" environment is always ready. This professional approach to environment verification reduces runtime errors and maintains the security of your host system, providing a robust and isolated platform for all your untrusted software evaluations.