Use Intune and PowerShell to deploy an application in Windows Sandbox on devices

In this post I will show a script I created that allows you to deploy Windows Sandbox with a specific installed application on a device with Intune.

You have some computers enrolled in Intune.
A user wants to test an application before installing it on his own computer.
A user wants to test an application in an isolated environment.
The user doesn't have admin rights on his computer but he needs to test an application that requires admin rights.

The script
You can find the script to install Docker for Windows on the GitHub link below.

The solution

To address this context, you can use the Windows Sandbox feature.
This allows you to run a virtual environment of your OS and run, for instance, an application or script in an environment isolated from your computer.

The solution I share proceeds as below:
1. An XML config file allows you to set the application name, command line, file name, sandbox location on the device...
2. Create a Win32 app that copies and runs a specific Sandbox (using a WSB file) depending on the XML
3. The Sandbox will be launched on the device and the application will be installed in it

XML configuration
A config file allows you to apply basic configurations to the Windows Sandbox and set the application configuration.
It is called Sandbox_Config.xml.

It allows you to set the options below:
- Sandbox VGpu option
- Sandbox Networking option
- Sandbox ReadOnlyAccess option for shared folder
- WSB files location
- Application name
- File to run (with extension)
- Silent switch to add (if needed)
- Location of the Windows Sandbox file (on the host device)
- Location of the application sources (on the host device)

See below an overview:
If the Sources_Location is set to Default, the WSB file will be saved in ProgramData.
If the WSB_Location is set to Default, application sources will be saved on the device desktop.
You can type your own location.
Copy the application sources into the Sources folder: exe, msi, ps1...

XML examples
Install from a PowerShell script
You want to install an application from the install.ps1 file.
Below is the XML overview:

Install from an EXE
You want to install an application from an EXE file.
You want to add the silent switch /s.
Below is the XML overview:

We will use the Microsoft Win32 Content Prep Tool.
To download it, go to this link.

What does the script do?
The script will proceed as below:
- Install the Windows Sandbox feature, if it is not already installed
- Add the current user to the Hyper-V admin group
- Generate a Windows Sandbox (WSB file) with the configuration from the XML
- Launch the Windows Sandbox
- Run the application in the Sandbox
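
One way the "generate a WSB file from the XML" step can look, as an added example and not the author's Intune_Deploy_WSB.ps1. The sample config, its root and element names other than Sources_Location, and the setup.exe file name are assumptions; the output uses the documented Windows Sandbox configuration elements.

```powershell
# Constructed sample config. Only Sources_Location is a name taken from the
# post; the root element and every other element name are hypothetical.
[xml]$Config = @'
<Sandbox_Config>
  <VGpu>Disable</VGpu>
  <Networking>Disable</Networking>
  <ReadOnlyAccess>true</ReadOnlyAccess>
  <Sources_Location>C:\ProgramData\Sandbox_Sources</Sources_Location>
  <File_To_Run>setup.exe</File_To_Run>
  <Silent_Switch>/s</Silent_Switch>
</Sandbox_Config>
'@

function New-WsbContent {
    param([Parameter(Mandatory)][System.Xml.XmlElement]$Cfg)
    # Reject anything the WSB schema does not accept instead of passing it through.
    foreach ($Name in 'VGpu', 'Networking') {
        if ($Cfg.$Name -cnotin 'Enable', 'Disable', 'Default') {
            throw "$Name must be Enable, Disable or Default (got '$($Cfg.$Name)')"
        }
    }
    if ($Cfg.ReadOnlyAccess -cnotin 'true', 'false') { throw 'ReadOnlyAccess must be true or false' }

    # Without <SandboxFolder>, a mapped folder appears on the sandbox user's desktop.
    $Leaf   = Split-Path -Path $Cfg.Sources_Location -Leaf
    $Target = "C:\Users\WDAGUtilityAccount\Desktop\$Leaf\$($Cfg.File_To_Run)"
    $Command = if ($Target -like '*.ps1') {
        "powershell.exe -ExecutionPolicy Bypass -File `"$Target`""
    } else {
        "`"$Target`" $($Cfg.Silent_Switch)".Trim()
    }
    # Escape config-supplied text so it cannot break out of its XML element.
    $Esc = { param($Text) [System.Security.SecurityElement]::Escape($Text) }
@"
<Configuration>
  <VGpu>$($Cfg.VGpu)</VGpu>
  <Networking>$($Cfg.Networking)</Networking>
  <MappedFolders>
    <MappedFolder>
      <HostFolder>$(& $Esc $Cfg.Sources_Location)</HostFolder>
      <ReadOnly>$($Cfg.ReadOnlyAccess)</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand><Command>$(& $Esc $Command)</Command></LogonCommand>
</Configuration>
"@
}

New-WsbContent -Cfg $Config.Sandbox_Config
```

With Networking set to Disable and ReadOnlyAccess set to true, the application under test cannot reach the network or write back into the shared host folder.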

How does it work?
This will work in 3 steps:
- Create the intunewin package
- Create the Win32 app in Intune
- Assign the app

Create the project folder
As mentioned previously we want to deploy a Sandbox with GitHubDesktop installed.
1. Create a folder Deploy_Custom_Sandbox
2. Copy Intune_Deploy_WSB.ps1 in this folder
3. Copy Sandbox_Config.xml in this folder
4. Download GitHubDesktop
5. Copy the EXE in the folder Sources
6. If you use a ps1 file for installation, copy it in the Sources folder

The folder will look as below:

Create the package
1. Run IntuneWinAppUtil.exe
2. Type the source folder path 
3. Type Intune_Deploy_WSB.ps1
4. Type the Output folder path 
5. A package Intune_Deploy_WSB.intunewin will be created
6. Rename it to Sandbox_GitHubDesktop.intunewin (for our example)

Create the Win32 app
We will now integrate the intunewin package into Intune.
1. Go to Intune
2. Go to Client apps
3. Go to Apps
4. Click on Add
5. Select Windows app (Win32) then Select
6. Click on Select app package file

7. Browse to the package Sandbox_GitHubDesktop.intunewin

8. Click on OK
9. Type a name and a publisher name and configure as you want

10. In Install command type the below command:
11. In Uninstall command type the below command:
12. Click on Next
13. Choose your requirements

14. Click on Next
15. In Detection rules, select Manually configure detection rules

16. Click on Add
17. Configure as below
18. In my case it is C:\Windows\Debug\Deploy_WSB_GitHubDesktop.log
19. Click on OK 
20. Click on Next
21. In the Dependencies part click on Next
22. See below requirements mentioned by Docker
23. In the Scope tags part click on Next
24. In Assignments, go to Required and click on Add group

25. The group will be added

26. Click on Next
27. Click on Create
28. Go to Device install status
29. Once it has been installed, status will be as below:

Get the log
The process will create a log file under C:\Windows\Debug.
See below an overview:

2 comments

Anonymous said…

What are the commands to be submitted?

>> Create the Win32 app
10. In Install command type the below command:
11. In Uninstall command type the below command:

Diagg said…

Super nice solution to test applications, You rock Dam !!!
