This article shows how to deploy and configure applications from the Application Workspace Setup Store using Application Workspace and a PowerShell script within a Windows Sandbox environment.
What the script does
These are the sequential steps executed by the script given as an example in this article.
- Prepare Deployment Files
  The script copies Agent.json and Agentregistration.cer into a mapped folder ($mappedfolder) used by the sandbox and then downloads the Application Workspace Agent Bootstrapper. These files are essential for enabling the Application Workspace to install the Agent and initiate deployments from the main device.
- Customize Deployment Configuration
  The script updates Agent.json to reference either the default sandbox deployment or a custom one specified via the $deployment variable.
- Configure Persistent Sandbox Identity
  The script creates RecastComputerName.ps1, which runs at sandbox startup and after every reboot. It removes existing hostname registry entries, sets the computer name and hostname to "RecastComputerName", and updates domain name values in the Winlogon registry.
- Automate Agent Installation
  The script creates Recast.ps1, a script that installs the Application Workspace Agent inside the sandbox, uses the previously prepared files (Agent.json, certificate, and bootstrapper) and triggers the deployment process once the agent is activated.
- Launch and Monitor Sandbox
  The script generates a .wsb configuration file to define sandbox behavior (e.g., mapped folders, networking) and launches the sandbox, which automatically runs Recast.ps1, installs a default set of applications (e.g., Notepad++, Visual Studio Code) and logs progress to Processing.txt and Done.txt.
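One way to write the .wsb generation step, as an added example that is not the article's script: it builds the file through the XML DOM so paths are escaped, checks that the logon script exists, and maps the host folder read-only, because that folder holds Agent.json and the registration certificate and a MappedFolder is writable from inside the sandbox unless ReadOnly is true. New-SandboxConfig, its parameters and the Deploy sandbox folder are hypothetical names, and the example assumes the logon script writes its logs outside the mapped folder.

```powershell
# Added example; New-SandboxConfig and its parameters are hypothetical names.
function New-SandboxConfig {
    param(
        [Parameter(Mandatory)][string]$HostFolder,   # host folder holding the deployment files
        [Parameter(Mandatory)][string]$LogonScript,  # script file name inside $HostFolder
        [Parameter(Mandatory)][string]$WsbPath,      # where to save the .wsb file
        [string]$SandboxFolder = 'C:\Users\WDAGUtilityAccount\Desktop\Deploy',
        [switch]$Writable                            # opt in to a writable mapping
    )

    # Refuse to build a configuration whose logon command would point at nothing.
    if (-not (Test-Path -LiteralPath (Join-Path $HostFolder $LogonScript) -PathType Leaf)) {
        throw "Logon script '$LogonScript' not found in '$HostFolder'."
    }

    [xml]$doc = @'
<Configuration>
  <MappedFolders>
    <MappedFolder>
      <HostFolder />
      <SandboxFolder />
      <ReadOnly>true</ReadOnly>
    </MappedFolder>
  </MappedFolders>
  <LogonCommand>
    <Command />
  </LogonCommand>
</Configuration>
'@

    # Setting InnerText lets the XML serializer escape characters such as '&' in paths.
    $mapped = $doc.SelectSingleNode('/Configuration/MappedFolders/MappedFolder')
    $mapped.SelectSingleNode('HostFolder').InnerText    = (Resolve-Path -LiteralPath $HostFolder).ProviderPath
    $mapped.SelectSingleNode('SandboxFolder').InnerText = $SandboxFolder
    if ($Writable) { $mapped.SelectSingleNode('ReadOnly').InnerText = 'false' }

    # Same command shape as the article's logon command, pointing at the mapped copy.
    $command = 'powershell.exe -ExecutionPolicy Bypass -File "{0}\{1}"' -f $SandboxFolder, $LogonScript
    $doc.SelectSingleNode('/Configuration/LogonCommand/Command').InnerText = $command

    # XmlDocument.Save is a .NET call, so resolve the PowerShell path to a full path first.
    $doc.Save($ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($WsbPath))
    return $doc.OuterXml
}

# Constructed sample values:
# New-SandboxConfig -HostFolder 'C:\RecastSandbox' -LogonScript 'Recast.ps1' -WsbPath 'C:\RecastSandbox\Recast.wsb'
```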
Windows Sandbox uses the default WdagUtilityAccount, which normally limits app linking. With Application Workspace, you can log in using an Entra ID account, making it easy to test apps for specific users or groups.
Two scenarios where Application Workspace can add value when used with Windows Sandbox
In the first scenario, we use Application Workspace to install several applications from the Application Workspace Setup Store when the Sandbox starts, so it is always up to date. We then configure settings for the applications mentioned.
In the second scenario, we use the DTAP cycle of the Application Workspace. We deploy the application in the Test stage on a Sandbox VM to test new versions and settings in an isolated environment. Meanwhile, we deploy the Production phase of the application on the main device.
The script
param(
    [parameter(Mandatory = $true)][string]$RecastComputerName,
    [parameter(Mandatory = $false)][string]$MappedFolder = 'C:\RecastSandbox',
    [parameter(Mandatory = $false)][string]$LogonCommand = 'Recast.ps1',
    [parameter(Mandatory = $false)][string]$Deployment = 'Sandbox'
)
#Check if Windows Sandbox is already running. Exit if yes
if (Get-Process -Name 'WindowsSandbox' -ErrorAction SilentlyContinue) {
Write-Warning ("Windows Sandbox is already running, exiting...")
return
}
#Validate if
if (Test-Path $MappedFolder -ErrorAction SilentlyContinue) {
Write-Host ("Specified {0} folder exists, continuing..." -f $MappedFolder) -ForegroundColor Green
}
else {
Write-Host ("Creating Specified Sandbox folder {0} now..." -f $MappedFolder) -ForegroundColor Green
New-Item -Path
}
}
#Create .wsb config file, overwrite the existing file if present, and check if specified logoncommand exists
try {
Tee-Object -FilePath
$wsb = @()
$wsb += "
$wsb += "
$wsb += "
$wsb += "
$wsb += "
$wsb += "
$LogonCommandFull = 'Powershell.exe -ExecutionPolicy bypass -File C:\users\wdagutilityaccount\desktop' + $(Get-ChildItem -Path
$wsb += "
$wsb += "
$wsb += "
}
catch {
Write-Warning ("Error creating {0}, check permissions. Exiting..." -f $wsblocation)
return
}
#Copy Recast Agent.json and Agentregistration.cer to $mappedfolder and download bootstrapper, exit if it doesn't exist
if ((Test-Path -Path $env:ProgramData\Liquit\Agent\Agent.json) -and (Test-Path -Path $env:ProgramData\Liquit\Agent\AgentRegistration.cer)) {
try {
Copy-Item $env:ProgramData\Liquit\Agent\Agent.json -Destination
Copy-Item $env:ProgramData\Liquit\Agent\AgentRegistration.cer -Destination
return
}
#Update Agent.json to point to Sandbox deployment (Default) or to the one specified manually using
try {
$json.deployment.autoStart.deployment = $Deployment
return
}
}
#Create RecastComputerName.ps1 script, which will run when the Recast Sandbox starts and after every reboot (Add the rename to HKCU)
try {
'Remove-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -name "Hostname"' | Out-File -FilePath "
'Set-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Control\Computername\Computername" -name "Computername" -value "RecastComputerName"' | Out-File -FilePath "
'Set-ItemProperty -path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -name "Hostname" -value "RecastComputerName"' | Out-File -FilePath "
'Set-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -name "AltDefaultDomainName" -value "RecastComputerName"' | Out-File -FilePath "
'Set-ItemProperty -path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -name "RecastComputerRename" -value "LogonScript"' | Out-File -FilePath "
return
}
#Create Recast.ps1 script, which will install Recast agent in Windows Sandbox
#Transcript logging will be in either 'Processing.txt' or 'Done.txt' when done on the desktop
try {
'Start-Transcript c:\users\wdagutilityaccount\desktop\Processing.txt' | Out-File -FilePath "
"Set-Location 'C:\users\wdagutilityaccount\desktop{0}'" -f (Get-Item
return
}
#Rename RecastComputerName to the value from $RecastComputerName in the RecastComputerName.ps1 script and save
try {
$RecastScriptContents =
return
}
#Create sandbox .wsb file in $mappedfolder and start Windows Sandbox using it
try {
$wsb | Out-File
Write-Host ("Saved configuration in {0} and starting Windows Sandbox..." -f $wsblocation) -ForegroundColor Green
Invoke-Item $wsblocation -ErrorAction Stop
Write-Host ("Done!") -ForegroundColor Green
}
catch {
Write-Warning ("Error starting Windows Sandbox, check permissions. Exiting")
return
}
Further reading
Source article written by Donny van der Linde
Overview of Sandbox and how it works