Building a safe, effective sandbox to enable Codex on Windows
OpenAI Blog · 2026-05-15
OpenAI engineer David Wiesen explains how the team built a multi-layered Windows sandbox for the Codex coding agent after finding that all native Windows isolation primitives were unsuitable for open-ended agentic developer workflows.
Topics: coding-agents, sandboxing, windows-security, codex, systems-engineering
Claims
- Windows provides no single built-in primitive suitable for sandboxing an open-ended agentic coding workflow.
- OpenAI evaluated and rejected AppContainer, Windows Sandbox, and Mandatory Integrity Control labeling, judging each to be the wrong shape for Codex's workload.
- Environment-variable-based network suppression was only advisory and could be bypassed by any process implementing its own networking stack.
- The final elevated sandbox creates two dedicated Windows user accounts, custom synthetic SIDs, write-restricted process tokens, and Windows Firewall rules to enforce both filesystem and network isolation.
- The architecture requires four components: codex.exe, a setup binary (codex-windows-sandbox-setup.exe), a command-runner binary (codex-command-runner.exe), and the child process.
Key quotes
Windows didn't hand us one primitive that cleanly maps to 'safe autonomous coding agent.' We composed several tools and concepts to build something coherent. Some early ideas were dead ends.
Security for a coding agent is a different beast than more classic application security. Codex has to work for real developer workflows. The engineering work was about balancing compatibility with agentic workloads against real enforcement.
Albert Einstein said, 'Everything should be made as simple as possible, but no simpler.' In that spirit, our design adequately solved each problem.