Windows sandbox
Use Codex on Windows with the native ChatGPT desktop app, the CLI, or the IDE extension.
The ChatGPT desktop app on Windows supports core workflows such as parallel tasks, worktrees, scheduled tasks, Git functionality, the built-in browser, file previews, plugins, and skills.
The app can run natively in PowerShell with a Windows sandbox instead of requiring WSL or a virtual machine. This keeps Codex in Windows-native workflows while enforcing bounded filesystem and network permissions.
<CodexScreenshot alt="ChatGPT desktop app Windows sandbox setup prompt above the message composer" lightSrc="/images/codex/windows/windows-sandbox-setup.webp" darkSrc="/images/codex/windows/windows-sandbox-setup.webp" maxHeight="400px" class="my-8" />
The native Windows sandbox has two modes:
- natively on Windows with the stronger
elevatedsandbox, - natively on Windows with the fallback
unelevatedsandbox.
Configure the Windows sandbox
When you run Codex natively on Windows, agent mode uses a Windows sandbox to block filesystem writes outside the working folder and prevent network access without your explicit approval.
Native Windows sandbox support includes two modes that you can configure in
config.toml:
[windows]
sandbox = "elevated" # or "unelevated"
elevated is the preferred native Windows sandbox. It uses dedicated
lower-privilege sandbox users, filesystem permission boundaries, firewall
rules, and local policy changes needed for commands that run in the sandbox.
unelevated is the fallback native Windows sandbox. It runs commands with a
restricted Windows token derived from your current user, applies ACL-based
filesystem boundaries, and uses environment-level offline controls instead of
the dedicated offline-user firewall rule. It's weaker than elevated, but it
is still useful when administrator-approved setup is blocked by local or
enterprise policy.
If both modes are available, use elevated. If the default native sandbox
doesn't work in your environment, use unelevated as a fallback while you
troubleshoot the setup.
Enterprise administrators can constrain which native sandbox implementations
Codex can use through requirements.toml:
[windows]
allowed_sandbox_implementations = ["elevated"]
This example requires the elevated sandbox and prevents users from falling
back to unelevated. To permit either implementation, include both values;
Codex prefers elevated when no mode is selected. See the
requirements.toml reference for
the supported values.
By default, both sandbox modes also use a private desktop for stronger UI
isolation. Set windows.sandbox_private_desktop = false only if you need the
older Winsta0\\Default behavior for compatibility.
Sandbox permissions
Running Codex in full access mode means Codex is not limited to your project directory and might perform unintentional destructive actions that can lead to data loss. For safer automation, keep sandbox boundaries in place and use rules for specific exceptions, or set your approval policy to never to have Codex attempt to solve problems without asking for escalated permissions, based on your approval and security setup.
Windows version matrix
| Windows version | Support level | Notes |
|---|---|---|
| Windows 11 | Recommended | Best baseline for Codex on Windows. Use this if you are standardizing an enterprise deployment. |
| Recent, fully updated Windows 10 | Best effort | Can work, but is less reliable than Windows 11. For Windows 10, Codex depends on modern console support, including ConPTY. In practice, Windows 10 version 1809 or newer is required. |
| Older Windows 10 builds | Not recommended | More likely to miss required console components such as ConPTY and more likely to fail in enterprise setups. |
Additional environment assumptions:
wingetshould be available. If it's missing, update Windows or install the Windows Package Manager before setting up Codex.- The recommended native sandbox depends on administrator-approved setup.
- Some enterprise-managed devices block the required setup steps even when the OS version itself is acceptable.
Grant sandbox read access
When a command fails because the Windows sandbox can't read a directory, use:
/sandbox-add-read-dir C:\absolute\directory\path
The path must be an existing absolute directory. After the command succeeds, later commands that run in the sandbox can read that directory during the current session.
Use the native Windows sandbox by default. Choose WSL when you need Linux-native tooling, your workflow already lives in WSL2, or neither native Windows sandbox mode meets your needs.
Troubleshooting and FAQ
If you are troubleshooting a managed Windows machine, start with the native sandbox mode, Windows version, and any policy error shown by Codex. Most native Windows support issues come from sandbox setup, logon rights, or filesystem permissions rather than from the editor itself.
My native sandbox setup failed
If Codex cannot complete the elevated sandbox setup, the most common causes
are:
- the Windows UAC or administrator prompt was declined,
- the machine does not allow local user or group creation,
- the machine does not allow firewall rule changes,
- the machine blocks the logon rights needed by the sandbox users,
- or another enterprise policy blocks part of the setup flow.
What to try:
- Try the
elevatedsandbox setup again and approve the administrator prompt if your environment allows it. - If your company laptop blocks this, ask your IT team whether the machine allows administrator-approved setup for local user/group creation, firewall configuration, and the required sandbox-user logon rights.
- If the default setup still fails, use the
unelevatedsandbox so you can continue working while the issue is investigated.
Codex switched me to the unelevated sandbox
This means Codex could not finish the stronger elevated sandbox setup on your
machine.
- Codex can still run in a sandboxed mode.
- It still applies ACL-based filesystem boundaries, but it does not use the
separate sandbox-user boundary from
elevatedand has weaker network isolation. - This is a useful fallback, but not the preferred long-term enterprise configuration.
If you are on a managed enterprise laptop, the best long-term fix is usually to
get the elevated sandbox working with help from your IT team.
I see Windows error 1385
If sandboxed commands fail with error 1385, Windows is denying the logon type
the sandbox user needs in order to start the command.
In practice, this usually means Codex created the sandbox users successfully, but Windows policy is still preventing those users from launching sandboxed commands.
What to do:
- Ask your IT team whether the device policy grants the required logon rights to the Codex-created sandbox users.
- Compare group policy or OU differences if the issue affects only some machines or teams.
- If you need to keep working immediately, use the
unelevatedsandbox while the policy issue is investigated. - Send
CODEX_HOME/.sandbox/sandbox.logalong with your Windows version and a short description of the failure.
Codex warns that some folders are writable by Everyone
Codex may warn that some folders are writable by Everyone.
If you see this warning, Windows permissions on those folders are too broad for the sandbox to fully protect them.
What to do:
- Review the folders Codex lists in the warning.
- Remove
Everyonewrite access from those folders if that is appropriate in your environment. - Restart Codex or re-run the sandbox setup after those permissions are corrected.
If you are not sure how to change those permissions, ask your IT team for help.
Sandboxed commands cannot reach the network
Some Codex tasks are intentionally run without outbound network access, depending on the permissions mode in use.
If a task fails because it cannot reach the network:
- Check whether the task was supposed to run with network disabled.
- If you expected network access, restart Codex and try again.
- If the issue keeps happening, collect the sandbox log so the team can check whether the machine is in a partial or broken sandbox state.
Sandboxing worked before and then stopped
This can happen after:
- moving a repo or workspace,
- changing machine permissions,
- changing Windows policies,
- or other system configuration changes.
What to try:
- Restart Codex.
- Try the
elevatedsandbox setup again. - If that does not fix it, use the
unelevatedsandbox as a temporary fallback. - Collect the sandbox log for review.
I need to send diagnostics to OpenAI
If you still have problems, send:
CODEX_HOME/.sandbox/sandbox.log
It is also helpful to include:
- a short description of what you were trying to do,
- whether the
elevatedsandbox failed or theunelevatedsandbox was used, - any error message shown in the app,
- whether you saw
1385or another Windows or PowerShell error, - and whether you are on Windows 11 or Windows 10.
Do not send:
- the contents of
CODEX_HOME/.sandbox-secrets/
The IDE extension is installed but unresponsive
Your system may be missing C++ development tools, which some native dependencies require:
- Visual Studio Build Tools (C++ workload)
- Microsoft Visual C++ Redistributable (x64)
- With
winget, runwinget install --id Microsoft.VisualStudio.2022.BuildTools -e
Then fully restart VS Code after installation.