How OpenAI Built a Secure Codex Windows Sandbox Without Losing Speed


What Codex Computer Use on Windows Actually Is

Codex computer use on Windows is an AI-driven desktop automation system where OpenAI’s coding agent controls foreground applications under strict security boundaries to perform autonomous task execution. Instead of running only in a terminal or code editor, Codex can now read the Windows screen, click UI elements, and type through workflows on the active desktop. This lets developers hand off GUI-heavy tasks such as installer checks, bug reproduction, or interface testing while still keeping AI agent security in place. The Windows update ties together the earlier desktop automation on macOS with mobile supervision through the ChatGPT app, so a phone becomes the review surface while the PC remains the execution surface. Codex runs only on the active user session, which means the same desktop cannot be used for normal work during automation, but in exchange it gains direct access to the tools and project context already on the machine.

From Unelevated Sandbox to a Dedicated Windows Security Model

OpenAI found that existing Windows isolation tools did not map neatly to autonomous coding agents, so the team built a custom Codex Windows sandbox. Windows Sandbox, for example, runs workloads in a disposable virtual machine, but Codex needs direct access to local tools, repositories, and project files. The first design, called the unelevated sandbox, combined security identifiers, access control lists, and write-restricted tokens to give Codex controlled write access only to specific directories like the current workspace. Sensitive locations, including Git metadata paths, stayed protected through ACL rules. According to OpenAI’s David Wiesen, earlier users had to pick between approving almost every action or granting full access, which hurt productivity. The unelevated model reduced that friction while still enforcing boundaries, but it left some networking and account isolation gaps that the team later addressed with a more capable elevated sandbox architecture.

Inside the Elevated Sandbox: SIDs, ACLs, and Restricted Tokens

In the elevated sandbox, OpenAI assembles several Windows primitives into a coherent AI agent security model. During setup, Codex creates dedicated local accounts such as CodexSandboxOffline and CodexSandboxOnline and runs commands under these identities with restricted tokens. This combination sharply limits what the agent can do outside approved areas while still letting it behave like a normal developer tool inside the workspace. OpenAI also adds a synthetic security identifier, often described as a sandbox-write SID, which grants write permissions only to configured directories and keeps everything else read-only or blocked via ACLs. Firewall rules shape network access so that filesystem and networking boundaries can be enforced together. The result is a Codex Windows sandbox where the AI agent can edit code, run tests, and manage builds while system-level changes, sensitive configuration files, and unrelated user data remain out of reach.
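The write-restricted token and sandbox-write SID described in the two sections above can be sketched as a simplified model of the Windows access check. This is an added example, not OpenAI's code: the SID strings, paths, ACL contents, and the use of a deny ACE to protect `.git` are assumptions made for illustration.

```python
# Simplified model of the Windows DACL access check for a write-restricted
# token. SID names, paths and ACL contents are constructed for illustration.
READ, WRITE = 0x1, 0x2

USER = "S-USER"                      # placeholder: SID of the account running the agent
SANDBOX_WRITE = "S-SANDBOX-WRITE"    # placeholder: the synthetic sandbox-write SID

# path -> ordered ACEs (type, sid, mask); deny ACEs first (canonical order)
DACLS = {
    r"C:\work\repo": [("allow", USER, READ | WRITE),
                      ("allow", SANDBOX_WRITE, READ | WRITE)],
    r"C:\work\repo\.git": [("deny", SANDBOX_WRITE, WRITE),   # assumed rule
                           ("allow", USER, READ | WRITE),
                           ("allow", SANDBOX_WRITE, READ | WRITE)],
    r"C:\Users\dev\Documents": [("allow", USER, READ | WRITE)],
}

def dacl_for(path):
    """Return the DACL of the longest matching prefix (stands in for inheritance)."""
    best = max((p for p in DACLS if path == p or path.startswith(p + "\\")),
               key=len, default=None)
    return DACLS[best] if best else []

def granted_by(dacl, sids, desired):
    """Walk ACEs in order; a matching deny on a still-needed bit fails the check."""
    remaining = desired
    for ace_type, sid, mask in dacl:
        if sid not in sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
        if not remaining:
            return True
    return remaining == 0

def access_check(path, desired, sids, restricting_sids):
    dacl = dacl_for(path)
    # Pass 1: the token's ordinary SIDs must grant everything requested.
    if not granted_by(dacl, sids, desired):
        return False
    # Pass 2: for a write-restricted token, only the write bits are
    # re-checked against the restricting SIDs; reads skip this pass.
    write_bits = desired & WRITE
    return write_bits == 0 or granted_by(dacl, restricting_sids, write_bits)

def sandbox_can(path, desired):
    return access_check(path, desired, {USER}, {SANDBOX_WRITE})
```

In this model the agent can read wherever the account can, but a write succeeds only where the DACL also grants the sandbox-write SID, which is why the Documents folder stays read-only even though the account itself has write access there.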

Foreground-Only Control and Phone Supervision for Safe Automation

On Windows, Codex controls the active desktop session instead of working in the background, which is a key part of desktop automation safety. Because the agent drives the same foreground UI a user would, it can test interfaces, step through bugs, and run deliberate workflows where context already lives, but it cannot quietly manipulate other sessions. This foreground-only rule means the PC must be treated as the task surface while Codex runs, rather than a spare screen for parallel work. The new phone-based workflow softens that tradeoff: developers connect their PC from the ChatGPT mobile app, then review approvals, diffs, screenshots, and terminal output remotely while Codex continues on the machine. The phone becomes a supervision surface, not an execution environment, so approvals stay in the user’s hands without weakening the sandboxed execution model on Windows.

Balancing Isolation, Performance, and Real-World Developer Workflows

The Codex Windows sandbox is designed to keep AI-powered autonomous task execution practical, not theoretical. OpenAI needed enough isolation to prevent an agent from treating the entire filesystem like a playground, while still giving it fast access to real tools and code. By basing the architecture on SIDs, ACLs, restricted tokens, and dedicated accounts, the company avoids heavy virtual machines that would add latency and complicate tooling integration. Everything runs on the host desktop, so performance stays close to a normal local workflow. At the same time, firewall controls and foreground-only sessions place clear limits around what Codex can touch. For developers, that means they can let the agent handle real tasks—GUI testing, build steps, bug reproduction—without constant micromanagement, while still maintaining clear, enforceable security boundaries between their system and the AI agent.
