Codex for Windows: Native Desktop Agent Sandbox Guide
OpenAI launches Codex as a native Windows app with open-source agent sandbox, parallel tasks, PowerShell integration, and per-task Git worktrees. Setup guide.
Windows App Released
Sandbox License
Parallel Tasks
Minutes Read
Key Takeaways
OpenAI launched Codex as a native Windows desktop application on March 4, 2026, marking the first time the autonomous coding agent has been available outside a browser. The release includes three features that distinguish it from existing AI coding tools: an open-source agent sandbox for transparent and auditable code execution, parallel task support with isolated Git worktrees, and deep PowerShell integration that makes Codex behave like a genuinely Windows-native tool rather than a web app wrapper.
For Windows developers who have been watching AI coding tools arrive first on macOS or as browser extensions, the native app is a meaningful change. The PowerShell integration in particular addresses a persistent gap: previous AI coding tools could suggest bash commands that Windows developers then had to mentally translate to PowerShell equivalents. Codex understands Windows conventions natively. For context on how this fits into the broader AI coding tool landscape, our comparison of GitHub Copilot Coding Agent's semantic search capabilities covers the competing approach to autonomous coding agents from Microsoft.
What Is OpenAI Codex for Windows
OpenAI Codex (not to be confused with the original Codex model from 2021) is the company's autonomous coding agent product that sits atop the GPT-5.4 model. It can read entire codebases, plan multi-step implementation tasks, write code, run tests, execute terminal commands, and commit changes — all without requiring the developer to provide step-by-step instructions.
Built as a native Windows application with direct file system access, PowerShell execution, and integration with Windows development tools. Not a browser wrapper or Electron port.
The code execution environment is publicly available under an open-source license. Developers can audit, modify, or self-host the sandbox for security compliance requirements.
Each task runs in an isolated Git worktree, enabling multiple agent tasks to execute simultaneously without code changes interfering between parallel workstreams.
The product targets professional developers working on non-trivial codebases, not beginners using AI to generate starter templates. OpenAI positioned the Windows release alongside improvements to the underlying agent's ability to handle large codebases, understand complex dependencies, and maintain context across multi-session development tasks. The GPT-5.4 model that powers Codex handles the reasoning and code generation while the desktop app handles task management, file system access, and execution environment.
Installation and Initial Setup
The Codex Windows app is available as a direct download from OpenAI's website and through the Microsoft Store. Installation follows standard Windows application conventions — run the installer, accept the permissions prompt, and sign in with your OpenAI account. The app requires Windows 10 (version 2004 or later) or Windows 11.
- Windows 10 version 2004+ or Windows 11
- 8 GB RAM minimum (16 GB recommended)
- Git for Windows installed
- OpenAI API key with sufficient quota
- PowerShell 5.1 or PowerShell 7+
- 1.Install app and sign in with OpenAI credentials
- 2.Add API key in Settings > API Configuration
- 3.Open a repository folder as a workspace
- 4.Configure sandbox permissions for your project
- 5.Run the built-in repository scan to index your codebase
First run recommendation: Start with a small, non-critical repository to familiarize yourself with how Codex interprets tasks and manages changes. The approval workflow lets you review all proposed changes before they are committed, but understanding the agent's behavior on a low-stakes project first will save time on production codebases.
The workspace concept is central to how Codex organizes work. A workspace corresponds to a Git repository root. Codex reads all files in the workspace to build its understanding of the codebase, which is why the repository index scan is important on first setup. Larger repositories may take several minutes to index, but the index is cached and updated incrementally after the initial scan.
The Open-Source Agent Sandbox
The agent sandbox is the component that controls what the Codex agent can and cannot do during task execution. Every file write, terminal command, network request, and process spawn goes through the sandbox, which enforces the policies you configure for your workspace.
OpenAI's decision to open-source the sandbox addresses one of the key objections enterprise developers have raised about AI coding agents: the “black box” problem. When an agent has access to your file system and terminal, you need to understand exactly what guardrails are in place. The sandbox code is publicly available, allowing security teams to audit the execution model rather than taking OpenAI's word for it.
Define which directories the agent can read, write, or create files in. Restrict operations to the workspace root, specific subdirectories, or expand to system-level paths for development tooling tasks.
Control which PowerShell cmdlets and external executables the agent can invoke. Pre-built profiles cover common development scenarios (build tools, test runners, package managers) without requiring manual policy configuration.
Configure outbound network access policies: block all internet access, allow specific domains (package registries, internal APIs), or permit unrestricted access for development workflows that require external resources.
Self-hosting the sandbox is the option most relevant for enterprises with strict data residency requirements. When you self-host, the agent's code execution happens in your own infrastructure. OpenAI's API still receives the conversation context (the task instructions and code output), but the actual file operations and command execution stay within your environment. This is not full air-gap isolation, but it addresses the most common enterprise data concerns about agent code execution.
Parallel Tasks and Per-Task Git Worktrees
The parallel task system is one of the most practically impactful features of Codex for Windows. Rather than requiring developers to wait for one task to complete before starting another, Codex can work on multiple independent tasks simultaneously. The key technical mechanism that makes this safe is per-task Git worktrees.
A Git worktree is a linked working directory that references the same repository but operates on a separate branch. When you assign a task to Codex, it automatically creates a new worktree on a new branch. All changes the agent makes for that task happen in its isolated worktree. When you review and approve the task, the changes are merged back to your development branch through the standard Git workflow.
Each task gets a branch named codex/task-[id] and a linked working directory. The agent can make any changes it needs without affecting your main branch or other in-progress tasks. Conflicts between tasks only need to be resolved at merge time, not during execution.
Common parallel task patterns: assign feature implementation, test writing, and documentation updates simultaneously. Or use one task to refactor a module while another runs the full test suite against the current codebase to establish a baseline.
Parallel task cost consideration: Each parallel task runs an independent agent session and consumes API tokens proportional to the task complexity. Running three parallel tasks simultaneously can cost three times what a single sequential task costs. Reserve parallelism for genuinely independent tasks where the speed benefit justifies the cost.
The task queue in the Codex UI shows all active, pending, and completed tasks with their worktree status, token consumption, and proposed changes. You can pause a running task, reassign it with modified instructions, or reject changes without those changes ever entering your main branch. The review workflow is similar to reviewing a pull request, but the entire PR was authored by the agent.
PowerShell Integration and Windows-Native Features
PowerShell integration is the most differentiating aspect of the Windows release relative to previous Codex access methods. The agent can generate and execute PowerShell commands natively, understands the distinction between Windows PowerShell (5.1) and PowerShell Core (7+), and handles Windows-specific path conventions, environment variables, and command syntax correctly.
- Native PowerShell script generation and execution
- .NET CLI and MSBuild integration
- winget and Chocolatey package management
- Windows Registry read operations for config detection
- Windows path convention awareness (backslash, drive letters)
- Visual Studio solution and project file awareness
- NuGet package management and restore operations
- IIS and Windows service configuration tasks
- Azure CLI and Azure Developer CLI (azd) integration
- Windows Subsystem for Linux (WSL2) command execution
The WSL2 integration is particularly useful for Windows developers working on cross-platform projects. Codex can switch between PowerShell commands for Windows-specific operations and bash commands through WSL2 for Linux-specific tooling within the same task. This eliminates the awkward context switching that made previous AI coding tools frustrating on Windows for projects that need to run on both operating systems.
Codex vs Cursor and GitHub Copilot Agent
The AI coding tool landscape in early 2026 has three dominant autonomous agent options: Codex, Cursor's Background Agents, and GitHub Copilot Coding Agent. Each takes a meaningfully different architectural approach. Understanding the differences helps developers choose the right tool for their workflow and avoid paying for overlapping capabilities.
Strengths: Deep Windows integration, open-source sandbox for auditability, self-hosting option, parallel task execution with Git worktrees, and direct API access for cost control. Best for: Windows-focused teams, enterprises with data residency requirements, developers who want direct control over the execution environment.
Strengths: Tighter editor integration with inline diff review, multi-model support (Claude, GPT-5.4, Gemini), seamless workflow for developers who live in the editor. Weaknesses: Less Windows-native than Codex, agent sandbox is not open-source, parallel execution is more limited. Best for: Editor-centric workflows where you want the agent experience integrated into your coding environment.
Strengths: Deep GitHub integration (PR creation, review responses, Actions workflows), semantic search across repository history, natural fit for GitHub-centric teams. Weaknesses: Less control over execution environment, requires GitHub Enterprise for full features. Best for: Teams already using GitHub Enterprise who want agent capabilities integrated directly into their PR workflow.
Security Model and Code Execution Sandboxing
Giving an AI agent read and write access to your local file system and terminal is a non-trivial security decision. Codex's security model addresses this through layered controls that apply at the sandbox level, the workspace level, and the individual task level.
By default, agents can only access files within the workspace directory. File operations outside the workspace require explicit permission grants in the sandbox configuration.
All file changes are staged for review before committing. Destructive operations (file deletion, branch force push, registry writes) require explicit approval at both the sandbox policy level and in the task review UI.
Every file operation, command execution, and network request is logged in the task audit trail. Logs are stored locally and can be exported for security review or incident investigation.
Secrets management warning: The Codex agent reads all files in the workspace directory to understand the codebase. Ensure .env files, credentials, and secrets are either excluded from the workspace or properly handled in your .gitignore. The agent context includes file contents, which are sent to OpenAI's API as part of task processing.
Practical Workflows for Windows Developers
The most effective way to use Codex is to assign it tasks that require reading multiple files, making consistent changes across a codebase, and verifying correctness through tests — exactly the kind of work that is tedious for developers but well-suited to an agent that can hold the entire codebase in context.
- Adding a consistent logging pattern across 20+ files
- Migrating from one library version to another across the codebase
- Writing unit tests for existing untested functions
- Refactoring a module to use a new interface
- Generating API documentation from code comments
- Initial architecture decisions for new systems
- Security-critical code paths (auth, payments, data access)
- Complex algorithmic work requiring deep domain knowledge
- Tasks where the requirements are ambiguous or evolving
- Debugging production incidents with unclear root causes
Windows-specific workflows that Codex handles particularly well include .NET project maintenance, PowerShell automation script generation, Azure resource configuration scripts, and Windows service setup tasks. For web development teams who deploy to Azure from Windows machines, our guide on modern web development practices covers the broader context of where AI coding agents fit in production development workflows.
Limitations and Current Constraints
Codex for Windows is a v1 product with meaningful limitations that developers should understand before integrating it into critical workflows. These are not disqualifying constraints, but they affect which use cases are well-suited to the current release.
Context window limits on large codebases: Repositories above approximately 500,000 lines of code require selective context configuration. The agent cannot hold the entire codebase in a single context window; you need to specify which modules are relevant to the task to avoid context truncation errors.
Variable cost predictability: Task costs depend on codebase size, task complexity, and the number of agent reasoning steps required. Long tasks on large repositories can be expensive. Set budget limits per task in the app settings to prevent unexpected charges.
GUI and front-end limitations: Codex works best with code that can be verified through automated tests and linting. UI-heavy work — building React components, adjusting CSS, creating visual layouts — is harder for the agent to verify correct output without a visual rendering step.
No real-time collaboration: Multiple developers cannot assign tasks to the same Codex workspace simultaneously in the current release. Team usage requires either separate workspaces per developer or a queued task assignment workflow.
Conclusion
Codex for Windows represents a meaningful step toward making autonomous coding agents practical for Windows-native development teams. The combination of genuine PowerShell integration, an open-source auditable sandbox, and parallel task execution with Git worktree isolation addresses the three main objections Windows developers had to previous AI coding agent options: platform misfit, opacity, and single-threaded operation.
The limitations around large codebase context and cost variability are real, but they are the expected constraints of a first release rather than fundamental design problems. Teams that invest in learning Codex's effective task patterns now — particularly around codebase-wide refactoring, test coverage expansion, and Windows-specific automation — will build practices that scale as the tool matures and the underlying model improves.
Ready to Modernize Your Development Workflow?
AI coding agents are one component of a modern development strategy. Our team helps businesses evaluate and implement development tooling that actually improves delivery velocity and code quality.
Related Articles
Continue exploring with these related guides