diff --git a/codex-rs/windows-sandbox-rs/src/lib.rs b/codex-rs/windows-sandbox-rs/src/lib.rs
index 3b6a33c10b..9a1a7bcfc0 100644
--- a/codex-rs/windows-sandbox-rs/src/lib.rs
+++ b/codex-rs/windows-sandbox-rs/src/lib.rs
@@ -513,6 +513,15 @@ mod windows_impl {
                     return Err(err);
                 }
             };
+            if persist_aces && let Some(psid_workspace) = psid_workspace {
+                let workspace_cap_sid = workspace_cap_sid_for_cwd(codex_home, cwd)?;
+                sync_persistent_deny_read_acls(
+                    codex_home,
+                    &workspace_cap_sid,
+                    additional_deny_read_paths,
+                    psid_workspace,
+                )?;
+            }
             if !persist_aces {
                 for path in applied_deny_read_paths {
                     guards.push((path, psid_generic));
diff --git a/codex-rs/windows-sandbox-rs/src/spawn_prep.rs b/codex-rs/windows-sandbox-rs/src/spawn_prep.rs
index b0cf0f3075..5287229933 100644
--- a/codex-rs/windows-sandbox-rs/src/spawn_prep.rs
+++ b/codex-rs/windows-sandbox-rs/src/spawn_prep.rs
@@ -272,6 +272,15 @@ pub(crate) fn apply_legacy_session_acl_rules(
         } else {
             apply_deny_read_acls(additional_deny_read_paths, psid_generic.as_ptr())?
         };
+        if persist_aces && let Some(psid_workspace) = psid_workspace {
+            let workspace_cap_sid = workspace_cap_sid_for_cwd(codex_home, current_dir)?;
+            sync_persistent_deny_read_acls(
+                codex_home,
+                &workspace_cap_sid,
+                additional_deny_read_paths,
+                psid_workspace.as_ptr(),
+            )?;
+        }
         if !persist_aces {
             guards.extend(applied_deny_read_paths);
         }