Jun 24, 2026 · 5:26 AM

Microsoft gives AI agents a safer way to work on Windows

Microsoft introduced Microsoft Execution Containers at Build 2026 to give developers policy-based controls for AI agents on Windows and WSL. The move ties agent execution to Windows, Agent 365, Entra and Intune as enterprises look for containment, identity and auditability.

Elroy Fernandes

Microsoft is trying to make Windows the place where AI agents can do real work without being handed the keys to the whole machine.

Microsoft used Build 2026 to introduce Microsoft Execution Containers, or MXC, an early preview SDK built for one of the biggest problems now facing enterprise AI: agents are becoming useful enough to run code, read files, call networks and automate workflows, but most companies still do not want them operating with the full authority of a logged-in employee.

That distinction matters. A chatbot that answers a question is one thing. An agent that can open a terminal, edit a repository, scrape through local files and connect to online services is something else entirely. Once software starts taking actions across a desktop or development environment, security teams stop asking whether the model is clever and start asking what it is allowed to touch.

MXC is Microsoft's answer to that question. As Microsoft said in its Windows Developer Blog, the new SDK is a cross-platform, policy-driven execution layer for agents running across Windows and WSL. Developers can define what an agent can access, including file and network permissions, while Windows enforces those limits at runtime.

The useful part of MXC is not that it wraps agents in another developer tool. It is that Microsoft is treating agent behavior as an operating system problem. Agents do not behave like normal applications. They generate actions dynamically, often in response to prompts that change from one task to the next. That makes old assumptions about app permissions feel too broad for the work now being attempted.

Microsoft says MXC will support a spectrum of containment options. The first is process isolation, designed for lighter, faster workloads such as coding agents that need to stay responsive while running model-generated commands. GitHub Copilot CLI has already adopted MXC process isolation, which gives Microsoft an immediate proving ground inside one of the most visible AI developer workflows.

The second is session isolation, which separates an agent from the human user's desktop, clipboard, input devices and active sessions. That is aimed at longer-running workflows where an agent may need its own environment to open apps or automate tasks without creating risks such as input injection, UI spoofing or cross-session data leakage. Microsoft says process isolation and session isolation will be available to Windows Insiders shortly after Build.

This is the practical tension behind the announcement. Companies want the productivity gains promised by agents, but they do not want a model-generated command wandering across a developer laptop or business workstation with whatever access the user happened to have. Containment gives the agent enough room to work while making the blast radius smaller when it makes a bad decision.

Microsoft is building the control plane around the agent

The more strategic part sits above the sandbox. MXC is designed to work with Agent 365, Entra and Intune, so organizations can apply policy from the same administrative systems they already use for employees, devices and applications. In other words, Microsoft is not only offering a runtime. It is trying to make agent governance feel like a natural extension of enterprise IT.

That is where Windows becomes more than a place to run agents. Microsoft wants Windows to assign agents their own local ID or Entra-backed cloud identity, then attribute activity to that identity. For security teams, this is a major shift. The question becomes not just who ran a command, but whether a human or an agent performed the action, under which policy, from which device and with what access.

Agent 365 reached general availability on May 1, and Microsoft has been positioning it as a control plane to observe, govern and secure agents across organizations. The MXC announcement gives that control plane a more concrete execution layer on Windows. It also brings local agents closer to the same managed world as cloud apps, where identity, audit logs and policy enforcement are expected rather than optional.

The partner list also shows where Microsoft thinks the market is heading. OpenClaw is running securely on Windows with MXC. NVIDIA is bringing OpenShell to Windows through MXC. Hermes, Manus and OpenAI are listed as ecosystem partners. NVIDIA's own OpenShell project already focuses on sandboxed execution, policy enforcement and auditability for autonomous agents, which makes the overlap easy to understand.

There is still a catch. MXC is early preview software, and Microsoft's GitHub repository warns that current profiles should not yet be treated as security boundaries. Some policies are still overly permissive, and several containment options, including micro-VMs, Linux containers and MXC integration for Windows 365 for Agents, remain on the roadmap rather than in general use. That caveat is important because agent security cannot survive on branding alone.

Even so, the direction is clear. The agent market is moving out of demos and into the ordinary mess of enterprise work: repositories, terminals, local files, cloud resources, credentials and compliance requirements. Whoever controls the layer that decides what agents can do will have influence over how companies adopt them.

For developers, MXC may become another thing to wire into an agent stack. For Microsoft, it is a bid to make Windows the trusted execution surface for autonomous software. If the company can turn containment, identity and policy into default expectations for agents, it will have done something more valuable than ship another AI feature. It will have defined where the guardrails live.

Elroy is a digital marketer and developer from Goa, with over a decade of experience in web development and marketing. He has been associated with several startups and currently serves as an Editor of the Asia Pacific Industrial magazine. He occasionally writes on Startup Fortune about technology and automation.