News · 2 min read

Windows gets platform security for AI agents: the MXC SDK

Image: modern computers on a desk next to a window. Photo: Diana · Pexels

Alongside Build 2026, Microsoft announced a set of security primitives for AI agents built directly into the operating system. The reasoning is straightforward: agents are no longer chatbots that answer and go quiet. They run on their own, touch files, open network connections and make decisions. Microsoft wants those limits enforced in Windows itself, not bolted onto each app.

Microsoft Execution Containers (MXC)

The centerpiece is the Microsoft Execution Containers (MXC) SDK, a policy-driven execution layer for agents that works on Windows and WSL. Developers define the constraints and Windows enforces them at runtime through an abstraction layer. It ships in early preview shortly after Build 2026, with the code published on GitHub under microsoft/mxc. It targets developers building agents on both consumer and enterprise systems.

MXC offers several isolation modes that combine depending on how risky the workload is:

  • Process isolation: lightweight containment within the user environment, restricting file and network access per the defined policy. It suits coding agents that need a responsive development loop. GitHub Copilot CLI already uses it.
  • Session isolation: separates agent execution from the human user environment (desktop, clipboard, UI, inputs). It uses distinct local or cloud-provisioned identities through Entra, which prevents UI spoofing and cross-session data leakage. The initial release supports non-interactive sessions only and is managed through Intune policies.

On the roadmap are micro-VMs with hardware-backed hypervisor isolation for higher-risk workloads handling sensitive data, plus Linux container support via WSL for Linux-first toolchains and ML frameworks.

What’s available now

Windows 365 for Agents is generally available. It runs agents in separate Intune-managed Cloud PC instances, with MXC integration planned, and fits enterprise agent fleets under centralized policy.

Underneath, the security baseline includes Defender real-time protection against prompt injection and emerging agent threats, post-quantum cryptography in Insider builds, Secure Boot as a hardware root of trust, passwordless sign-in with passkeys, Hotpatch updates without restarts, and production drivers written in Rust to cut memory-safety bugs.

Policy controls are applied through Microsoft Entra and Intune, letting admins tell human and agent activity apart and keep full audit trails. Microsoft isn’t doing this alone: it’s working with Hermes, Manus, NVIDIA, OpenAI and OpenClaw. OpenClaw runs its node and gateway over MXC with a new Windows companion app, and NVIDIA integrates MXC into OpenShell for always-on agent deployments.

If sandboxing agents with NVIDIA runtimes rings a bell, we covered it recently on the Linux side: Canonical and NVIDIA bring OpenShell to Ubuntu as a snap for AI agents.

Who it affects

Developers building agents get an official containment mechanism instead of improvising sandboxes. IT teams and enterprises get the ability to apply and audit policies with Entra and Intune. Many of these capabilities already ship in Windows Insider builds, and the broader developer preview program starts after Build 2026.

Source

Based on Microsoft’s original announcement on the Windows blog: Windows platform security for AI agents. All product and feature names belong to Microsoft.