ai · 2026-06-04

Microsoft just put an AI-agent sandbox inside Windows

Microsoft introduced the Microsoft Execution Containers (MXC) SDK at Build 2026 — a policy-driven, kernel-enforced execution layer for AI agents on Windows and WSL. Process and session isolation are in early preview; micro-VM and Linux-container support are on the roadmap. NVIDIA, OpenAI, Nous Research, Manus, and OpenClaw are confirmed partners. MXC is the new baseline for trustworthy enterprise agents.

At Build 2026, Microsoft announced Microsoft Execution Containers (MXC) — a cross-platform, policy-driven execution layer for AI agents on Windows and WSL, with kernel-level isolation primitives and a roadmap that includes process, session, micro-VM, and Linux-container isolation. OpenAI, NVIDIA, Manus, Nous Research, and OpenClaw are already building on the SDK.

What You Need to Know: Microsoft introduced the Microsoft Execution Containers (MXC) SDK at Build 2026, providing a policy-driven, kernel-enforced execution layer for AI agents on Windows and WSL. Process isolation and session isolation are shipping in early preview, with micro-VM and Linux container support on the roadmap. NVIDIA's OpenShell, OpenAI's Codex, Nous Research's Hermes Agent, Manus, and OpenClaw are confirmed partners building on the SDK. The work is part of Microsoft's broader Agent 365 governance framework for enterprise agents.

Why It Matters

  • Microsoft has turned Windows into the OS for trustworthy agents. The MXC SDK gives developers policy-based controls over what files, network calls, and UI elements an agent can touch, and the kernel enforces those rules in real time. This is the first OS-level primitive designed for the agent era at the scale Windows provides.
  • The partner list is the story: NVIDIA, OpenAI, Nous, Manus, OpenClaw. When the agent-runtime layer spans the largest GPU company, the largest model lab, the leading open-weights research lab, the leading autonomous-agent platform, and the leading open-source agent project, you have a de-facto standard being formed in real time.
  • The composable sandbox / containment spectrum is the architecture to study. Process isolation for low-overhead coding agents, session isolation for long-running workflows, micro-VMs for high-risk workloads, Linux containers for ML toolchains, and Windows 365 for Agents for cloud-resident execution — all under one policy model and one SDK.
  • Microsoft is winning the enterprise agent platform war before most companies realized it started. If your agent runs on Windows (which is most enterprise endpoints), the security model is now Agent 365 + MXC, and the alternative is to build your own isolation stack. Most teams will not.

What Actually Happened

Microsoft Execution Containers (MXC) SDK: kernel-level isolation for agents

At Build 2026 (June 2-3, San Francisco), Microsoft introduced the Microsoft Execution Containers (MXC) SDK, a cross-platform, policy-driven execution layer for AI agents on Windows and WSL. The SDK is Microsoft's answer to the question every enterprise CISO has been asking since 2024: how do you let agents act on real data, in real systems, at real scale, without giving them the keys to the kingdom? The answer MXC provides: developers define what to constrain in their apps and agents, and Windows enforces those constraints consistently at runtime through MXC, with an abstraction layer across isolation primitives so developers don't have to manage low-level isolation details.

The core idea is the composable sandbox and containment spectrum: a coding agent and an enterprise data-processing agent may not need the same guardrails, but they do need one coherent trust story. The same policy model and SDK can map to different isolation constructs depending on the workload and containment requirements. Agent 365's policy-based controls with Microsoft Entra and Intune apply MXC constraints to a specific agent.

The isolation tiers: process, session, micro-VM, Linux, cloud

MXC ships with a tiered set of isolation primitives, each mapped to a workload shape:

  • Process isolation provides fast, lightweight containment within the user's environment for scenarios like running model-generated code within a dedicated process boundary that restricts access to files and network domains outside defined policy. It is ideal for coding agents where the developer inner loop must stay responsive. GitHub Copilot CLI has adopted MXC process isolation to constrain what dynamically generated and executed code can do.
  • Session isolation is for workloads that span many long-running processes or need their own resources. Sessions in Windows separate the agent's execution from the human user's environment — interactive desktop, clipboard, UI, input devices, and active sessions — mitigating UI spoofing, input injection, and cross-session data leakage. Windows assigns a local ID or a cloud-provisioned identity backed by Entra, attributing all activity from the container to that identity. Intune policies can require MXC isolation with guardrails such as filesystem rules.
  • Micro-VM (roadmap) uses hardware-backed isolation via the hypervisor with lightweight images to raise the bar against sandbox escapes. It is suited to agents that process sensitive data or run untrusted external code, a concern that grows as LLMs develop capabilities relevant to escaping sandboxes.
  • Linux containers (roadmap) bring the containment model to Linux-first agent toolchains via WSL, enabling compatibility with Linux ML frameworks and package ecosystems with OS-enforced boundaries.
  • Windows 365 for Agents, now generally available, extends containment beyond the local device. The agent runs in an Intune-managed Cloud PC, fully separate from the user's machine. With future MXC integration, Windows 365 for Agents will scale from lightweight local isolation to stronger hardware-backed boundaries — through a single SDK and policy model.
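As an added illustration that is not the MXC SDK (the page shows no MXC API), here is a hypothetical Python model of the spectrum above: one allow-list policy over files, network domains and UI, a workload profile that selects an isolation tier, and a deny-by-default check that normalises paths so a `..` segment cannot walk outside the allowed tree. Every class, field and function name here is an assumption, not something from Microsoft's SDK.

```python
from dataclasses import dataclass, field
from enum import Enum
import posixpath
from urllib.parse import urlparse

class Tier(Enum):
    PROCESS = "process"            # lightweight, inside the user's environment
    SESSION = "session"            # own Windows session: desktop, clipboard, input
    MICRO_VM = "micro-vm"          # hypervisor-backed boundary
    LINUX_CONTAINER = "linux"      # WSL-hosted Linux toolchains
    CLOUD_PC = "cloud-pc"          # Windows 365 for Agents, off the local device

@dataclass
class Policy:  # hypothetical policy shape: allow-lists for files, domains, UI
    allowed_paths: list = field(default_factory=list)
    allowed_domains: list = field(default_factory=list)
    ui_access: bool = False

@dataclass
class Workload:  # hypothetical workload profile, one flag per page tier cue
    long_running: bool = False     # many long-lived processes, own resources
    external_code: bool = False    # runs untrusted third-party code
    sensitive_data: bool = False
    linux_toolchain: bool = False
    off_device: bool = False

def select_tier(w: Workload) -> Tier:
    """Pick the tier the page associates with each workload shape, strongest first."""
    if w.off_device:
        return Tier.CLOUD_PC
    if w.linux_toolchain:
        return Tier.LINUX_CONTAINER
    if w.external_code or w.sensitive_data:
        return Tier.MICRO_VM
    if w.long_running:
        return Tier.SESSION
    return Tier.PROCESS  # e.g. a coding agent running model-generated code

def allowed(policy: Policy, kind: str, target: str) -> bool:
    """Deny by default; only targets inside the policy's allow-lists pass."""
    if kind == "file":
        path = posixpath.normpath(target)  # collapse '..' so traversal cannot escape
        return any(path == root or path.startswith(root.rstrip("/") + "/")
                   for root in policy.allowed_paths)
    if kind == "net":
        host = (urlparse(target).hostname or "").lower()
        return any(host == d or host.endswith("." + d) for d in policy.allowed_domains)
    if kind == "ui":
        return policy.ui_access
    return False
```

The path check is POSIX-style for brevity; a Windows implementation would also need to canonicalise drive letters, case and junctions before comparing.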

Source coverage: Windows Developer Blog — "Windows platform security for AI agents", Microsoft Build 2026 announcements, Microsoft Security Blog — Microsoft Agent 365 GA, GitHub repo for MXC.

The partner list: NVIDIA, OpenAI, Nous Research, Manus, OpenClaw

The MXC launch came with a confirmed partner list that reads like the who's who of the agent ecosystem:

  • NVIDIA brings OpenShell to Windows, built on MXC. Integrating MXC via OpenShell gives developers an easy-to-deploy package for running autonomous, always-on agents safely.
  • OpenAI's Codex is integrating MXC for safer code generation and execution. Per David Wiesen, Member of Technical Staff at OpenAI: "Working with Microsoft on the Microsoft Execution Containers (MXC) allows us to explore new patterns for AI agents to safely and efficiently generate and execute code. By combining Codex's capabilities with MXC's execution environment, we aim to help developers move from intent to reliable execution faster, while maintaining the security and control enterprises need."
  • Nous Research's Hermes Agent will be integrating OpenShell and MXC in their new Windows application. Per Dillon Rolnick, CEO of Nous Research: "Continuously running local agents, like Hermes Agent, require intentional isolation. Developers need control over what an agent can access and trust that those controls will hold. Microsoft Execution Containers (MXC), integrated with OpenShell, provides a policy-driven foundation for private, on-device agents on Windows."
  • Manus is integrating MXC to expand what autonomous agents can do in enterprise environments. Per Tao Zhang, Chief Product Officer at Manus: "Manus is built to help users move from intent to completed work across tools, files, code, and workflows. With Microsoft Execution Containers (MXC), Windows gives developers a policy-driven way to define what an agent can access and enforce those boundaries at runtime."
  • OpenClaw now runs its node and gateway on Windows under MXC, with a new Windows companion app to set up claws or connect to existing ones.

The same set of capabilities integrates with Microsoft Defender (which provides real-time protection against prompt injection and other emerging agent threats) and the broader Secure Future Initiative investments (passkey-based passwordless sign-in, hotpatch updates, Rust-based drivers, post-quantum cryptography, Secure Boot).

The Take

Microsoft just did what Microsoft does best in platform wars: it used the OS to set the terms of the next computing era before the competitors realized the game had started. MXC is to agents what UAC was to consumer Windows, what AppLocker was to enterprise, and what Hyper-V was to the cloud — a kernel-level primitive that makes the platform the default safe place to run the new class of software.

For agent developers: if you ship an agent that runs on Windows, MXC is the new baseline. The policy model is clean, the SDK is on GitHub, the isolation tiers map to your workload shape, and the partner list means your customers are already going to expect MXC-compatible behavior. Building without it is now a feature gap, not a different design choice.

For enterprise security teams: the agent governance problem just got a real solution. Agent 365 + MXC + Intune is the first end-to-end stack for "discover, govern, and isolate" agents across the enterprise. If you're running a security program that needs to answer "what are our agents doing right now, and what are they allowed to do," the answer is here. Most teams haven't started asking the question yet — start.

For the broader industry: the agent-runtime layer is consolidating faster than people think. When the OS-level sandbox, the largest model lab, the dominant GPU company, and the leading open-weights lab are all on the same SDK, the path to a de-facto standard is short. The alternative stacks (custom sandboxes, agent-only OSes, browser-based isolation) have a window, but the window is closing.

Quick Summary

Microsoft introduced the Microsoft Execution Containers (MXC) SDK at Build 2026 — a policy-driven, kernel-enforced execution layer for AI agents on Windows and WSL. Process and session isolation are in early preview; micro-VM and Linux-container support are on the roadmap. NVIDIA, OpenAI, Nous Research, Manus, and OpenClaw are confirmed partners building on the SDK. The architecture is the new baseline for trustworthy enterprise agents.

Sources

Source: VentureBeat / Microsoft Build 2026 (2026-06-02) | mr.technology — The Master Skill Index