American Focus
Tech and Science

Microsoft launches MXC, an OS-level sandbox for AI agents, with OpenAI and Nvidia already on board

Last updated: June 3, 2026 5:41 am

In the past two years, the tech industry has been in a race to enhance AI agents’ capabilities, enabling them to write code, navigate software, manage files, and execute complex workflows with growing autonomy. However, a crucial question remains unanswered: what happens when an AI agent malfunctions?

On Tuesday, during its annual Build developer conference, Microsoft unveiled a potential solution. The company introduced Microsoft Execution Containers (MXC), a policy-driven execution layer integrated into the Windows operating system. This allows developers and IT administrators to specify what an AI agent can access, with these boundaries enforced by the OS kernel during operation.

This announcement, part of a larger set of developer updates, is perhaps the most significant platform change Microsoft made at Build this year. It could fundamentally alter how enterprises worldwide approach the deployment of autonomous AI software.

MXC isn’t a product available for purchase; it’s an SDK and a policy model embedded within Windows and the Windows Subsystem for Linux. Microsoft describes it as providing a “composable sandbox spectrum,” ranging from lightweight process isolation, already used by GitHub Copilot’s command-line interface, to micro-virtual machines, Linux containers, and full cloud instances on Windows 365.

This system isolates an agent’s execution from the user’s desktop, clipboard, user interface, and input devices. Importantly, it assigns a strong identity to each agent, whether a local ID or a cloud-provisioned identity backed by Microsoft Entra, ensuring every action the agent takes can be traced, audited, and managed.

The implications are significant. Previously, deploying AI agents in enterprises faced a paradox: the more autonomous and useful an agent is, the more risky it becomes to operate it on a corporate network without safeguards. Microsoft’s MXC aims to resolve this paradox by creating a more controlled operating environment without compromising the agents’ capabilities.

Why every autonomous AI agent is a security incident waiting to happen

Understanding the importance of MXC requires considering what an AI agent does when running on a computer. Unlike traditional applications with clear boundaries, AI agents are inherently unpredictable. They receive goals in natural language, reason about how to achieve them, and execute actions such as opening files, running code, calling APIs, browsing the web, and interacting with other software. Each of these interactions widens the "attack surface" that security professionals worry about.

Microsoft highlighted the challenge in its blog, emphasizing that more capable and autonomous agents bring productivity gains but also new risks. The issue isn’t just the agent itself but the entire system it operates within. Every interaction with humans, tools, applications, models, and other agents introduces new vulnerabilities and potential failure modes, which Microsoft describes as a “multi-layer systems problem.”

This concern isn’t theoretical. Before Build, security researchers showcased several ways AI agents could be exploited, including prompt injection, malicious tool calls, and data exfiltration disguised as standard workflow. For enterprises handling sensitive data, proprietary models, and regulated information, the lack of a trusted execution environment has been a major obstacle to deploying agents beyond demo phases.


Microsoft’s answer is a sandbox that scales from a single process to a full virtual machine

MXC operates on a straightforward principle: define what the agent can do before it runs, and the operating system enforces these rules at runtime. Developers or IT administrators set policies that specify which files, directories, and network resources an agent can access. MXC then creates a sandboxed execution environment that maintains these boundaries, regardless of the agent’s actions.

What sets MXC apart is its wide range of isolation options. Microsoft designed it so a single SDK and policy model can adapt to the appropriate isolation construct for any workload. A lightweight coding assistant might require only fast process isolation, while a more autonomous agent executing arbitrary internet-downloaded code might need a full micro-VM. The system is “dynamically composable based on intent and risk,” allowing isolation levels to adjust based on the agent’s activities rather than its category.

Session isolation is a key feature, separating the agent's execution from the user's desktop, clipboard, UI, and input devices. This mitigates several types of attacks that are particularly threatening for AI agents, including UI spoofing, input injection, and cross-session data leakage. One caveat a practitioner should keep in mind: containment bounds the blast radius of a misbehaving or prompt-injected agent, but it does not stop the agent from misusing the resources the policy does grant it, so grants should be scoped to the task rather than to the machine.

A live demo showed an AI agent trying to delete files — and failing, because the OS wouldn’t let it

In a pre-briefing with VentureBeat, a Microsoft developer demonstrated MXC’s capabilities. Using the open-source agent framework OpenClaw within MXC’s sandbox on his development machine, he instructed the agent to delete all desktop files. The agent attempted the action, but the sandbox prevented it. “If you look at my desktop here, you see how clean my desktop is,” the developer noted. “That’s a lie.” He explained that the files were safe because “the container won’t allow it.”

The demonstration also highlighted MXC’s control granularity. Users can set specific files as read-only, limit browser and screen capture access, and manage these permissions centrally through enterprise IT departments using Intune policies. The agent functions within a one-way mirror: it can perform its assigned tasks but can’t access anything outside its policy-defined boundaries.

Pavan Davuluri, Microsoft’s Executive Vice President for Windows and Devices, emphasized that the security, containment, isolation, and user control features MXC introduces are crucial for making AI agents commercially viable. He stressed that these capabilities are “not unique to OpenClaw” and apply to any agent on a Windows device, ensuring safety for both consumers and corporate deployments.

Defender, Entra, Intune, and Purview integration arriving in July turns MXC into an enterprise control plane

The most impactful part of the MXC announcement for corporate IT departments isn’t the SDK but its integration with Microsoft’s existing enterprise security stack through Agent 365. Set to preview in July, Agent 365 integrates Microsoft’s Entra identity service and Intune device management platform with MXC, allowing IT administrators to centrally govern agent containment while developers select the necessary isolation level for their workloads.

This integration extends further: Microsoft Defender offers runtime threat protection, Entra handles identity and access management, Intune enforces device-level policies, and Microsoft Purview extends data governance and compliance to agent activity. Consequently, enterprises could permit employees to use AI agents on corporate machines, even those executing code and managing files, while maintaining centralized control akin to traditional applications.


Microsoft outlined the identity layer in its official blog: “Windows assigns agents a local ID or a cloud-provisioned identity backed by Entra, attributing all container activity to that identity, clearly distinguishing human from agent actions.” For regulated industries like financial services, healthcare, and government, generating an audit trail differentiating human from agent actions on the same machine might be a regulatory necessity, not just a desirable feature. This architecture, attributing every agent action to a specific identity and enforcing containment through existing policy infrastructure, could finally transition AI agents from pilot to production stages.
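The two mechanisms this article keeps returning to, a policy declared before the agent runs and enforced at runtime (the "define what the agent can do before it runs" principle from the sandbox section) and a per-agent identity that every action is attributed to (the Entra quote above), can be shown together in a small model. What follows is an added illustration written for this page; it is not Microsoft's MXC SDK, its policy format, or any real API. Every name in it (AgentPolicy, Identity, evaluate, isolation_tier) and the sample paths, hosts and identities are hypothetical, and the deny-by-default, path-canonicalisation and tier-selection rules are this editor's choices, not documented MXC behaviour. It replays the delete-the-desktop request from the demo plus a path-traversal escape attempt, and records each decision against the requesting identity so agent and human actions separate cleanly in the log.

```python
"""Illustrative declare-then-enforce policy model for a sandboxed agent.

Added example only: NOT Microsoft's MXC SDK or policy format. Every class,
function, path, host and identity below is hypothetical.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Identity:
    name: str   # hypothetical, e.g. "agent://openclaw-demo" or a user UPN
    kind: str   # "agent" (policy-governed) or "human" (recorded only)


@dataclass
class AgentPolicy:
    """Deny-by-default grants: anything not listed here is refused."""
    read_only: set[str] = field(default_factory=set)   # directory roots
    read_write: set[str] = field(default_factory=set)  # directory roots
    net_allow: set[str] = field(default_factory=set)   # hostnames
    screen_capture: bool = False


@dataclass(frozen=True)
class AuditRecord:
    actor: str
    actor_kind: str
    action: str
    target: str
    allowed: bool
    reason: str


def canonical(path: str) -> str:
    """Normalise separators, collapse '..' and fold case (Windows paths are
    case-insensitive) so a prefix match cannot be escaped by traversal."""
    return posixpath.normpath(path.replace("\\", "/")).lower()


def under(path: str, roots: set[str]) -> bool:
    """True if path equals one of roots or lies beneath it."""
    for root in roots:
        r = canonical(root).rstrip("/")
        if path == r or path.startswith(r + "/"):
            return True
    return False


def evaluate(policy: AgentPolicy, who: Identity, action: str, target: str) -> AuditRecord:
    """Decide one request and return the audit record attributed to `who`."""
    def rec(allowed: bool, reason: str) -> AuditRecord:
        return AuditRecord(who.name, who.kind, action, target, allowed, reason)

    if who.kind != "agent":
        # Humans keep their normal OS permissions; logged only so the trail
        # separates human from agent activity on the same machine.
        return rec(True, "human action, not policy-governed")
    if action == "read":
        p = canonical(target)
        ok = under(p, policy.read_only) or under(p, policy.read_write)
        return rec(ok, "read grant" if ok else "path outside read grants")
    if action in ("write", "delete"):
        ok = under(canonical(target), policy.read_write)
        return rec(ok, "read-write grant" if ok else "path not in read-write grants")
    if action == "connect":
        host = (urlsplit(target).hostname or target).lower()
        ok = host in {h.lower() for h in policy.net_allow}
        return rec(ok, "host allow-listed" if ok else "host not allow-listed")
    if action == "screen_capture":
        ok = policy.screen_capture
        return rec(ok, "screen capture granted" if ok else "screen capture not granted")
    return rec(False, "unknown action type refused by default")


def isolation_tier(policy: AgentPolicy) -> str:
    """Hypothetical heuristic for the 'sandbox spectrum': the more an agent
    may fetch and persist, the heavier the isolation it should run under."""
    if policy.net_allow and policy.read_write:
        return "micro-vm"   # can download content and write it somewhere durable
    if policy.net_allow or policy.read_write:
        return "container"
    return "process"


def agent_denials(records: list[AuditRecord]) -> list[AuditRecord]:
    """What a reviewer pulls first: agent actions the policy refused."""
    return [r for r in records if r.actor_kind == "agent" and not r.allowed]


def run_demo() -> list[AuditRecord]:
    # Constructed sample policy and requests; all values are hypothetical.
    policy = AgentPolicy(read_only={r"C:\Users\dev\Desktop"},
                         read_write={r"C:\Users\dev\agent-work"},
                         net_allow={"api.example.com"})
    agent = Identity("agent://openclaw-demo", "agent")
    human = Identity("dev@contoso.example", "human")
    requests = [
        (agent, "read", r"C:\Users\dev\Desktop\notes.txt"),
        (agent, "delete", r"C:\Users\dev\Desktop\notes.txt"),               # the live demo
        (agent, "write", r"C:\Users\dev\agent-work\..\Desktop\notes.txt"),  # traversal escape
        (agent, "write", r"C:\Users\dev\agent-work\out.txt"),
        (agent, "connect", "https://api.example.com/v1/chat"),
        (agent, "connect", "https://exfil.example/upload"),
        (agent, "screen_capture", "display0"),
        (human, "delete", r"C:\Users\dev\Desktop\notes.txt"),
    ]
    return [evaluate(policy, who, act, tgt) for who, act, tgt in requests]


if __name__ == "__main__":
    for r in run_demo():
        print("ALLOW" if r.allowed else "DENY ", r.actor_kind, r.actor, r.action, r.target, "-", r.reason)
```

Two details carry over to any real policy you write: canonicalise a path before prefix-matching it (a production enforcer must resolve junctions and symlinks, which a string normaliser cannot), and make deny the default so an action type the policy never anticipated is refused rather than silently ignored.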

OpenAI, Nvidia, Manus, and Nous Research are already building on MXC — and that changes the calculus

Platform announcements at developer conferences often aim high. What sets the MXC launch apart is the range and specificity of partners already utilizing it. Microsoft identified five: OpenAI, Nvidia, Manus, Nous Research (creator of the Hermes agent), and the OpenClaw open-source project. Each is integrating MXC in unique ways that demonstrate different applications for the technology.

OpenAI’s participation is particularly noteworthy. David Wiesen, part of OpenAI’s technical team, stated that working with Microsoft on MXC allows exploration of new patterns for AI agents to generate and execute code safely and efficiently. By combining Codex’s capabilities with MXC’s execution environment, the aim is to expedite developers’ transition from intent to reliable execution while maintaining necessary security and control for enterprises. The mention of Codex, OpenAI’s code-generation agent, suggests MXC could become the default execution environment for one of the industry’s most anticipated agent products.

Nvidia is incorporating its OpenShell framework into Windows using MXC, offering what Microsoft calls “an easy-to-deploy package for autonomous, always-on agents safely.” Manus, a Chinese AI agent startup that gained viral attention earlier, is also integrating. Tao Zhang, Manus’s Chief Product Officer, noted that MXC provides developers with a policy-driven method to define agent access and enforce these boundaries during runtime, enabling more autonomous agents to function safely in business settings. Dillon Rolnick, CEO of Nous Research, concisely articulated MXC’s significance: “Continuously-running local agents, like Hermes Agent, require intentional isolation. Developers need control over what an agent can access and trust that those controls will hold.”

How an open-source agent framework became Microsoft’s proving ground for AI safety on Windows

A revealing story behind the MXC announcement involves OpenClaw. During a press pre-briefing, a Microsoft developer explained how the partnership developed organically when Peter Steinberger, OpenClaw’s creator, reached out in January to express interest in collaboration. What began as a casual discussion evolved into a full platform partnership, with Microsoft developers contributing to the OpenClaw Windows companion app, built as a native WinUI application rather than a wrapped web app.

The OpenClaw integration serves as what Scott, the Microsoft developer who gave the briefing, described as "the ultimate test app for everything [the Windows platform team] is creating." If OpenClaw, which by design grants agents broad autonomy to perform tasks on a user's machine, can operate securely within MXC's containment boundaries, then the containment system is robust enough for any agent. Scott shared the philosophy behind the work: "Think of OpenClaw Windows as the ultimate test app… If OpenClaw can succeed on Windows, that means the Linux support is there, the container support is there, the containment is there."

The companion app showcases the full spectrum of MXC's enterprise controls, including file permissions, network access, screen capture restrictions, and location data, all centrally manageable through Intune policies. Microsoft has donated the project to OpenClaw and plans to continue contributing to it as open source. As a member of the Windows leadership team said during the briefing: "All agents, all comers, everyone is welcome on Windows… It's going to run great on Windows because the primitives are there. The base of the pyramid is solid."


Building containment into the OS gives Microsoft a strategic edge over Apple’s walled garden and Google’s cloud-first model

MXC arrives at a pivotal moment when the technology industry faces a fundamental tension. AI agents may represent the most significant new software category since mobile applications, and all major tech companies are racing to develop them. However, the security and governance infrastructure needed to deploy these agents responsibly in enterprise environments is lacking. Microsoft’s approach is unique because it places the trust layer at the operating system level rather than in the agent framework, the model provider, or a third-party security product.

This architecture is a deliberate choice. By integrating containment into Windows, Microsoft ensures that security guarantees apply regardless of the agent, model, or framework a developer selects.

It also implies that hundreds of millions of Windows devices already managed through Intune and secured via Defender can potentially become agent-ready through a software update instead of a complete overhaul.

Apple’s approach to AI agents relies heavily on its walled-garden ecosystem, providing security by restricting which agents can run and what they can do. Google’s strategy, focused on its cloud infrastructure, offers security through centralization. In contrast, Microsoft’s model provides security through declaration and enforcement, allowing any agent to run while containing its impact through OS-level policy.

For businesses operating in diverse environments with various toolchains and multiple AI providers, Microsoft’s model may be the most practical. The competitive landscape is already shifting: with OpenAI’s Codex, Nvidia’s OpenShell, and independent agent frameworks like Manus and Hermes all building on MXC, Microsoft is positioning Windows not just as the platform where agents run, but as the platform where agents can be trusted to run.

The hardest part isn’t building the sandbox — it’s writing the policies that go inside it

MXC is now available in early preview, allowing developers to start working with the SDK and testing containment policies. The Agent 365 integration with Defender, Entra, Intune, and Purview is set for preview in July — a timeline suggesting significant engineering work is complete, but with room for developer feedback-based refinement.

The real challenge, however, will arise when enterprises deploy agents at scale on production networks. Containment is effective only when governed by appropriate policies, and crafting these policies for complex enterprise environments will be a new discipline that IT departments haven’t yet mastered and no vendor has figured out how to teach. The technology is promising, but an empty sandbox is merely an empty box. Filling it with the right rules, for the right agents, in the right contexts, will demand a level of organizational sophistication that most companies are just beginning to consider.

Despite this, the importance of Microsoft's announcement on Tuesday is hard to overstate. For the first time, a major operating system vendor has proposed a comprehensive, kernel-level approach to containing, identifying, and governing autonomous AI software on the devices where much of the world's work is done. The industry spent two years teaching agents to act. Microsoft is now teaching the operating system to contain them.
