On June 2, 2026, at its annual Build developer conference, Microsoft announced an early preview of Microsoft Execution Containers (MXC), a software development kit designed to confine what autonomous AI agents can do on Windows PCs and Windows Subsystem for Linux (WSL). The move marks Redmond’s most concrete step yet toward making AI agents—tools that can read files, execute code, and interact with services without constant human oversight—safe enough for everyday and enterprise use.
What Microsoft Announced at Build 2026
The headline announcement is MXC: a policy-driven execution layer that lets developers define strict boundaries around how an AI agent operates, and then relies on Windows itself to enforce those boundaries at runtime. It’s built for both Windows and WSL, so the same containment rules can apply whether an agent runs native Windows software or Linux-based tools inside WSL.
Microsoft is not pinning its hopes on a single sandboxing technique. Instead, MXC is a control plane that spans multiple isolation approaches. A low-risk agent might run in a simple process with limited permissions. A more demanding one could be placed in a separate user session or a Linux container via WSL. For high-stakes workloads, Microsoft is offering micro-VM‑style isolation and even cloud-hosted Windows 365 for Agents environments—disposable Cloud PCs managed through Intune. This spectrum of containment lets organizations dial up security based on the agent’s trust level.
The SDK is deeply integrated with Microsoft’s existing management stack. Agent discovery, policy enforcement, and auditing are woven into Agent 365, Microsoft Defender, and Intune. That means IT teams won’t have to hunt for unknown agents across endpoints; they’ll be able to see which agents are running, what identities they use, which MCP connectors they rely on, and what cloud resources they can touch—all from the same consoles they already use.
Microsoft also named a set of launch partners that signal where it sees the heaviest use: OpenAI (for coding agents), NVIDIA (for local AI workloads), Manus, Hermes, and OpenClaw (for autonomous personal and organizational agents). The SDK is in early preview, meaning developers can start experimenting now, but it’s not yet ready for production deployment.
What the Containment Technology Actually Does
Think of MXC as a bouncer for your PC. When an AI agent tries to act—say, to read a folder, run a script, or call a cloud service—MXC checks that action against a policy the developer (or an admin) declared. If the action isn’t allowed, Windows blocks it on the spot.
This runtime enforcement is fundamentally different from traditional endpoint controls. Antivirus software and application allowlists decide whether a program can launch. MXC wraps the agent while it’s already running. That matters because agents often generate behavior dynamically: a coding assistant might write and execute a shell command on the fly, or a data-crunching agent might decide to access a new API endpoint mid-task. A static “allowed/blocked” model can’t anticipate these choices. MXC promises to intervene the moment the agent tries to step outside its permitted lane.
The containment options are designed to match the risk. At the low end, you might just need to restrict an agent to a single directory and block network access. A more complex scenario—like an untrusted AI tool from an open‑source repository—could be wrapped in a lightweight virtual machine. For enterprise fleets, Windows 365 for Agents takes this further: the entire agent environment runs in a managed Cloud PC that can be erased after each session, leaving no footprint on the user’s primary machine.
What This Means for You
The practical impact depends on who you are.
For everyday Windows users
Right now, there’s nothing to install. MXC is an SDK for developers, not a feature that magically appears in Windows Update. But over the coming months and years, you could see AI-powered tools—whether built into Windows or downloaded from the Store—that carry a “confined” badge. A productivity agent might request permission to access only your Documents folder, for instance, and Windows could show a clear prompt: “This agent will work inside a limited sandbox.” That’s far safer than granting a blanket “access my whole PC” consent, which is what today’s early assistants often ask for. The key takeaway: Microsoft is building the plumbing so that future agents don’t need to roam free to be useful.
For power users and developers
If you tinker with AI coding assistants, run agent frameworks, or build MCP servers, MXC is immediately relevant. The SDK is in early preview, so you can download it and start defining execution policies for your own agents. Microsoft’s documentation shows how to wrap an agent in a container, specify file‑system and network boundaries, and test that the restrictions actually hold. The company is also making WSL a first-class target, so Linux‑based agents you run under WSL can be governed by the same policies. That eliminates a common headache: until now, WSL often sat outside Windows’ security perimeter, making it a blind spot for many IT teams.
For IT administrators
This is where the announcement hits hardest. If your organization is already seeing employees adopt AI coding helpers or autonomous SaaS agents, MXC—combined with Agent 365, Defender, and Intune—gives you a way to bring those tools under governance without simply blocking them. You’ll be able to discover unsanctioned agents, enforce policies such as “agents may only access HR‑related folders and nothing else,” and audit every action an agent takes, tied to its own identity, not just the user who launched it. Microsoft is effectively turning agents into manageable inventory items, and that’s a big deal for compliance. No immediate action is required, but now is the time to begin conversations about agent governance frameworks, especially if your business deals with regulated data.
How We Got Here: The Road to Agent Containment
Autonomous AI agents have exploded in the past two years. GitHub Copilot moved from code completion to fully independent coding mode in 2025. OpenAI’s ChatGPT and Google’s Gemini let users connect to APIs, run scripts, and manage files. Meanwhile, the Model Context Protocol (MCP) created a standard way for agents to discover and interact with local and cloud tools. These advances made agents vastly more capable—and vastly more dangerous. A tool that can read your email, edit a spreadsheet, and push code to production is a security nightmare if it’s hijacked by a prompt-injection attack or a malicious instruction.
Microsoft saw the gap. At Ignite 2025, it introduced the concept of Agent ID: a unique identifier that separates an agent’s actions from the human’s in audit logs. It also released native MCP support for Windows in public preview, along with built‑in connectors for File Explorer and System Settings—functions that are mundane until an autonomous agent starts clicking around. The MXC announcement ties these pieces together. Without containment, MCP support would be a disaster waiting to happen; with containment, it becomes a safely usable superpower.
The company also treats WSL as more than a compatibility shim. Since open‑sourcing WSL in 2025, Microsoft has positioned it as a core part of the developer platform, and now as a substrate for Linux‑heavy agent workloads. By applying the same containment model across Windows and WSL, Microsoft aims to prevent a split‑brain situation where Windows is locked down but the agent’s Linux underbelly is free to roam.
What You Should Do Right Now
Because MXC is an early preview, the immediate steps depend on your role:
- Windows users: Stay informed. No action needed today, but when you see new AI features (especially those that request access to your files or settings), look for indications that they’re running in a confined space. Be skeptical of any agent that demands broad, unfettered access.
- Developers: Head to the Windows Developer blog (posted June 2) for the MXC preview SDK. Start experimenting on a non‑production machine. Familiarize yourself with the policy definition language and test how your existing agents behave when wrapped in a container. Incorporate MXC into your CI/CD pipeline early so you’re ready when tighter restrictions become industry standard.
- IT administrators and security teams: Begin an inventory of AI agent usage across your organization. Survey employees about coding assistants, personal automation tools, and SaaS agents. Evaluate whether your current endpoint security controls (Defender, Intune) are configured to handle dynamic, model‑generated behavior. Microsoft’s documentation outlines how to connect MXC to Agent 365, so you can start mapping out a governance model even before the SDK reaches general availability.
There are no hard deadlines yet, but the pattern is clear: agent sprawl is the new shadow IT. By the time you’re asked to audit an autonomous tool’s actions, having a containment framework in place will be far easier than retrofitting one later.
What to Watch Next
The success of MXC hinges on two things: developer adoption and simplicity. If building a contained agent takes hours of configuration, many will skip it. If the secure path is also the easiest path, the ecosystem could shift quickly. Expect Microsoft to refine the SDK, release reference architectures, and likely embed one‑click agent confinement into Visual Studio and other toolchains.
On the governance side, Microsoft will almost certainly tie MXC deeper into its licensing models—for example, advanced agent‑monitoring features may require an E5 or Copilot‑plan subscription. Competitors, notably Apple (with its tight consumer trust story) and the broader Linux ecosystem (where security often depends on the distribution), will be watching. For Windows users, the real test will be whether Microsoft can make agent containment so boringly automatic that you barely notice it—until an agent tries to overstep, and Windows quietly stops it.