Microsoft Execution Containers (MXC) Bring OS-Enforced Security to AI Agents on Windows and WSL

Microsoft unveiled Microsoft Execution Containers (MXC) at Build 2026, introducing an early-preview SDK and a policy-driven execution layer designed to secure AI agents running on Windows and Windows Subsystem for Linux (WSL). The move addresses growing enterprise anxiety over autonomous AI systems that can browse files, execute commands, and access networks without granular guardrails.

What Are Microsoft Execution Containers?

MXC is a new Windows platform feature that wraps AI agent processes in a lightweight, OS-enforced sandbox. Unlike traditional Docker containers that rely on namespaces and cgroups, MXC taps directly into the Windows hypervisor and kernel to create hard boundaries. The result is an isolation model that prevents an errant or compromised agent from reading sensitive files, exfiltrating data, or tampering with the host system.

The technology builds on hypervisor-protected code integrity (HVCI) and virtualization-based security (VBS) already present in Windows. It extends those protections to user-mode AI agents without requiring developers to rewrite their applications. A JSON-based policy file governs what an agent can and cannot do, giving IT administrators fine-grained control over file system access, network egress, child process creation, and even GPU usage.

Why AI Agents Need a New Security Model

Autonomous AI agents are fundamentally different from traditional server workloads. They often combine large language models with tool-calling frameworks like LangChain, allowing them to executeshell commands, interact with REST APIs, and manipulate local files. A single badly formed prompt could convince a coding agent to delete a system directory or an email agent to forward sensitive attachments to an external server.

Existing containment approaches fall short. Virtual machines impose too much overhead for ephemeral tasks. Application Guard and Windows Sandbox are user-visible and not designed for automated orchestration. Docker-on-Windows lacks tight integration with Hyper-V’s isolation model and requires developers to manage container images and networking. MXC aims to fill this gap by offering instant, policy-defined containers that launch in milliseconds and clean up automatically after the task completes—much like ephemeral serverless functions.

How MXC Works Under the Hood

At its core, MXC leverages the Windows Hypervisor Platform to create a minimal virtualized environment for each agent instance. The kernel enforces all access rules, making it impossible for an agent to bypass restrictions even if it escalates privileges inside the container. The architecture resembles Windows Defender Application Guard but with a programmable control plane.

A typical workflow looks like this:

1. A developer or IT administrator defines a policy in JSON or YAML. The policy might specify that an agent can only access a dedicated workspace folder, can only reach approved API endpoints, and cannot spawn child processes.
2. An application (such as a code editor extension, chat bot, or CI/CD pipeline) calls the MXC API to create a new execution container, passing the policy blob.
3. The MXC service instantiates a hypervisor-isolated environment, mounts the allowed volumes, and launches the agent process within it. The container shares no kernel objects with the host.
4. When the agent completes its task—or if the calling process sets a timeout—the container is automatically destroyed, wiping all temporary state.

Microsoft has baked this capability directly into Windows 11 and the next version of Windows Server. WSL integration means Linux-based AI tools (such as Python scripts using AutoGen or CrewAI) can also be wrapped in MXC containers, receiving the same level of OS-enforced isolation as native Windows executables.

Developer Experience: The Early-Preview SDK

The SDK, available now on GitHub and through NuGet and PyPI, exposes a simple programming model. Developers wrap any executable or script with an MxcContainer class and provide a policy. Here’s a conceptual snippet:

var policy = @"{
  ""allowedFilePaths"": [""C:\\workspace\\""],
  ""networkAccess"": ""internet"",
  ""maxMemoryMB"": 512,
  ""timeoutSeconds"": 30
}";

using var container = new MxcContainer("agent.exe", policy);
container.Start();
var output = await container.GetOutputAsync();

The SDK also supports streaming standard output and error, injecting environment variables, and attaching debuggers. For Linux workloads on WSL, developers can use the same API from inside a WSL distribution, with the MXC service brokering the hypervisor calls across the VM boundary.

Enterprise Policy Management and Integration with Intune

Microsoft is positioning MXC as a Zero Trust enabler for the AI era. IT administrators can push organization-wide MXC policies through Microsoft Intune, Group Policy, or custom MDM solutions. A policy catalog includes templates for common AI agent scenarios:

• Code assistants: Allow file writes only to a temporary directory and block all network access except to approved AI model endpoints.
• Email summarizers: Restrict file reads to a single PST file, forbid write operations, and allow outbound connections only to Microsoft Graph.
• Data analysis bots: Grant read-only access to a designated dataset, permit network calls to a predefined set of APIs, and cap CPU/memory usage.

All policy changes roll out within seconds without requiring a reboot. The management surface also logs every container creation, including the policy snapshot, duration, and any security violations, feeding into Microsoft Sentinel and Defender XDR for real-time threat hunting.

The integration with Microsoft 365 is particularly notable. MXC containers can be assigned to specific user contexts, ensuring that even if an AI agent runs under a privileged account, the container strips away those rights and enforces the policy-defined restrictions. This aligns with the upcoming “Agent 365” initiative, which aims to bring AI copilots into Excel, Outlook, and Teams, each operating within a tightly scoped sandbox.

Performance and Compatibility

Early benchmarks shared at Build 2026 indicate that MXC adds less than 5% CPU overhead compared to running processes outside a container, thanks to the hypervisor’s direct device assignment for critical resources. Memory overhead is a modest 40–60 MB per container, which makes it viable for running dozens of concurrent agents on a single developer workstation.

Compatibility is broad. The MXC execution layer supports both Win32 and UWP applications, as well as any WSL2 distribution (Ubuntu, Debian, etc.) that includes the MXC guest components. Clipboard integration, audio, and webcam access are blocked by default but can be enabled via explicit policy statements if needed for multimodal agents.

One important limitation of the early preview: GPU passthrough for AI acceleration is currently restricted to Windows agents; WSL-based agents must rely on CPU inference, though support for WSL GPUs via paravirtualized drivers is on the roadmap.

Community Reaction and First Impressions

Reaction from the Windows development community has been cautiously optimistic. Many see MXC as a necessary evolution of container technology, tailored for the unique risks of LLM-powered automation. A developer posting on the WindowsForum shortly after the Build session remarked, “Finally a native Windows sandbox that doesn’t require spinning up a full Docker Desktop. Agent security has been the missing piece in enterprise AI adoption.” Others point out that the JSON policy format is simple enough to embed in Infrastructure as Code (IaC) templates, reducing friction for DevOps teams already using Terraform or Bicep.

Some concerns persist. A few community members worry that MXC could become yet another Windows‑only API, fragmenting cross-platform AI tooling. Microsoft’s decision to extend support via WSL partially mitigates this, but native Linux and macOS developers would still need alternatives. Additionally, the early preview lacks a clear migration path from existing Docker-based CI/CD pipelines, though Microsoft engineers have hinted at a Docker plugin that would translate Compose files into MXC policies.

Security researchers have praised the hypervisor-backed isolation. “We’ve seen too many prompt-injection attacks that lead to arbitrary code execution in agents,” said one analyst. “Policy-enforced containers at the OS level are a strong countermeasure. It’s like AppLocker for AI.” This sentiment underscores why MXC could become a cornerstone of responsible AI deployment on Windows.

MXC vs. Traditional Containers: A Quick Comparison

What This Means for the Future of AI on Windows

Microsoft Execution Containers represent more than a security feature—they signal a strategic bet that AI agents will become as ubiquitous as web apps, and that they must be managed like any other enterprise workload. By embedding the execution layer directly into the operating system, Microsoft can offer deterministic security without the performance tax of third-party solutions.

Looking ahead, the roadmap includes Just-in-Time (JIT) policy generation where an AI model itself proposes a least-privilege policy for a task, subject to administrative approval. There’s also talk of a policy-as-code GitOps model, where MXC configurations live in repositories and get deployed through CI/CD pipelines.

For Windows enthusiasts and enterprise IT professionals, the early preview SDK is a chance to test-drive a platform that could soon become mandatory for running AI agents in regulated industries. Microsoft has released the source code under MIT license, and the community is already building plugins for Visual Studio Code, GitHub Actions, and PowerShell.

Get started today by visiting the Microsoft Build 2026 session recordings or cloning the SDK from GitHub. The early preview requires Windows 11 Build 26100 or higher and WSL2 with kernel version 5.15.167.1 or later.

Resources

• Microsoft Build 2026: MXC Session
• MXC Documentation on Microsoft Learn
• GitHub Repository: microsoft/mxc-sdk
• Windows Developer Blog: Introducing Execution Containers
• Intune Policy Reference for Execution Containers