Microsoft used its Build 2026 keynote in San Francisco to announce that Windows 11 will become the control plane for enterprise AI agents, mixing local execution, containerized isolation, and cloud‑side reasoning into a single desktop fabric. The strategy rests on three pillars: Microsoft Execution Containers (MXC), the OpenClaw SDK for building autonomous agents, and Project Solara, a declarative safety layer that governs what an agent can touch. Together they turn a Windows 11 PC into a managed runway where AI workers launch, collaborate, and shut down under IT‑enforced guardrails.

An OS Built for Agents, Not Just Apps

Windows 11 already runs Copilot, but the 2026 vision treats agents as first‑class citizens alongside traditional processes. “We’re not bolting a chatbot onto the taskbar,” said Pavan Davuluri, CVP of Windows + Devices. “We’re giving every agent a sandbox, an identity, and a policy that the operating system enforces.” The result is a machine that can simultaneously host a supply‑chain negotiating agent, a code‑review agent, and a compliance auditor—each blind to the others’ memory unless explicitly permitted.

At the core sits a new local agent runtime built directly into the Windows kernel. It manages life‑cycle events, app‑to‑agent communication, and resource throttling so a runaway inference loop cannot starve foreground applications. Developers target the runtime through the OpenClaw SDK, which Microsoft published as an open standard under the MIT license. OpenClaw abstracts model selection, tool calling, and memory persistence, allowing an agent to swap between an on‑device Phi‑4‑Silica NPU model and Azure‑hosted GPT‑5o without rewriting orchestration logic.

Microsoft Execution Containers: A Fresh Take on Isolation

MXC is the most significant architectural shift. Unlike Windows Sandbox, which virtualizes an entire user session, Execution Containers strip isolation down to the process level while layering AI‑specific controls. Each container receives a cryptographic identity from the device’s TPM 2.0 chip, a private virtual disk backed by BitLocker‑encrypted VHDX, and a filtered Plan 9‑like file‑system view that exposes only authorized directories. An agent inside MXC cannot access the real registry, cannot spawn sub‑processes outside its own boundary, and cannot open a raw network socket unless an IT‑administered “capability profile” explicitly grants it.

Performance was a critical design goal. Cold‑start latency sits under 180 ms on a Snapdragon X3 Elite, and the runtime re‑uses a pool of pre‑warmed container images to keep that number low. Microsoft demonstrated a trio of agents—email triage, meeting scheduler, and procurement assistant—running concurrently in separate MXCs while a user edited a PowerPoint deck; the system maintained 60 fps scrolling and NPU utilization never exceeded 14%.

OpenClaw on Windows: Write Once, Deploy Anywhere

OpenClaw builds on the OpenAPI standard for tool description and adds new primitives: AgentIdentity, MemoryBank, and SafetyTether. Developers define an agent’s personality, goal, and allowed actions in a YAML manifest. The SDK then compiles that manifest into a Windows executable that can run as a system‑tray agent, a background service, or a headless container inside MXC.

A key announcement was the OpenClaw Extension Host, a Windows service that lets classic Win32 apps surface capabilities to agents via a lightweight COM interface. Excel, for instance, can declare forecast_model and pivot_table as exportable functions. An OpenClaw agent picks them up automatically through Windows Copilot Runtime, so a user can type “Ask inventory agent what Q4 stock levels look like” and see the response rendered inside an Excel chart.

Project Solara: Declarative Safety That Travels with the Agent

Where MXC enforces boundaries at the OS level, Project Solara encodes safety rules in a machine‑readable policy document that accompanies every agent across on‑device and cloud execution. Solara policies are written in Solomon, a deterministic policy language Microsoft co‑developed with the Cloud Security Alliance. A typical rule might state: “SalesAgent may READ contacts from Outlook but may WRITE only to the CRM database via a pre‑approved API endpoint.” The policy is signed by the enterprise tenant’s root key and checked by both the Windows local runtime and Azure’s agent proxy before any tool invocation.
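The check order described above (verify the policy's integrity, then evaluate the tool call with default deny) can be sketched as follows; this is an added example, not Microsoft's code and not Solomon syntax. The rule encoding, the resource names, the CRM URL and the HMAC stand-in for the tenant root-key signature are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the tenant root key. The page describes a root-key
# signature; HMAC-SHA256 is substituted here to stay standard-library only.
TENANT_KEY = b"constructed-demo-key"

# Hypothetical encoding of the SalesAgent rule quoted above (not Solomon).
POLICY = {
    "agent": "SalesAgent",
    "allow": [
        {"action": "READ", "resource": "outlook:contacts"},
        {"action": "WRITE", "resource": "crm:database",
         "endpoint": "https://crm.example.invalid/api/v1/records"},
    ],
}

def sign(policy, key):
    """Tag over a canonical serialization so key order cannot change the tag."""
    blob = json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def authorize(policy, tag, key, call):
    """Return (allowed, reason). No rule is read until integrity is verified."""
    if not hmac.compare_digest(sign(policy, key), tag):
        return False, "policy integrity check failed"
    if call.get("agent") != policy["agent"]:
        return False, "policy not issued for this agent"
    reason = "no matching allow rule (default deny)"
    for rule in policy["allow"]:
        if (rule["action"], rule["resource"]) != (call.get("action"), call.get("resource")):
            continue
        # A rule that pins an endpoint only matches that exact endpoint.
        if "endpoint" in rule and rule["endpoint"] != call.get("endpoint"):
            reason = "endpoint not pre-approved"
            continue
        return True, "allowed by rule"
    return False, reason

TAG = sign(POLICY, TENANT_KEY)

if __name__ == "__main__":
    for call in (  # constructed tool invocations
        {"agent": "SalesAgent", "action": "READ", "resource": "outlook:contacts"},
        {"agent": "SalesAgent", "action": "WRITE", "resource": "outlook:contacts"},
        {"agent": "SalesAgent", "action": "WRITE", "resource": "crm:database",
         "endpoint": "https://other.example.invalid/upload"},
    ):
        print(call["action"], call["resource"], authorize(POLICY, TAG, TENANT_KEY, call))
```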

During the keynote, a live demo showed a red‑team scenario: a compromised agent tried to exfiltrate a legal document via a covert DNS tunnel. Solara intercepted the API call, matched it against the deny‑list, and not only blocked the operation but used Defender’s endpoint detection to quarantine the container and roll its disk image back to a known‑good snapshot. “Solara is a kill‑switch that activates in 12 milliseconds,” Davuluri noted. “Faster than an attacker can pivot.”

AI Safety in the Control‑Plane Era

Safety is not an afterthought but the organizing principle of the control‑plane architecture. Microsoft’s Responsible AI team embedded three layers of defense:

  • Pre‑flight validation – Before an agent starts, Windows verifies its manifest against the Microsoft Store’s AI certification database. Unsigned or altered manifests are blocked unless sideloaded by enterprise policy.
  • In‑flight telemetry – A minimal agent‑audit stream flows to the IT admin’s Microsoft Purview dashboard, logging which APIs were called, how many tokens were consumed, and whether any Solara violation occurred.
  • Post‑flight attestation – When an agent session ends, MXC generates a W3C‑verifiable credential summarising its behavior, which can be archived for compliance or shared with a third‑party auditor.

Microsoft also committed to quarterly red‑team exercises with the open‑source community, publishing all findings to its Security Research Center within 72 hours.

Enterprise Stakes and the Death of Credential Silos

For IT departments, the control‑plane model simplifies a problem that has grown critical: agent identity. Instead of sharing a user’s OAuth token—a practice that worries security teams—each agent gets a unique Entra ID service principal with just‑enough privileges. Conditional Access policies can require that an agent be launched from a compliant Windows 11 device joined to a specific Azure region. “The agent becomes a managed identity, no different from a server workload,” said Joy Chik, President of Identity & Network Access.

This identity model opens doors to regulated industries. A healthcare provider can instantiate a claims‑processing agent that runs locally within a customer’s tenant, never sending PHI to the cloud. Because the agent’s identity is tied to the device’s TPM, any copy of the container that tries to start on another machine fails attestation and is refused a token.

Developer Experience and Ecosystem Readiness

Developers can get started today with the OpenClaw CLI (winget install Microsoft.OpenClaw), which generates a scaffold project with a pre‑configured MXC debugging target. Visual Studio 2026 includes a first‑party Agent Designer that lets you drag tools, memory stores, and Solara policies onto a canvas, then test the agent against a local LLM while stepping through tool‑call chains.

Sixteen ISVs announced immediate support, including Salesforce, SAP, Adobe, and ServiceNow. Adobe demonstrated a Photoshop agent that can receive natural‑language editing instructions, operate inside an MXC without touching the file system, and return only the flattened PSD bytes to the host. Salesforce’s Einstein agent pipeline was shown orchestrating opportunity‑close workflows across Outlook email threads and Teams chats, all governed by Solara rules that prevented writing to any Salesforce field rated “Confidential.”

The Road Ahead

Microsoft confirmed that the agent runtime will be included in the Windows 11 25H2 update, expected to ship in September 2026. MXC will initially require a Copilot+ PC with an NPU, though fallback emulation on traditional CPUs will be available in Q1 2027. Solara policy authoring will be integrated into Microsoft 365 Admin Center by GA. The company stopped short of announcing any licensing changes but hinted at a consumption‑based add‑on for heavy cloud‑side agent orchestration.

“This is the single biggest re‑platforming of Windows since NT,” Davuluri concluded. “We’re making the OS the place where AI labor is hired, managed, and retired safely.” Whether enterprises will trust the desktop with business‑critical automation remains an open question, but the scaffolding is now tangible. Windows 11 is no longer just where you work; it’s where your AI coworkers clock in.