On June 2, 2026, Microsoft announced Microsoft Execution Containers (MXC) at its annual developer conference, Build 2026, held in San Francisco and online. MXC is a cross-platform, policy-driven execution SDK and sandboxing layer designed to securely isolate AI agents and other applications from their host environment — with enforcement built into the Windows operating system itself and extended to the Windows Subsystem for Linux (WSL). The GitHub repository for MXC also describes experimental support for Linux and macOS.

As AI agents become increasingly capable of reading files, invoking APIs, executing code, and chaining multi-step workflows with minimal human oversight, Microsoft argues that application-level promises are no longer sufficient. MXC moves agent security out of the developer’s hands and into the OS kernel, making Windows the active enforcement point for what agents are and aren’t allowed to do.

Architecture Overview

MXC is structured as a layered SDK. Rust and TypeScript are used as primary development languages. The four main layers are:

Layer 1
Application Layer
User-facing command-line tools and a TypeScript SDK for developers integrating MXC into their agent applications.
Layer 2
MXC Core
JSON-based policy management engine; handles backend orchestration and full lifecycle management from deployment through execution to teardown.
Layer 3
Isolation Backend Layer
A pluggable layer supporting multiple backends. Developers select the backend based on the required isolation strength and platform.
Layer 4
Execution Environment (Sandbox)
Enforces policy restrictions on the file system, network, clipboard, and UI. Isolates untrusted code — including AI model output, plugins, and tools — from the host environment.

Isolation Backends by Platform

MXC offers a “composable sandbox spectrum,” allowing teams to choose isolation weight based on workload risk — from lightweight process isolation for coding-agent scenarios to stronger VM-based containment for sensitive workloads.

Platform Available Backends
Windows ProcessContainer (default) Windows Sandbox WSL Container MicroVM HyperLight isolation_session
Linux Bubblewrap (default) LXC MicroVM HyperLight
macOS Seatbelt

Developers can declaratively define — in JSON — exactly which files and network endpoints an agent is permitted to access. MXC enforces these constraints at runtime, meaning policy violations are stopped by the operating system rather than caught after the fact.

Agent 365 Integration & Partner Ecosystem

Microsoft is integrating MXC with its enterprise agent governance platform, Agent 365, and several major ecosystem partners:

Agent 365 Native Integration
Brings Defender, Entra, Intune, and Purview protections to locally running agents. IT teams can centrally govern containment policy. This integration is available in preview starting in July 2026.
OpenClaw on Windows via MXC
OpenClaw — an open-source AI agent framework — is already running on Windows inside MXC containers, enabling multi-step workflows under OS-enforced security boundaries.
NVIDIA OpenShell
NVIDIA’s OpenShell secure runtime for autonomous, always-on agents uses MXC as its foundation and adds policy management, inference routing, and PII obfuscation capabilities on Windows.
Other Ecosystem Partners
Nous Research’s Hermes Agent, Manus, and OpenAI are listed as additional launch ecosystem partners building on MXC.

Roadmap

Microsoft notes that micro-VMs, Linux containers, and deeper integration with Windows 365 for Agents are currently on the MXC roadmap as future containment capabilities.

Early Preview Status & Security Caveats

⚠️
Important Notice MXC is currently in early preview. Microsoft’s own GitHub repository explicitly states that no MXC profiles should currently be treated as definitive security boundaries. Generated policies may still be unnecessarily permissive, and the specifications remain subject to change. Organizations should not rely on MXC alone as a complete security solution and should layer it alongside established identity, endpoint, and governance controls.

Significance

MXC is not a standalone product — it is an SDK and policy model, a foundational primitive embedded in Windows and WSL. By embedding containment at the OS level, Microsoft is making the case that Windows should be the authoritative security boundary for the next generation of autonomous AI agents. The announcement represents one of the most consequential platform security moves at Build 2026, with the potential to reshape how enterprises approach deploying and governing agent-based software at scale.