Microsoft introduced Microsoft Execution Containers, or MXC, at Build 2026 on Tuesday. MXC is a policy-driven execution layer embedded in the Windows operating system that lets developers and IT administrators declare exactly what resources an AI agent can access, with containment boundaries enforced at runtime by the OS kernel. OpenAI, Nvidia, Manus, Nous Research, and OpenClaw are the first five partners building on the SDK.
How MXC Works
MXC ships as an SDK and policy model — what Microsoft calls a “composable sandbox spectrum” — according to the Windows Developer Blog. That spectrum ranges from lightweight process isolation (already adopted by GitHub Copilot’s CLI) up through micro-virtual machines, Linux containers, and full cloud instances on Windows 365. The isolation level is “dynamically composable based on intent and risk,” meaning it adjusts to what the agent is doing, not just what category it belongs to.
Session isolation separates an agent’s execution from the user’s desktop, clipboard, UI, and input devices. Every agent gets bound to a strong identity, either a local ID or a cloud-provisioned identity backed by Microsoft Entra, so that every action is attributable and auditable.
“Windows assigns agents a local ID or a cloud provisioned identity backed by Entra and attributes all activity from the container to that identity, so you can clearly differentiate human from agent,” Microsoft wrote in its official blog.
The Live Demo
During a pre-briefing with VentureBeat, a Microsoft developer ran OpenClaw inside MXC on his personal machine and instructed the agent to delete all files on his desktop. The agent tried to comply. The sandbox stopped it. “If you look at my desktop here, you see how clean my desktop is,” the developer said. “That’s a lie.” The files were untouched because the container blocked the operation.
The demo showed granular controls: marking files as read-only for agents, restricting browser and screen capture access, controlling location data visibility, and managing all permissions centrally through Intune policies.
Pavan Davuluri, Microsoft’s Executive Vice President for Windows and Devices, said these capabilities are “not unique to OpenClaw” and that “this pattern repeats itself over and over” for any agent on Windows, according to VentureBeat.
Enterprise Stack Integration in July
The bigger play arrives in July with Agent 365, which layers Microsoft Defender, Entra, Intune, and Purview on top of MXC. This turns the sandbox into a full enterprise control plane: Defender provides runtime threat protection, Entra handles identity and access, Intune enforces device-level policies, and Purview extends data governance to agent activity. IT departments could allow employees to run autonomous agents on corporate machines while maintaining centralized visibility through the same infrastructure that already governs hundreds of millions of Windows devices.
For regulated industries, the audit trail distinguishing human actions from agent actions on the same machine could become a compliance requirement, not just a security feature.
Launch Partners
OpenAI’s David Wiesen said MXC “allows us to explore new patterns for AI agents to safely and efficiently generate and execute code,” with the goal of combining Codex capabilities with MXC’s execution environment, according to VentureBeat. Nvidia is bringing its OpenShell framework to Windows built on MXC. Manus and Nous Research (Hermes agent framework) are also integrating. OpenClaw runs natively on Windows using MXC, with a companion app for setup, according to the Windows Developer Blog.
The Agent Deployment Bottleneck
Enterprise agent deployment has been stuck on a specific problem: the more autonomous an agent becomes, the more dangerous it is to run on a corporate network without guardrails. MXC addresses this by controlling the environment rather than limiting the agent. The SDK is in early preview now, with Agent 365 integration following in July.