Microsoft built the agent sandbox into Windows itself
At Build last week Microsoft shipped the least flashy and possibly most important agent thing of the conference: MXC, Microsoft Execution Containers. It's not a product you buy. It's a primitive baked into Windows and WSL that lets you declare, before an agent runs, exactly which files, folders, and network it's allowed to touch, and the OS kernel enforces it at runtime no matter what the agent tries to do.
This is the missing piece everyone's been hand-waving past. We've all been letting coding agents run with full file-system access and just hoping. MXC gives you a spectrum: fast process isolation, which GitHub Copilot CLI already uses, session isolation that cuts the agent off from your clipboard and screen, up to hardware-backed micro-VMs for agents running untrusted code or touching sensitive data. You pick the blast radius.
The partner list tells you this isn't a demo. OpenAI, Nvidia, Hermes, Manus, and OpenClaw are all building on it, and Nvidia is bringing its OpenShell to Windows on top of MXC for always-on autonomous agents. It also stitches into Agent 365: Entra for identity, Intune for device policy, Defender for runtime threat protection, Purview for compliance. Read together, the message is blunt. Windows wants to be the operating system agents run on, and security is how Microsoft plans to win the enterprise where the consumer agent wars don't reach. Link: venturebeat.com/security/microsoft-launches-mxc-an-os-level-sandbox-for-ai-agents-with-openai-and-nvidia-already-on-board
← Back to all articles
This is the missing piece everyone's been hand-waving past. We've all been letting coding agents run with full file-system access and just hoping. MXC gives you a spectrum: fast process isolation, which GitHub Copilot CLI already uses, session isolation that cuts the agent off from your clipboard and screen, up to hardware-backed micro-VMs for agents running untrusted code or touching sensitive data. You pick the blast radius.
The partner list tells you this isn't a demo. OpenAI, Nvidia, Hermes, Manus, and OpenClaw are all building on it, and Nvidia is bringing its OpenShell to Windows on top of MXC for always-on autonomous agents. It also stitches into Agent 365: Entra for identity, Intune for device policy, Defender for runtime threat protection, Purview for compliance. Read together, the message is blunt. Windows wants to be the operating system agents run on, and security is how Microsoft plans to win the enterprise where the consumer agent wars don't reach. Link: venturebeat.com/security/microsoft-launches-mxc-an-os-level-sandbox-for-ai-agents-with-openai-and-nvidia-already-on-board
Comments