Microsoft’s Build 2026 developer conference opened with a message that will reshape enterprise computing: Windows is no longer just a platform for users to run applications—it’s an operating system built to host armies of autonomous AI agents. During the two-day event in San Francisco, CEO Satya Nadella and Windows chief Pavan Davuluri unveiled a trio of technologies designed to bring agentic AI to every PC: OpenClaw, a new open-source agent framework; Microsoft Execution Containers (MXC), a security isolation layer for agents; and a refreshed line of Surface hardware with dedicated neural processors. The announcements position Windows as the control center for a workforce that increasingly blends human and AI labor, with security and trust as the non-negotiable foundation.

OpenClaw: An Open Framework for Windows Agents

At the heart of the agentic push is OpenClaw, an open-source framework that lets developers build, test, and deploy autonomous agents directly on Windows. Unlike existing agent SDKs that rely heavily on cloud-based reasoning, OpenClaw is optimized for local execution on Copilot+ PCs. It plugs into the Windows Copilot Runtime and exposes a unified API for agents to interact with the operating system—launching applications, manipulating files, reading on-screen content, and even simulating keyboard and mouse input with user permission.

Davuluri described OpenClaw as “the plumbing that makes every Windows PC an agent host.” Developers write agent logic once, and OpenClaw handles sandboxed execution, context management, and fallback to cloud models when on-device capacity is exceeded. The framework leverages the same screen understanding models that power Click-To-Do and Recall, enabling agents to see and interpret UI elements across any application, including legacy Win32 programs.

During a live demo, a supply chain agent built with OpenClaw processed an email invoice, cross-referenced it against a Dynamics 365 order, flagged a discrepancy, and drafted a response—all without leaving the PC. The agent navigated Outlook, Excel, and Edge, performing actions that previously required RPA tools or custom integrations. Nadella stressed that OpenClaw is “open by design,” releasing under an MIT license to encourage community contributions and third-party runtime auditing.

Microsoft Execution Containers: A Security-First Sandbox

Unleashing agents that can see screens, click buttons, and access files demands a radical rethinking of security. Enter Microsoft Execution Containers (MXC), a new isolation technology built into the Windows kernel. MXC creates lightweight, ephemeral virtual environments for each agent session, ensuring that an agent can only access data and applications that an administrator has explicitly allowed.

MXC goes beyond traditional app sandboxes by combining Hyper-V-based isolation with a declarative policy engine. Developers define an agent’s capabilities in a manifest—what folders it can read, which URLs it can visit, whether it can access the clipboard—and Windows enforces those rules at the kernel level. Even if an agent is compromised or behaves unexpectedly, the blast radius is contained. Containers are destroyed after each task, leaving no residual state.

Microsoft also announced VBS Enclaves for agents, extending virtualization-based security to protect agent memory and runtime state from even the OS kernel. This addresses the attack vector of a malicious driver or kernel exploit trying to steal agent credentials or inject spurious actions. Combined with the existing Pluton security processor in new hardware, MXC makes Windows the first commercial OS to offer hardware-rooted container isolation for AI agents.

Surface AI PC: Hardware Purpose-Built for Agentic Workloads

All that software muscle needs silicon to run on, and Microsoft chose Build 2026 to launch three new Surface devices engineered specifically for local agent execution. The Surface Pro 12 and Surface Laptop 8 both feature a custom Qualcomm Snapdragon X Elite 2 processor with a second-generation Hexagon NPU capable of 70 TOPS. The headline feature, however, is the dedicated Agent Offload Engine (AOE)—a tiny, ultra-efficient core that runs always-on agent inference without touching the main NPU or CPU clusters. This lets agents remain responsive even when the device is asleep, much like a smartphone’s always-on voice assistant.

The flagship Surface Studio 3+ adds a discrete AMD neural processor card, bringing total AI throughput above 150 TOPS for the heaviest multi-agent workloads. All three devices include a secure microcontroller unit (MCU) that integrates with MXC to measure boot integrity and seal agent container keys. Microsoft claims these are the first “Security-First PCs,” compliant with the upcoming NIST AI 800-60 guidelines for autonomous software agents.

The Agentic Desktop Experience

Software changes are equally dramatic. A new “Agent Panel” slides out from the Windows taskbar, showing active agents, their current tasks, and permission statuses. Users can pause, approve, or revoke agent actions in real time. File Explorer and Microsoft 365 apps gain an “Agent context” ribbon that surfaces actions an authorized agent can perform on selected content, such as summarizing, translating, or formatting.

Windows Copilot is being rebranded as Windows Agent Hub—a central control room where users can chain agents into multi-step workflows using a visual drag-and-drop canvas. A marketing professional, for example, could create a routine that has one agent analyze campaign performance from Power BI, another generate a draft report in Word, and a third schedule a Teams review meeting—all triggered by a natural language command like “get me a campaign wrap-up before 5 PM.”

Entrusting Agents with Enterprise Governance

Recognizing that enterprise IT will be the first large-scale adopter of agentic Windows, Microsoft is weaving MXC and OpenClaw into Microsoft Intune and Azure AD. Administrators can curate catalogs of approved agents, enforce mandatory container policies, and audit every agent action via Microsoft Purview logs. Agent sessions generate immutable trust trails that record which model performed which action, on which data, at what time—a prerequisite for regulated industries.

Microsoft is also introducing an Agent Trust Score, a dynamic rating that evaluates an agent’s behavior against expected patterns and user feedback. Agents with low scores can be automatically suspended by Intune policy. “We’re moving from ‘trust but verify’ to ‘never trust, always verify, and contain’,” said security VP Vasu Jakkal during the security track keynote.

Developer Tools and the Future of Win32

The Win32 platform receives its most significant upgrade in a decade with a new set of APIs under the “Project Volterra” codename. The Agent UI Automation API gives agents a standardized way to interact with application controls, reading and manipulating UI elements safely. A new Agent File System filter driver allows one agent to write to a directory while blocking another from even enumerating its contents, all managed through MXC policies.

Microsoft concurrently released the OpenClaw SDK for Visual Studio Code and a local agent simulator that lets developers run and debug agent logic in a fully containerized environment identical to production. The simulator includes pre-built templates for common agent categories: RPA migration, knowledge worker assistance, creative design, and developer coding agents.

Ecosystem and Competitive Landscape

The announcements position Microsoft squarely against startups like Adept and Imbue, as well as Apple’s rumored agentic features in macOS 17. By open-sourcing OpenClaw, Microsoft is betting that a vibrant third-party ecosystem will create more capable agents faster than any single vendor could. Already, Adobe, SAP, and ServiceNow demonstrated extensions that use OpenClaw to bring Photoshop compositing, ERP transaction processing, and ITSM ticketing into the Windows agent fabric.

Google’s Project Mariner and Anthropic’s computer-use API remain cloud-dependent, which Microsoft treats as a differentiator for its hybrid design, one that is critical for latency-sensitive tasks and for organizations that cannot send data off-device. The local-first approach also aligns with the EU’s evolving AI liability directives and a growing global appetite for data sovereignty.

The Road Ahead

OpenClaw and MXC enter public preview next month, with general availability slated for the Windows 11 2026 Update in October. The new Surface devices ship in July. Analysts expect the agentic capabilities to drive a PC refresh cycle, as older hardware lacks the NPU and security modules required for MXC. Enterprise customers on E3/E5 licenses will receive agent infrastructure credits to offset deployment costs.

For Windows enthusiasts and IT professionals, Build 2026 marks the moment the OS stops being a passive stage and becomes an active participant in work. The security-first architecture acknowledges that autonomous agents, once unleashed, will be targeted by attackers. Microsoft’s bet is that containment, not detection, is the right paradigm. As Davuluri concluded, “We’re giving everyone a powerful set of strings, but we’re also building the strongest gloves Windows has ever had.”