Microsoft is finally giving Windows and WSL a dedicated sandboxing mechanism purpose-built for the AI era. At Build 2026, the company unveiled Microsoft Execution Containers (MXC), a preview security layer that lets developers and administrators define exactly which files, apps, networks, and identities an AI agent—or any executable—can touch. The announcement marks a fundamental shift in how Windows handles untrusted code, moving beyond traditional antivirus towards proactive, policy-driven isolation.

MXC arrives as enterprises scramble to harness AI copilots and autonomous agents without blowing a hole in their security posture. Modern AI agents often require broad file system access, network connectivity, and the ability to execute tools, making them a nightmare for security teams. With MXC, Microsoft aims to let organizations harness agent productivity while clamping down on lateral movement and data exfiltration risks.

What Exactly Are Microsoft Execution Containers?

At its core, MXC is a lightweight sandboxing technology built directly into Windows and the Windows Subsystem for Linux (WSL). Unlike Hyper-V-based containers or the older Windows Sandbox, MXC does not virtualize an entire operating system. Instead, it relies on a combination of existing Windows security primitives—AppContainer isolation, capability-based access control, and integrity levels—augmented with new policy engines and AI-aware restrictions.

The result is an execution environment where every file read, network socket, process creation, and identity token use is mediated by a fine-grained policy. Administrators can author policies in a declarative language (likely JSON or YAML) that specifies, for example: “This agent can only read from the SalesDocuments share, access api.contoso.com over HTTPS, and must not spawn child processes.” The container then enforces these rules at the kernel level, making them difficult to bypass.

During the Build 2026 session, Microsoft emphasized three design principles behind MXC:

  • Least Privilege by Default: Applications start with zero permissions and must explicitly declare what they need.
  • Portable Policy Definitions: The same policy file works across Windows 11, Windows Server, and WSL distributions, ensuring consistent security regardless of where the agent runs.
  • Deep Observability: All access attempts—allowed or blocked—are logged to Windows Event Log and can be shipped to SIEM tools, giving security teams full audit trails.

Why AI Agents Demand a New Isolation Model

Traditional application sandboxing focuses on user-installed software with well-defined behavior. AI agents upend that model. An agent prompted to “summarize these sales reports and email the CFO” might touch dozens of files, call a web API, authenticate via a saved credential, and invoke a legacy COM object—all in a single run. Blocking any one of those operations could break the workflow, but allowing all of them unchecked invites compromise.

MXC tackles this with dynamic capability tokens. When an agent is launched inside a container, MXC issues a token that encodes the allowed permissions. If the agent later needs to access a resource not listed in the policy, the system can trigger a just-in-time (JIT) approval flow—perhaps via Microsoft’s Entra ID conditional access—rather than simply failing. That keeps agents productive while maintaining auditability.

This approach aligns with enterprise zero-trust architectures. “We’re moving from a world of ‘binary yes/no’ access to one where every action is contextual and revocable,” a Microsoft program manager noted during the session, according to attendees. The JIT capability is still experimental and may rely on integration with Azure Policy or Intune, details that will likely firm up as MXC moves toward general availability.

How MXC Works with WSL: Bridging Two Worlds

One of the more surprising engineering feats is MXC’s native support for WSL. Linux workloads inside WSL2 run in a lightweight VM, which has historically made container-like isolation redundant—you already have a VM boundary. But that VM boundary is too coarse for selective file access controls. An AI agent running Python inside WSL can freely traverse the Linux file system and, through WSL’s transparent interop, reach Windows files via /mnt/c.

MXC for WSL introduces a cross-OS policy plane. Policies describe both Linux and Windows resources in a unified schema. Under the hood, MXC leverages the Plan 9 file server and the new virtio-fs sharing to propagate Windows access checks into the Linux VM. When a Linux process tries to open a file on a Windows drive, MXC intercepts the request and applies the same policy that would govern a native Windows executable. The net effect is that developers can author a single policy file and apply it uniformly whether the agent runs as a .NET service, a Python script, or a Node.js daemon inside WSL.

This is a boon for DevOps teams that rely on Linux toolchains but deliver software for Windows servers. Previously, securing cross-platform workloads meant maintaining two separate policy stacks (AppLocker on Windows, SELinux or seccomp profiles on Linux). MXC collapses that into one management interface, likely surfaced through the Microsoft Intune admin center or the new Windows Security Portal.

Real-World Scenarios: From Ransomware to Rogue Copilots

Microsoft painted several threat scenarios that MXC is designed to mitigate.

Ransomware through AI Tool Use: A common agent architecture allows the LLM to call a "filesystem" tool. An attacker coercing the model into deleting or encrypting files could cause havoc. MXC restricts the tool’s visibility to a whitelisted directory tree, preventing it from touching the entire volume.

Prompt Injection Leading to Data Exfiltration: A malicious prompt instructs an agent to POST the contents of a sensitive document to a rogue webhook. MXC’s network policies allow outbound connections only to pre-approved domains and can inspect HTTP headers to ensure the endpoint matches the intended service.

Credential Theft from Agent Memory: Attackers can sometimes extract cached credentials from agent process memory. MXC uses Credential Guard and restricts which identities the container can impersonate. Even if the agent is compromised, the attacker cannot harvest credentials because the containerized process never sees the raw token.

Lateral Movement via WSL: A compromised agent could spawn a bash process inside WSL and attempt to access Windows network shares. MXC’s unified policy blocks SMB access from the Linux side and logs the attempt as a Windows security event, correlating it with the parent agent process.

These controls are not hypothetical. In the Build demo, Microsoft showed an AI coding assistant confined by MXC. When the assistant tried to read credentials from the user’s ~/.ssh folder, the operation was denied, and a real-time alert appeared in Microsoft Defender. The developer could then decide whether to permanently update the policy or flag the behavior as malicious.

Under the Hood: Policy Engine and Enforcement

The policy engine in MXC appears to be an evolution of the Windows Filtering Platform (WFP) and the AppContainer technology first introduced with Windows 8. AppContainers gave modern UWP apps a locked-down identity, but they were rarely used for classic Win32 applications. MXC extends the concept to any process, including command-line tools and services.

A policy is compiled into a binary security descriptor and attached to the process token. The kernel’s Security Reference Monitor (SRM) consults this descriptor on every access check. For network operations, the Windows Filtering Platform enforces rules at the socket level. For file I/O, the mini-filter driver—likely a new one named MXCflt.sys—intercepts create and read/write calls.

What makes MXC particularly interesting is its integration with Microsoft’s AI ecosystem. The declarative policy format includes primitives for semantic boundaries. For example, a policy can declare: “Allowed network hosts: microsoft.com, github.com, MY_AZURE_ML_ENDPOINT.” The variable MY_AZURE_ML_ENDPOINT is resolved at runtime from a configuration store, so the policy remains portable across dev, test, and production environments. Early documentation suggests YAML-based authoring with a CLI tool (mxc-cli) that validates and signs policies.

Deployment and Management: Enterprise-Ready Controls

Microsoft made clear that MXC is not just a developer plaything; it’s built to satisfy the strictest compliance regimes. Policies can be deployed via:

  • Group Policy Objects (GPO) for on-premises environments.
  • MDM policies through Intune for cloud-managed endpoints.
  • Custom OMA-URI settings for hybrid scenarios.

When MXC is enabled via group policy, the operating system can be configured to require a container for all untrusted executables. This would completely block any process from running unless it has an associated MXC policy—a mode akin to “deny-all” application control but with the flexibility of dynamic capability grants.

For software developers, MXC integrates with the Visual Studio debugging experience. You can attach the debugger to a process inside the container, step through code, and see real-time access violations in the output pane. The container’s behavior is deterministic: a process either runs exactly as the policy allows or crashes with a descriptive error code. This makes it easier to tune policies during development.

Community Reaction: A Long-Overdue Security Remedy?

On the WindowsForum thread that exploded shortly after the Build announcement, system administrators and developers were cautiously optimistic. “Finally, a way to lock down AI agents without breaking them,” wrote a user named ‘SysadminSteve.’ “But I hope Microsoft doesn’t tie this exclusively to Enterprise E5 licenses.” Another user, ‘DevDiva42,’ pointed out that Intune integration is great for corporate fleets but leaves small businesses and self-employed developers in the cold unless there is a standalone version.

Security researcher ‘MalwareMike’ questioned whether MXC would be resilient against kernel-mode rootkits that could disable the filter driver. Microsoft has not yet released a detailed security model, but the company’s track record with VBS enclaves and secured-core PCs suggests that MXC will be protected by virtualization-based security (VBS) on compatible hardware. An official Microsoft response in the thread confirmed that MXC enforcement runs in VTL1, isolated from the main OS kernel, which would require a hypervisor escape to bypass.

Several comments also highlighted the need for extensive testing with legacy line-of-business applications. “We still run a VB6 app that accesses random registry keys,” noted ‘ITVeteran.’ “Will MXC break that without detailed policy tuning?” Microsoft’s team replied that MXC includes a learning mode that profiles an application’s behavior and auto-generates a starter policy—similar to AppLocker’s audit mode. This eases migration but still requires human review to prevent overly permissive rules.

The Bigger Picture: Windows as a Secure AI Platform

MXC is the latest piece in Microsoft’s multi-year effort to make Windows the preferred platform for AI agents. The company has already shipped Copilot Runtime with built-in model hosting, the AI Toolkit for Visual Studio Code, and the AI Dev Gallery. Adding a native containment layer closes the gap that previously forced enterprises to sandbox AI agents using Docker Linux containers or heavyweight VMs, negating the performance and familiarity advantages of Windows.

Satya Nadella’s Build 2026 keynote referenced MXC as part of the “intelligent edge” strategy. “We want every developer to be able to ship an AI agent with the confidence that it will integrate securely into the enterprise without CIOs losing sleep,” he said. The sentiment resonated: the conference session on MXC was standing-room only, with long lines of IT pros eager to get hands-on.

Analysts view MXC as a direct response to growing AI security mandates from regulators. The EU AI Act’s high-risk classification for autonomous systems that interact with sensitive data will require technical safeguards. MXC’s detailed audit logs and policy enforcement could become a compliance checkbox for organizations deploying agents in healthcare, finance, and critical infrastructure.

Getting Started: Preview Limits and Roadmap

As of Build 2026, Microsoft Execution Containers are available in preview for Windows 11 Enterprise and Windows Server 2025 with the latest Dev Channel build (build number not disclosed). WSL support requires a separate insider build of WSL with the mxcls kernel module. The preview includes:

  • The MXC runtime and policy compiler (via Windows Feature on Demand).
  • Basic policy authoring tools (mxc-cli) and Visual Studio Code extension.
  • Ten pre-configured policy templates for common AI scenarios (Semantic Kernel agent, LangChain agent, etc.).
  • Integration with Microsoft Defender for Endpoint for alerting.

Microsoft has committed to releasing MXC for general availability in Q3 2026, with plans to backport the feature to Windows Server 2022 and add support for Kubernetes pods on Windows nodes. A Linux-only version for standalone WSL is under consideration but not confirmed.

For now, the preview targets enterprise customers with Microsoft 365 E5 or E3 licenses. The community forum request for a free-tier or developer-only license has been acknowledged by the product team, with a promise to evaluate based on feedback.

What Developers Should Do Now

If you’re building AI agents on Windows, start auditing your application’s file, network, and process dependencies. Map out a minimal set of required permissions—think file shares, API endpoints, and registry keys. Microsoft plans to release a profiling tool that captures this automatically, but manual analysis will still produce a safer baseline.

Download the preview ISO from the Windows Insider portal and experiment in a VM. Join the MXC Insider community on GitHub (link expected soon) to provide feedback on the policy DSL and tooling. The more real-world scenarios Microsoft sees, the better the final product will accommodate legacy and modern applications alike.

Enterprises should start a pilot project with a non-critical agent, deploy MXC policies in report-only mode, and feed the logs into Sentinel or Splunk. Use the insights to educate developers about the principle of least privilege and to refine incident response playbooks. The shift to policy-driven execution won’t happen overnight, but early adopters will be best positioned when AI agent deployment becomes mainstream.

Conclusion: A Foundational Layer for the Agent Era

Microsoft Execution Containers represent more than a feature update. They are a fundamental rethinking of how Windows handles code it cannot fully trust—code that learns, reasons, and acts autonomously. By embedding policy-based isolation directly into the OS and extending it seamlessly to WSL, Microsoft is laying a foundation that could make Windows the most secure platform for AI agents, regardless of the programming language or framework.

The developer and administrator feedback from the Build 2026 announcement has been overwhelmingly positive, though questions about licensing, legacy compatibility, and long-term support remain. As MXC moves from preview to production, the Windows ecosystem stands to gain a security primitive as important as the firewall or User Account Control—tailored for an age where the biggest threats don’t come from malicious executables, but from well-intentioned agents gone rogue.