AI agents have moved beyond answering questions: they now execute actions across many platforms with considerable autonomy. That shift introduces a new layer of control and trust questions and strains security paradigms that were built around applications whose behavior is fixed before they run.
As developers craft agents that can read files, invoke services, and modify environments at unprecedented speeds, a pressing question arises: how can we ensure these systems remain trustworthy when they operate independently and at scale on real data?
This evolution necessitates a shift in the foundational requirements for developers, IT, and security teams. To foster confidence in agent deployment, security must be ingrained in the very architecture of the platform. With a solid foundation, organizations can embrace agent adoption while preserving essential control and trust. Windows is designed with containment, identity, and manageability as core principles, extending security beyond applications and models into the operating system itself.
In May, we unveiled the expansion of Microsoft Agent 365, enhancing its capabilities to discover and manage local agents on Windows, starting with OpenClaw and soon extending to popular agents like GitHub Copilot CLI and Claude Code. A significant development is the introduction of policy-based controls, allowing organizations to establish guidelines governing agent actions.
Policy-based controls
Containment is what defines what an agent can access and do, so that its non-deterministic behavior cannot turn into unbounded risk. Unlike traditional applications, agents behave dynamically and routinely generate, and then execute, code at runtime that no one reviewed in advance. Containment lets an agent do useful work without inheriting the full authority of the user's session: whatever the model decides to run, it can only reach what the policy allows.
The Microsoft Execution Containers (MXC) SDK
To balance agent impact with productivity, we are introducing an early preview of the Microsoft Execution Containers (MXC) SDK. It is a cross-platform, policy-driven execution layer for agents on Windows and WSL: developers declare the constraints in their application, and Windows enforces them consistently at runtime through MXC. Enforcement lives in the platform rather than in the agent's own code or prompts, and MXC's abstraction layer relieves developers of managing the low-level isolation details themselves.
The composable sandbox and containment spectrum
The composable sandbox exemplifies how Windows implements isolation and containment, with MXC serving as the control surface for developers. The same policy model and SDK map onto different isolation constructs depending on the workload and how much containment it needs. A coding agent may require different guardrails than an enterprise data-processing agent, yet both are governed by a single policy model. The composable sandbox gives developers and IT teams that flexibility and control, and Agent 365's policy-based controls use Microsoft Entra and Intune to apply MXC constraints to specific agents.
Windows supports a diverse array of containment options, allowing guardrails to align with the nature and risk of each workload. Upcoming releases will introduce additional functionality and security enhancements to meet the evolving demands of the agent ecosystem.
Process isolation
Windows is streamlining the way process isolation is enabled for agents, giving fast and lightweight containment inside the user's own environment. It fits scenarios where model-generated code has to run within a dedicated process boundary, with access to files and network domains outside the defined policy refused by the platform. It is the lightest construct on the spectrum: cheap to create and tear down, but still running on the same kernel as the user's session, which is why higher-risk workloads move to the stronger boundaries described below. GitHub Copilot CLI has already adopted MXC process isolation to constrain what dynamically generated and executed code can do, a result of the collaboration between Windows and GitHub.
Session isolation
For workloads with many long-running processes, or that need dedicated resources, session isolation separates the agent's execution environment from the human user's workspace, mitigating risks such as UI spoofing and cross-session data leakage. Each agent session runs under its own user account, so every file, process and audit event produced from the container is attributed to that identity rather than to the human, which gives precise control and a clean audit trail. Access policies enforced on that identity let the agent operate independently with controlled local access, all managed through Microsoft Entra and Intune.
Our initial release will support non-interactive sessions, with plans for additional capabilities in future updates.
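As an added example, not code from this page or from the MXC SDK, the following script assembles the session-isolation properties described above by hand from stock Windows primitives, which is roughly the work MXC and Agent 365 take off the developer: a dedicated standard-user account so that attribution is by identity, an ACL-restricted workspace for controlled local access, the agent launched under that account, and the Security log filtered by that account. The account name, workspace path and agent binary are placeholders; the network side of a policy is not shown.

```powershell
#Requires -RunAsAdministrator
# Hand-rolled session-style isolation for a non-interactive local agent.
# Illustration only: this is NOT the MXC SDK. Names and paths below are placeholders.

$AgentName = 'svc-agent-build'                           # placeholder: dedicated local account
$Workspace = 'C:\AgentWork\build'                        # placeholder: the only tree the agent may write
$AgentExe  = 'C:\Program Files\ExampleAgent\agent.exe'   # placeholder: the agent binary

# 1. Identity. A dedicated standard user: every process, file write and Security-log event
#    the agent produces is attributed to this SID, never to the human's account.
#    The password is random, rotated on every launch and known only to this script.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$Secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

if (Get-LocalUser -Name $AgentName -ErrorAction SilentlyContinue) {
    Set-LocalUser -Name $AgentName -Password $Secret
} else {
    New-LocalUser -Name $AgentName -Password $Secret -Description 'Local agent runtime identity' `
        -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires | Out-Null
    Add-LocalGroupMember -Group 'Users' -Member $AgentName   # standard user only, never Administrators
}

# 2. Controlled local access. The agent gets Modify on its workspace by explicit grant and
#    nothing else; inheritance is stripped so no ACE from C:\ leaks in. Other users' profiles
#    are already closed to a standard user by their default ACLs.
New-Item -ItemType Directory -Path $Workspace -Force | Out-Null
icacls $Workspace /inheritance:r `
    /grant:r "${AgentName}:(OI)(CI)M" `
    /grant:r 'SYSTEM:(OI)(CI)F' `
    /grant:r 'Administrators:(OI)(CI)F' | Out-Null

# 3. Make attribution observable: process-creation auditing (event 4688) with command lines.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name 'ProcessCreationIncludeCmdLine_Enabled' -Value 1 -Type DWord

# 4. Launch the agent under that identity, rooted in its workspace, with no window of its own.
#    The resulting token carries the agent SID and only a standard user's privileges.
$cred    = [pscredential]::new($AgentName, $Secret)
$started = Get-Date
$proc    = Start-Process -FilePath $AgentExe -WorkingDirectory $Workspace -Credential $cred `
               -WindowStyle Hidden -PassThru
Wait-Process -Id $proc.Id

# 5. Attribution check: every 4688 whose SubjectUserName is the agent account is the agent's
#    work. The human's own processes never appear in this list.
function Get-AgentProcessEvents {
    param([string]$Account, [datetime]$Since)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[1].Value -eq $Account } |   # index 1 = SubjectUserName
        ForEach-Object {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = $_.Properties[1].Value
                Process     = $_.Properties[5].Value              # NewProcessName
                CommandLine = $_.Properties[8].Value              # CommandLine (needs step 3)
            }
        }
}
Get-AgentProcessEvents -Account $AgentName -Since $started | Format-Table -AutoSize
```

Run it elevated in Windows PowerShell or PowerShell 7 on Windows; the LocalAccounts cmdlets are available in both. The property worth noticing is the last step: the agent's account, not the human's, is the subject of every 4688 event, so detection and forensics can separate the two without guessing from process trees. What this script cannot provide is what the platform feature adds on top: the agent here still runs a different user inside the human's logon session rather than in a separate session, and the identity and its policy are local rather than managed through Entra and Intune.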
Micro-VM
As agent security research advances, micro-VMs emerge as a promising construct. These lightweight, hardware-backed isolation environments keep the same policy surface as process isolation while putting a hypervisor boundary between the agent and the host, so a sandbox escape ends inside a disposable guest rather than in the host kernel. Micro-VMs suit high-risk workloads: processing sensitive data or executing untrusted external code.
Linux containers
We are also extending the containment model to Linux-first agent toolchains via WSL, enabling compatibility with Linux ML frameworks and package ecosystems while maintaining OS-enforced boundaries.
MXC integration for Windows 365 for Agents (cloud VM)
Windows 365 for Agents, now generally available, takes containment beyond the local device. Agents run inside an Intune-managed Cloud PC, so a compromise is bounded by that disposable cloud instance and by the policies and identities it has been granted, and the instance can be discarded and re-provisioned. This setup suits enterprise-managed agent fleets with centrally provisioned policy and compliance. Future MXC integration will extend Windows 365 for Agents, scaling from lightweight local isolation to stronger hardware-backed boundaries under one SDK and policy model.
Innovating with partners in the ecosystem
We are collaborating with industry leaders such as Hermes, Manus, NVIDIA, OpenAI, and OpenClaw to ensure that our containment strategies align with real developer needs. OpenClaw now securely operates the node and gateway on Windows, leveraging MXC, while NVIDIA’s OpenShell integrates MXC to provide developers with a streamlined package for autonomous agents.
Hermes Agent is set to incorporate OpenShell and MXC into its new Windows application. Dillon Rolnick, CEO of Nous Research, emphasizes the importance of intentional isolation for continuously running local agents, stating, “Developers need control over what an agent can access and trust that those controls will hold.”
David Wiesen from OpenAI highlights the potential of MXC to facilitate faster, reliable execution of code while maintaining necessary security and control for enterprises. Tao Zhang, Chief Product Officer at Manus, echoes this sentiment, noting that MXC empowers developers to define agent access and enforce boundaries at runtime.
Built on a secure foundation by design
The agentic security model we are developing is built on a Windows platform designed to minimize risk by default. Years of investment in Windows have laid the groundwork for robust agentic security capabilities. Under the Secure Future Initiative, we remain committed to continuously strengthening this foundation.
Windows reduces the attack surface and elevates the security baseline, ensuring that agents inherit protection without additional effort. Features such as passwordless sign-in, Hotpatch updates, and production drivers written in Rust contribute to this enhanced security posture. Windows Defender provides real-time protection against emerging threats, including prompt injection, benefiting all Windows users.
Enterprise manageability has long been a cornerstone of Windows, and with Agent 365, we now offer native integration of observability, governance, and security capabilities for agents operating in Windows environments. This ensures that agents can be deployed securely and maintained in a secure state.
As we continue to enhance platform security with initiatives like Baseline Security Mode, we are dedicated to providing a secure foundation for trustworthy agentic computing.
Start building secure agents today
The true value of an agent lies not only in its capabilities but also in its trustworthiness in production environments. Windows empowers developers to create agents that are secure, governable, and ready for real-world deployment.
Many of these features are currently available in Windows Insider builds, with more on the horizon through our developer preview program. As Windows evolves, we are excited to support developers and organizations in their pursuit of AI innovation while ensuring trust and security remain paramount.
To embark on this journey, developers are encouraged to explore the available resources and begin building secure agents today.