How Microsoft Execution Containers Define Boundaries for AI Agents

Microsoft has announced Microsoft Execution Containers (MXC), a new security-focused execution layer for AI agents, at its annual Build developer conference. MXC is available on Windows and Windows Subsystem for Linux (WSL), allowing organizations to define and enforce strict boundaries around agent actions and resource access.

Microsoft highlighted that as AI agents become more capable and independent, they also become harder to predict and control. These agents can write code, access files, and carry out multi-step tasks on their own, and even a small mistake or misuse could lead to serious consequences such as data exposure or unauthorized actions. To deal with this issue, Microsoft is creating stricter boundaries around what these agents are allowed to do and ensuring that they operate within clearly defined limits.

MXC offers multiple levels of isolation for AI workloads

Microsoft Execution Containers (MXC) allow a developer or an administrator to declare exactly what an AI agent can access (files, network, apps). MXC then creates a contained execution environment that enforces those rules at runtime. This tool offers several layers of containment, including process isolation and session isolation. Administrators can adjust the level of isolation based on the agent’s activity.

In process isolation, MXC runs the AI agent within the same user session, but its access is restricted through policies. It’s typically used for low-risk tasks such as simple tool execution or automation. On the other hand, MXC separates the agent’s execution from the user’s desktop, UI, clipboard, and input devices. This approach helps to prevent different types of cyberattacks against AI agents, including UI spoofing, input injection, and cross-session data leakage.

According to Microsoft, users can choose to mark specific files as read-only for AI agents and restrict access to the browser, screen capture, and location data. IT departments can also manage all those permissions centrally through Microsoft Intune.

Agent 365 extends MXC with enterprise security controls

For IT departments, MXC will provide integration with Microsoft’s existing enterprise security stack through Agent 365. Agent 365 builds on MXC by integrating Microsoft Entra and Intune, allowing IT admins to centrally control how agents are contained while still allowing developers to select the appropriate level of isolation for their specific workloads.

Microsoft Intune will be responsible for enforcing device-level policies, Microsoft Defender for providing runtime threat protection, and Microsoft Entra for handling identity and access management. Microsoft Purview will also extend its data governance and compliance capabilities to agent activity. This means organizations could allow employees to use advanced AI agents on corporate devices without compromising oversight. At the same time, IT teams would retain centralized monitoring and control similar to managing standard enterprise software.

“Beyond containment, every agent activity must be attributable and governed. Windows assigns agents a local ID or a cloud provisioned identity backed by Entra and attributes all activity from the container to that identity, so you can clearly differentiate human from agent,” explained Pavan Davuluri, Executive Vice President, Windows + Devices.

OpenClaw demonstrates the potential of secure autonomous agents

The development of MXC was illustrated through its collaboration with OpenClaw, which began informally when its creator reached out to Microsoft about working together. This partnership grew into a practical test case, with Microsoft helping build a native Windows app that pushes MXC’s limits by allowing highly autonomous agent behavior within controlled boundaries.

This project reflects a major change in how operating systems handle AI, as vendors are now designing built-in mechanisms to manage intelligent software directly at the core level. It shows an effort to ensure that autonomous agents can be controlled, tracked, and securely operated on everyday devices where most business and personal computing takes place.

The Microsoft Execution Containers (MXC) feature is currently available in preview, and developers can begin building and testing containment policies. The Agent 365 integration with Microsoft Entra, Defender, Purview, and Entra will be available in preview in July.