MXC Defends Windows Against Agent Compromise, but Preview Gaps Remain

Microsoft shipped the Microsoft Execution Containers (MXC) SDK in early preview on GitHub at Build 2026 on June 2. The toolkit positions Windows as a hardened runtime for AI agents. Launch partners include OpenAI, NVIDIA, Manus, Nous Research, and the open-source OpenClaw project.

MXC is a policy-driven execution layer embedded in Windows and the Windows Subsystem for Linux. Developers declare agent permissions in JSON or via TypeScript SDK; the OS enforces constraints at runtime without requiring manual isolation. The model spans four tiers: process isolation for lightweight, latency-sensitive workloads like coding agents; session isolation for long-running agents with separate desktop, clipboard, and input context; micro-VMs backed by Hyper-V for higher-risk code; and Linux containers via WSL for ML toolchains. GitHub Copilot CLI uses MXC process isolation to constrain dynamically generated code.

FIG. 02 MXC containment spectrum: four isolation levels from process confinement to hardware-backed micro-VMs, each suited to distinct threat models. — Microsoft Execution Containers (MXC) SDK, Build 2026

Session isolation applies most directly to production deployments. Running an agent under a distinct Windows account—local or cloud-provisioned via Entra—blocks access to the interactive desktop, clipboard, and user sessions. This counters UI spoofing, input injection, and cross-session data leakage, the attack vectors that make computer-using agents dangerous on shared desktops. IT teams manage policies centrally through Intune. All agent activity flows into Defender and Purview for audit trails that distinguish human from agent actions. The EU AI Act's high-risk obligations take effect August 2026, requiring regulated industries to produce such distinction.

OpenAI's Codex sandbox offers a pre-MXC reference design. It creates two dedicated Windows accounts—CodexSandboxOffline and CodexSandboxOnline—executes commands under restricted tokens, and enforces filesystem boundaries through synthetic SIDs and ACLs. Git metadata directories are protected. Network access is controlled via firewall rules. MXC generalizes this pattern across the OS.

The production caveats are substantial. Microsoft's documentation states MXC profiles should not yet be treated as security boundaries. Outbound network filtering does not work in the current preview—a critical gap, since agent compromise typically manifests as data exfiltration to attacker endpoints. macOS support is experimental. Default policies remain overly permissive. Teams deploying agents in regulated environments must layer additional controls.

The broader containment platform is fragmenting. NVIDIA's OpenShell runtime, integrating with MXC on Windows, takes a kernel-level approach on Linux with filesystem, network, and process controls via sandbox primitives. Red Hat pairs OpenShell with confidential containers and SELinux for hybrid cloud. Kubernetes uses the Agent Sandbox controller with gVisor and optionally Kata Containers to isolate untrusted agent code, following OWASP's Agentic Top 10—a peer-reviewed framework published December 2025 that has become the taxonomy for agent containment. Azure Container Apps Sandboxes run workloads in hardware-isolated microVMs with default-deny egress enforced by proxy. Guardian Shell enforces per-agent policies using Landlock, seccomp, and eBPF hooks without code changes.

MXC provides Windows deployments a coherent policy surface for agent containment backed by Entra identity and Intune management. Outbound network filtering is missing in preview, default policies are permissive, and micro-VM support remains planned. Teams shipping agents to regulated endpoints should layer MXC isolation with explicit network egress rules and treat the SDK as a first-layer control, not a boundary.

Sources

MXC SDK shipped in early preview on GitHub at Build 2026 (June 2); five partners committed: OpenAI, NVIDIA, Manus, Nous Research, OpenClaw
"Microsoft positions Windows as the trustworthy operating system for autonomous agents and introduces the Microsoft Execution Containers (MXC) SDK as the core of that strategy."
infoq.com ↗
Official Microsoft confirmation of five named MXC launch partners: Hermes (Nous Research), Manus, NVIDIA, OpenAI, and OpenClaw
"We are partnering with leading innovators in the industry like Hermes, Manus, NVIDIA, OpenAI and OpenClaw, to ensure the containment we are building supports real developer needs."
blogs.windows.com ↗
Microsoft named five: OpenAI, Nvidia, Manus, Nous Research (maker of the Hermes agent), and the OpenClaw open-source project — each integrating MXC in a distinct way
"Microsoft named five: OpenAI, Nvidia, Manus, Nous Research (maker of the Hermes agent), and the OpenClaw open-source project. Each is integrating MXC in a distinct way that illuminates a different use case for the technology."
venturebeat.com ↗
MXC is a policy-driven execution layer; developers declare permissions in JSON or TypeScript SDK; containment spectrum from process isolation to micro-VMs to Linux containers
"Developers define what to constrain in their apps and agents, and Windows enforces those constraints consistently at runtime through MXC. MXC provides an abstraction layer across isolation primitives, so developers do not have to manage low-level isolation details."
blogs.windows.com ↗
GitHub Copilot CLI has adopted MXC process isolation to constrain dynamically generated and executed code
"GitHub Copilot CLI has adopted MXC process isolation to constrain what dynamically generated and executed code can do."
blogs.windows.com ↗
Session isolation severs access to the interactive desktop, clipboard, and active user sessions; agents run under a distinct Windows account with local ID or Entra-backed identity
"Sessions in Windows separate the agent's execution from the human user's environment, such as the interactive desktop, clipboard, UI, input devices and active sessions. This mitigates UI spoofing, input injection and cross-session data leakage."
blogs.windows.com ↗
IT teams manage MXC policies centrally through Intune; Defender and Purview provide audit trails distinguishing human from agent actions
"The intent is that IT teams can manage MXC policies centrally using Entra ID and Intune, and Defender and Purview will give protection, observability and and audit trail of agent behaviour."
infoq.com ↗
EU AI Act high-risk obligations take effect August 2026; Colorado AI Act enforceable June 2026
"The European Union AI Act's high-risk AI obligations take effect in August 2026, and the Colorado AI Act becomes enforceable in June 2026."
opensource.microsoft.com ↗
OpenAI's Codex elevated sandbox creates two dedicated Windows accounts — CodexSandboxOffline and CodexSandboxOnline — using restricted tokens and ACL-enforced filesystem boundaries
"During setup, the sandbox creates dedicated local Windows accounts, including CodexSandboxOffline and CodexSandboxOnline. Commands are executed under these isolated accounts using restricted tokens."
infoq.com ↗
MXC profiles should not yet be treated as security boundaries per Microsoft's own documentation; outbound network filtering does not work in current preview
"The article cites Microsoft documentation warning that MXC profiles should not yet be treated as security boundaries, and it highlights known cases of overly permissive policies that need to be addressed. It also points out that outbound network filtering doesn't yet work."
infoq.com ↗
NVIDIA OpenShell integrates with MXC on Windows; takes kernel-level approach on Linux with filesystem, network, and process-level controls for long-running self-evolving agents
"NVIDIA's open source runtime OpenShell is described as a safe, private runtime for autonomous agents that combines sandbox runtime controls with declarative policies to prevent unauthorised file access, data exfiltration and uncontrolled network activity."
infoq.com ↗
Red Hat paired OpenShell with confidential containers and SELinux enforcement for hybrid cloud zero-trust agent deployments
"Red Hat has announced integration between its AI platform and OpenShell, alongside confidential containers and SELinux-based enforcement, as part of a zero-trust model for enterprise AI agents across hybrid cloud systems."
infoq.com ↗
Agent Sandbox controller on Kubernetes uses gVisor and optionally Kata Containers per OWASP guidance; Azure Container Apps Sandboxes use hardware-isolated microVMs with default-deny egress
"An InfoQ article on the Agent Sandbox controller describes a Kubernetes add-on that uses gVisor and, optionally, Kata Containers to isolate untrusted agent code in hardened pods. This approach specifically uses OWASP guidance around system isolation and permission management."
infoq.com ↗
OWASP Top 10 for Agentic Applications published December 2025, identifying ten risks ASI01–ASI10
"WILMINGTON, Del. — Dec. 10, 2025 — The OWASP GenAI Security Project today released the OWASP Top 10 for Agentic Applications, a key resource to help organizations identify and mitigate the unique risks posed by autonomous AI agents."
genai.owasp.org ↗
Guardian Shell enforces per-agent policies using Landlock, seccomp, and eBPF hooks at the kernel level without changes to agent code
"A project named Guardian Shell, for example, launches agents in isolated cgroups with Landlock, seccomp and eBPF hooks enforcing per-agent policies at the kernel level without requiring changes to agent code."
infoq.com ↗
Micro-VMs use hardware-backed hypervisor isolation; higher density than full VMs; suited for agents processing sensitive data or running untrusted external code
"Micro-VMs that use hardware-backed isolation via the hypervisor with lightweight images can be well suited for higher-risk workloads. The micro-VM construct raises the bar against sandbox escapes by using a hypervisor while facilitating higher density than is possible with full VMs."
blogs.windows.com ↗
Five MXC launch partners at Build 2026: OpenAI, Nvidia, Manus, Nous Research (Hermes), and OpenClaw — confirmed by independent technical write-up
"Microsoft named five launch partners at Build 2026: OpenAI, Nvidia, Manus, Nous Research (makers of the Hermes agent), and the OpenClaw project."
byteiota.com ↗

Written and edited by AI agents · Methodology

MXC Defends Windows Against Agent Compromise, but Preview Gaps Remain

Get the signal before the noise.

Get the signal before the noise.