Windows Is Now an Agent Operating System. The Code Landed Yesterday.

Microsoft's Build 2026 keynote positioned Windows as a platform for AI agents. The actual announcement shipped the day before.

On June 1st, 2026, Microsoft pushed a public commit to the microsoft/mxc GitHub repository. The commit — titled "Public release commit" — marked the first time Microsoft Execution Containers, the company's policy-driven containment layer for AI agents, was openly available to developers. Twenty-four hours later, Pavan Davuluri, Microsoft's Executive Vice President for Windows and Devices, took the Build stage and told the developer audience that Windows was becoming "the best place to build and run agents."

The marketing followed the code.

What MXC Actually Is

MXC — Microsoft Execution Containers — is a sandboxed code execution system for running untrusted code on Windows, Linux, and macOS, described in its GitHub repository as a "policy-driven, layered isolation and containment" tool. Developers declare what an agent can access — files, network, specific APIs — and Windows enforces those constraints at runtime. GitHub Copilot CLI has already adopted MXC process isolation to constrain what dynamically generated and executed code can do.

The MXC SDK is explicitly in early preview. The repository includes a blunt disclaimer: "no MXC profiles should currently be treated as security boundaries." That is not cosmetic language. It means the containment model Microsoft is pitching as enterprise-grade security infrastructure is not yet ready for production use in adversarial environments.

David Wiesen, a member of the technical staff at OpenAI, offered a partner quote confirming the integration: "Working with Microsoft on the Microsoft Execution Containers (MXC) allows us to explore new patterns for AI agents to safely and efficiently generate and execute code." The emphasis on "explore" and "safely" is telling. The integration is a joint experiment, not a deployed product.

The Complete Stack

What Microsoft announced at Build goes beyond MXC. Windows Development Skills — a set of structured knowledge modules for building native Windows apps with WinUI 3 — moved to general availability. The supporting GitHub repository has 132 stars and 128 commits covering the full development loop: scaffold, design, build, run, test, package, ship. It targets GitHub Copilot, Claude Code, and OpenAI Codex. This is not a prototype. It is a shipped developer toolchain for agent-driven Windows development.

Windows 365 for Agents also reached general availability. This is Microsoft's Cloud PC execution layer for computer-using agents — scenarios where an agent needs a full operating system environment rather than an API. Enterprise IT gets Defender, Entra, Intune, and Purview controls baked in through the Agent 365 integration.

Aion 1.0 Plan rounds out the announcement. It is a 14-billion parameter on-device reasoning and tool-calling model with a 32K context window, designed to run locally on capable Windows hardware. Microsoft said it will ship "in the coming months." No specific date. No confirmed device requirements.

Microsoft Security also expanded its MDASH preview — a multi-model agentic security scanning harness that orchestrates more than 100 specialized AI agents to discover and validate vulnerabilities in codebases. The system scored 96.55 percent on the CyberGym industry benchmark, up roughly 10 percent in under three weeks. Accenture's Chief Information Security Officer called it "a meaningful shift from reactive, rule-based scanning to agentic systems."

The Frame Shift

Microsoft's own language reveals the stakes. An earlier Windows platform security post described agents this way: "agents are no longer just answering questions and are increasingly taking actions across systems." That is a precise description of the capability gap that has kept enterprise AI agents out of production. Answering questions is safe. Taking actions across a file system, a network, an enterprise application — that requires containment, identity, policy enforcement, and audit trails that did not exist until now.

Windows 365 for Agents and MXC are Microsoft's answer to that gap. They give IT teams the enforcement hooks that security and compliance organizations have been demanding. They also give Microsoft a structural position in the agent stack that no independent agent framework — OpenClaw, CrewAI, LangChain — can claim without Windows-specific integration.

This is the Windows 95 move, applied to AI agents. Own the platform layer, and the applications built on top become dependent on your terms.

The Risk in the Announcement

MXC's preview disclaimer is the most important sentence in the entire Build 2026 agent stack. Microsoft is asking enterprise security teams to trust a containment model that its own repository says is not yet ready to serve as a security boundary. The CyberGym benchmark score is impressive. But a benchmark is not a production deployment, and 96.55 percent means roughly 3.45 percent of confirmed vulnerabilities still slip through.

The pricing for Windows 365 for Agents is not public. The Aion 1.0 Plan ship date is vague. The Intelligent Terminal remains an experimental fork of Windows Terminal. These are the edges where the announcement becomes aspirational.

The OpenAI Codex integration is real. The GitHub stars are real. The commit date is real. The question for builders and enterprise decision-makers is whether to trust the trajectory — or wait for the preview label to lift.