Microsoft Build 2026: Windows Is Now an AI Agent Platform
June 4, 2026
At Build 2026 (June 2–3, San Francisco), Microsoft repositioned Windows as a secure platform for building and running AI agents. The pillars: Microsoft Execution Containers (MXC) for OS-enforced sandboxing, agent identity backed by Entra, Aion 1.0 on-device models, and a developer experience rebuilt around agentic workflows.[1][2]
TL;DR
Microsoft's Build 2026 message for developers is that agents are now a first-class workload on Windows. Microsoft Execution Containers (MXC) is a new policy-driven execution layer — in early preview — that lets you declare what an agent can touch (files, network) and have the OS enforce those boundaries at runtime, across Windows and WSL.[1] Every agent gets its own identity, either a local ID or a cloud-provisioned identity backed by Entra, so activity is attributable and governable.[1] On the model side, Aion 1.0 Instruct (a new small language model, previewable today in Edge Insider channels, with open weights coming to Hugging Face in July) and Aion 1.0 Plan (a 14-billion-parameter reasoning and tool-calling model with a 32K context window that ships in-box) bring agentic capability on-device with no per-token cost.[1] OpenAI, NVIDIA, Manus, Nous Research, and the OpenClaw project are already building on MXC.[1][3]
What you'll learn
- What Microsoft Execution Containers (MXC) are and how the isolation spectrum works
- How OS-enforced agent identity and Agent 365 governance fit together
- What the Aion 1.0 Instruct and Aion 1.0 Plan on-device models can do
- The new developer tooling: Coreutils for Windows, WSL containers, Intelligent Terminal
- The hardware story: Surface RTX Spark Dev Box and DGX Station for Windows
Why Microsoft is rebuilding Windows around agents
Microsoft's framing is blunt: agents deliver productivity gains, but "the issue isn't just the agent. It's the entire system the agent operates across."[1] Every interaction between agents, humans, tools, apps, and models is new attack surface. Pavan Davuluri, EVP of Windows + Devices, describes it as "a multi-layer systems problem" — which is why Microsoft built containment, identity, and manageability as primitives in the operating system itself, rather than leaving them to individual agent frameworks.[1]
This lands alongside Microsoft's in-house MAI model family, also announced at Build 2026 — we covered MAI-Thinking-1 and MAI-Code-1-Flash in detail in our Microsoft MAI models breakdown.
Microsoft Execution Containers (MXC): a sandbox spectrum for agents
Microsoft Execution Containers (MXC) is a cross-platform, policy-driven execution layer for agents across Windows and WSL, available now in early preview on GitHub.[1] Developers declare what an agent can access — file and network policies that can be configured in Intune — and MXC enforces those boundaries at runtime.[1]
Rather than one sandbox, MXC exposes a composable spectrum behind a single SDK and policy model:
| Isolation tier | What it does | Status |
|---|---|---|
| Process isolation | Fast, lightweight containment; already adopted by GitHub Copilot CLI | Windows Insiders shortly after Build [1] |
| Session isolation | Separates the agent from the user's desktop, clipboard, UI, and input devices; binds the agent to a strong user identity | Windows Insiders shortly after Build [1] |
| Windows 365 for Agents | Agent runs in an Intune-managed Cloud PC, fully separate from the user's machine | Generally available [1] |
| Micro-VMs and Linux containers | Heavier containment options | On the MXC roadmap [1] |
Session isolation is the interesting one for security engineers: by cutting the agent off from the user's desktop, clipboard, and input devices, it mitigates UI spoofing, input injection, and cross-session data leakage — the attack classes that make computer-using agents risky on a shared desktop.[1]
Who's building on MXC already
Microsoft named five partners: OpenAI, NVIDIA, Manus, Nous Research (maker of the Hermes agent), and the open-source OpenClaw project.[1][3] OpenClaw's node and gateway now run contained on Windows via MXC, with a companion app for setup. NVIDIA is bringing OpenShell to Windows built on MXC, and Nous Research's Hermes Agent will integrate both. On the OpenAI side, David Wiesen (Member of Technical Staff) says the goal is "to help developers move from intent to reliable execution faster, while maintaining the security and control enterprises need."[1]
Agent identity and governance: every agent is accountable
Containment alone isn't enough — Microsoft's second primitive is identity. Windows assigns each agent a local ID or a cloud-provisioned identity backed by Entra, and attributes all activity from the container to that identity, so humans and agents are clearly distinguishable in logs and policy.[1]
Native integration with Agent 365 (in preview in July) layers Defender, Entra, Intune, and Purview protections on top, so security teams can constrain local agents centrally — gating runtime execution, controlling sensitive data access, and watching for malicious prompts and risky behavior.[1] Windows 365 for Agents is now generally available within Agent 365, giving computer-using agents managed Cloud PCs to execute multi-step workflows across real software.[1]
Aion 1.0: on-device models for "unmetered intelligence"
Microsoft's pitch for local AI is economic as much as technical: agentic workflows demand continuous compute, and cloud inference bills scale with it. The answer is what it calls "unmetered intelligence" — frontier models for frontier problems, everything else running locally at no per-token cost.[1]
Two new models anchor this, both described as available in the coming months:[1]
- Aion 1.0 Instruct — the next-generation Windows small language model, smaller, faster, and more efficient than the current in-box SLM. It powers everyday text intelligence (summarization, rewrite, intents, accessibility), integrates into Edge, and is previewable today in Edge Insider channels. Microsoft says open weights land on Hugging Face in July.[1][4]
- Aion 1.0 Plan — a 14-billion-parameter reasoning and tool-calling model with a 32K context window that ships in-box as part of Windows on capable devices. It can reason over user intent, invoke tools, manage files, and orchestrate sub-agents — fully agentic workflows without a cloud round trip.[1]
Alongside the models, a new on-device Speech Recognition API enters public preview (English first), and existing Windows AI APIs expand beyond NPUs: the in-box SLM now runs on capable GPUs, and Video Super Resolution and Speech Recognition run on CPUs.[1] That matters because it extends local AI from the narrow slice of NPU-equipped Copilot+ PCs to the broader Windows 11 install base.
If you're weighing local against cloud inference costs for agent workloads, our GPU cloud comparison breaks down the cloud side of that equation.
Developer experience: Coreutils, WSL containers, and an agent-aware terminal
The quality-of-life announcements are aimed squarely at developers who live across Linux and Windows:
- Coreutils for Windows (generally available) — Linux-like command-line utilities running natively on Windows, built from the uutils open-source project, a Rust reimplementation of GNU Coreutils.[1]
- WSL containers (public preview in the coming months) — a built-in way to create, run, and manage Linux containers on Windows with a new CLI and API, without third-party tooling. Since open-sourcing WSL at Build 2025, Microsoft says community contributions have grown to over 200 pull requests per month.[1]
- Intelligent Terminal (experimental preview) — builds on Windows Terminal and connects your preferred agents via the Agent Communication Protocol (ACP), so a failed command can surface context and suggested fixes in a dedicated agent pane without leaving the terminal. GitHub Copilot is available out of the box if no agent is installed.[1]
- Windows Developer Configurations (generally available) — a WinGet configuration that takes a fresh machine to ready-to-code, with WSL, PowerShell 7, Git, GitHub CLI, VS Code, and Python.[1]
- Windows Development Skills (generally available) — structured knowledge packs that let agents build native Windows apps end-to-end with WinUI3 skills and the winapp CLI.[1]
If you're building agent tooling yourself, our MCP client tutorial in TypeScript covers the protocol layer that many of these agent integrations speak.
The hardware: local AI gets deskside supercomputers
Two purpose-built developer machines round out the local-compute story:[1]
- Surface RTX Spark Dev Box — powered by NVIDIA RTX Spark silicon, delivering up to 1 petaflop of AI compute (theoretical FP4 with sparsity, per NVIDIA) and 128 GB of unified memory shared across CPU and GPU. Available later this year in the U.S., exclusively on Microsoft.com.
- DGX Station for Windows — built on the NVIDIA GB300 Grace Blackwell Ultra Superchip, capable of running frontier models up to 1 trillion parameters locally. Coming in Q4 this year.
The hybrid-compute piece is GitHub Copilot CLI's /fleet: the primary agent runs in the cloud, builds a plan, assesses each task's complexity, and routes appropriate tasks to subagents powered by a local model — using your own silicon to cut cost without giving up frontier quality where it counts.[1]
Microsoft also teased Project Solara, a new platform "built from the ground up to power agent-driven experiences," including two concept devices — though details remain thin beyond the mission statement.[1]
The bottom line
Build 2026 marks the moment Microsoft stopped treating agents as apps and started treating them as a workload class with OS-level primitives: containment via MXC, identity via Entra-backed agent IDs, governance via Agent 365, and local inference via Aion 1.0. For developers, the practical takeaways are immediate — the MXC SDK, Coreutils, and Windows Developer Configurations are available today, with the rest rolling out through 2026. As of June 4, 2026, the open questions are pricing and reach: Aion 1.0 Plan's in-box availability depends on what Microsoft deems "capable devices," and the Surface RTX Spark Dev Box launches U.S.-only.
Sources
[1] Build 2026: Furthering Windows as the trusted platform for development — Windows Developer Blog (Pavan Davuluri, June 2, 2026)
[2] Microsoft Agent Framework at BUILD 2026 — Microsoft Dev Blogs
[3] Microsoft launches MXC, an OS-level sandbox for AI agents — VentureBeat
[4] Build 2026: Microsoft Brings More On-Device AI to Edge — Thurrott