At Build 2026 in San Francisco, Microsoft positioned Windows as an operating system for AI agents, putting software that can build apps, run shell commands and execute code at the center of its developer pitch. The June 2 keynote framed the work as a stack rather than a single product, with agents meant to take action under enterprise controls. Of the marquee pieces, only a handful reach developers today; the rest are preview or still months away.
Pavan Davuluri, executive vice president for Windows and Devices, said the company wants developers to run AI workloads “on-device, in the cloud or across both without trade-offs.” The pieces that can actually run an agent today are real and shipping. The parts that make Windows safe for those agents are early code, and that gap shapes what the announcement means for anyone building right now.
The Shipping List Behind the Pitch
Microsoft grouped the news under its Windows developer platform roundup for Build 2026, and the roundup is honest about maturity. A few of the headline features are generally available. The rest run from experimental to an early platform sketch with no ship date.
| Component | Status | What it does |
|---|---|---|
| Windows Development Skills | Generally available | Gives agents structured knowledge to build native Windows apps |
| Windows Developer Configurations | Generally available | Reproducible setup for developer machines |
| Windows 365 for Agents | Generally available | Cloud PC execution layer for computer-using agents |
| Intelligent Terminal 0.1 | Experimental preview | Agent-aware fork of Windows Terminal |
| Microsoft Execution Containers | Early preview | Policy-driven sandbox for agent code |
| Aion 1.0 Plan | Coming in preview | On-device reasoning and tool-calling model |
| Project Solara | Early look | Chip-to-cloud platform for multi-agent systems |
That spread matters because the agent story leans hardest on the youngest code. The features that let an agent build a native app and run inside a managed Cloud PC are usable now. The container layer meant to keep those agents from wrecking a machine is the least finished thing in the set, and it is the part the whole vision depends on.
Agentic Skills Reach Native Windows Apps
The clearest payoff for developers is in how agents now build Windows software. Microsoft is feeding coding agents platform-specific knowledge so they stop guessing at WinUI patterns, and it is wiring agent help into the shell where developers already live.
From Scaffold to Ship
The most concrete piece is Windows Development Skills, now generally available. It gives agents structured knowledge for building a native Windows app with WinUI 3 and the Windows App SDK (software development kit), exposed through the WinApp command-line interface. The open-source WinUI agent and skills repository on GitHub shows how literal that is: one agent, eight skills and supporting tools for GitHub Copilot, Claude Code and OpenAI Codex. They target the loop a developer runs dozens of times a day.
- Scaffold the project
- Design the interface
- Build and run
- Test the result
- Package the app
- Ship it
Rather than asking a general coding agent to infer how a Windows app should be wired, Microsoft hands it the platform rules up front. The company is publishing a wider catalog of agentic Windows development tools on Microsoft Learn alongside the skills.
A Pair-Programmer in the Shell
Microsoft also shipped Intelligent Terminal 0.1, an experimental open-source fork of Windows Terminal with an agent pane, an agent status bar and automatic error detection. When a command fails, the terminal loads the error into the agent pane so the agent can explain it and suggest or run a fix, with no copy-pasting into a browser. GitHub Copilot CLI is the default agent, though the terminal supports any tool that speaks the Agent Client Protocol. Copilot’s spot as the default fits Microsoft’s broader move to route its own developers off Claude Code and onto an in-house Copilot model. The shell already holds command output, failed builds, package-manager errors and Git state, so it is a natural place to drop an agent.
Containment Becomes a Platform Requirement
The other major thread is keeping agents on a leash. In a separate security post, Microsoft said agents are “no longer just answering questions” and increasingly read files, invoke services, modify environments and chain operations together. That raises trust questions the old assistant model never had to answer.
Process and Session Isolation
The answer is Microsoft Execution Containers (MXC), an early-preview SDK and policy-driven execution layer for agents on Windows and WSL (Windows Subsystem for Linux). A developer or IT administrator writes a policy declaring which files, directories and network resources an agent may touch, and Windows enforces it at runtime. The open-source MXC repository on GitHub describes it as a sandbox for running untrusted code across Windows, Linux and macOS. It offers several containment levels:
- Process isolation – fast, lightweight containment for running model-generated code; GitHub Copilot CLI has already adopted it.
- Session isolation – separates the agent from the user’s desktop, clipboard, interface and input devices for longer-running work.
- Micro-VMs – hardware-backed hypervisor isolation for higher-risk workloads, still on the roadmap.
OpenAI is one of the named partners testing it. Its endorsement, published in Microsoft’s Windows platform security guidance for agents, is careful and forward-looking.
Working with Microsoft on the Microsoft Execution Containers (MXC) allows us to explore new patterns for AI agents to safely and efficiently generate and execute code.
That is David Wiesen, a member of technical staff at OpenAI, quoted in the security post. Note the verb: explore.
Not Yet a Security Boundary
The caveat is the loud part. Microsoft’s own repository warns that no current MXC profiles should be treated as security boundaries. Process and session isolation reach Windows Insiders shortly after Build; the stronger micro-VM and container backends are roadmap items. Microsoft put the production stakes plainly in the same post, writing that the value of an agent is not only what it can do but whether it can be trusted to run unattended. For now, the layer that earns that trust is preview software that Microsoft itself says you should not rely on for security.
Where Cloud PCs Give Agents Room to Act
Some tasks cannot be done through an application programming interface, so Microsoft is giving agents a full Windows session to work inside. Windows 365 for Agents, which Microsoft listed as generally available, acts as an execution layer for computer-using agents within Agent 365. An agent can obtain a Cloud PC and carry out actions in a real Windows session while the service handles provisioning, session lifecycle, isolation and operational reliability.
The documented use cases are the messy ones: driving desktop or web apps that lack reliable APIs, performing interface-level clicks, supporting human-in-the-loop review and running inside environments governed by Microsoft Entra ID, Microsoft Intune and Conditional Access. It gives Microsoft a cloud-side answer to the same problem the containers address locally. Agents need somewhere to act, and that somewhere needs identity, policy and an audit trail before any enterprise will switch it on.
Aion Pushes Reasoning Onto the Device
Microsoft also moved part of the agent brain onto the machine. Aion 1.0 Plan is a 14-billion-parameter reasoning and tool-calling model with a 32K context length that the company said will ship in-box on capable Windows devices. It is built to reason over user intent, invoke tools, manage files and orchestrate sub-agents, which is the orchestration job an on-device agent needs. A lighter sibling, Aion 1.0 Instruct, handles everyday text work like summarizing and rewriting.
The model rides on a broader change to Windows AI APIs, which Microsoft extended beyond neural processing units (NPUs) to CPUs and GPUs. That widens local inference to more Windows 11 machines instead of only the newest Copilot+ class hardware. The heavier developer kit, the Surface RTX Spark Dev Box and a DGX Station for Windows built with Nvidia, lands in Q4 2026, the same wave as Nvidia’s RTX Spark superchip for Arm-based Windows PCs. Microsoft also teased Project Solara, a chip-to-cloud platform for an open multi-agent world, as an early look rather than a tool anyone can use.
Windows Development Skills and Windows 365 for Agents are usable today. The containment layer the pitch depends on reaches Insiders only after Build, and Aion arrives in the coming months. Until those land, Windows is an agent platform mostly on the roadmap, sitting on a small set of shipping parts.
Frequently Asked Questions
Which Build 2026 Windows agent tools can developers use right now?
Three are generally available: Windows Development Skills, Windows Developer Configurations and Windows 365 for Agents. Intelligent Terminal 0.1 is an experimental preview, Microsoft Execution Containers is early preview, and Aion 1.0 Plan arrives in the coming months. Project Solara is an early platform look with no developer release.
Can Microsoft Execution Containers be used as a production security boundary?
No. Microsoft’s own repository warns that no current profiles should be treated as security boundaries. The SDK is early preview; process and session isolation reach Windows Insiders shortly after Build, with hardware-backed micro-VMs still on the roadmap.
What hardware does Aion 1.0 Plan need?
It ships in-box on capable Windows devices, with Copilot+ class NPUs the expected gate for running a 14-billion-parameter model at 32K context. Microsoft also widened Windows AI APIs beyond NPUs to CPUs and GPUs, bringing some local inference to a wider set of Windows 11 PCs.
What is Project Solara?
Microsoft described Project Solara as a chip-to-cloud platform built for an open, multiple-agent world. At Build 2026 it is an early look at future agent-first hardware and platforms, not a product or developer tool available today.
