Microsoft just made Windows the agent operating system

Wed, 03 Jun 2026 07:20:53 +1000

Microsoft’s annual developer conference, Build, kicked off at 3am Melbourne time on Wednesday. I didn’t stay up to watch - but I’ve absorbed the media releases and technical docs, and there’s a genuine shift happening here that’s worth unpacking.

TL;DR for the non-technical: AI assistants are about to get much more capable, but that creates a trust problem - how do you let a smart assistant do things on your computer without giving it the keys to everything? Microsoft just announced that Windows itself will act as the security guard. It will control exactly what an AI assistant can see and touch on your machine, track what it does separately from what you do and run smaller AI models directly on your computer so your data doesn’t have to leave your desk. Think of it as giving your AI assistant its own office with its own keycard, instead of letting it wander freely through yours. The catch: it needs newer, more powerful hardware to work properly, and most of it isn’t shipping yet.

Now, the details.

The trust layer the agent world was missing

Microsoft is turning Windows into an operating system for AI agents. Not in the vague “AI-powered everything” way they’ve been doing for two years. In a concrete, architectural, here-are-the-APIs way.

The centrepiece is Microsoft Execution Containers (MXC) - a policy-driven sandboxing layer being built into the OS. Developers declare what an agent can access (files, network, clipboard, UI) and Windows enforces those boundaries at runtime. Not your app. Not a third-party sandbox. The operating system itself.

Right now, if you’re running an agent locally, you’re trusting it with whatever your user account can touch. Every file, every browser session, every credential in your keychain. MXC proposes to change that from “the agent can do whatever I can do” to “the agent can do exactly what I’ve declared it can do, and nothing else.”

A caveat: MXC is in early preview. Microsoft’s own GitHub repo warns that current profiles “should not be treated as security boundaries” and notes that some Windows network and file controls aren’t fully supported yet. The direction is right; the implementation is months away from being something you’d trust with real workloads.

“Continuously-running local agents, like Hermes Agent, require intentional isolation. Developers need control over what an agent can access and trust that those controls will hold. Microsoft Execution Containers, integrated with OpenShell, provides a policy-driven foundation for private, on-device agents on Windows.”

Dillon Rolnick, CEO, Nous Research

NVIDIA, OpenClaw, Manus, OpenAI and Nous Research (Hermes) are all building on MXC. That breadth of early adoption says something about the gap this fills.

Agent identity: the boring part that matters most

Windows will assign agents their own identity - either a local ID or a cloud-provisioned Entra identity - and attribute all activity from within the container to that identity. You can now distinguish between what a human did and what an agent did on the same machine.

For enterprise audit trails, this is foundational. For personal use, it means you can give an agent meaningful permissions without giving it your permissions.

On-device models: small, local and getting serious

SLMs - small language models - are the compact cousins of the frontier LLMs like GPT-4 and Claude. The boundary is fuzzy, but roughly: if it runs comfortably on a laptop without cloud infrastructure, it’s small. SLMs typically run under 14 billion parameters. They’re fast, free (they run on your hardware), work offline and keep your data private. But they’ve been limited to simpler tasks - summarisation, classification, text cleanup.

Microsoft just moved the goalpost with Aion 1.0, two new SLMs purpose-built for Windows.

Aion 1.0 Instruct handles the lightweight stuff - summarisation, rewriting, intent detection. Ships as open weights on Hugging Face in July.

Aion 1.0 Plan is the one that matters. A 14 billion parameter reasoning and tool-calling model with a 32K context window, shipping in-box on capable Windows devices “in the coming months.” It can reason over user intent, invoke tools, manage files and orchestrate sub-agents. Entirely on-device. No cloud round-trip. No per-token cost. When it ships, that’s not an SLM doing party tricks. That’s a local agent runtime.

The Apple contrast

Compare that to Apple. Apple’s on-device Foundation model has a 4K context window. Four thousand tokens - roughly 3,000 words, less than this blog post. To be fair, Apple’s Foundation Models framework does support tool calling and in-app actions. It’s not incapable. But it’s positioned for constrained app features - summarise this notification, rewrite this email, trigger this shortcut - not for long-running agent workflows that need to hold a project brief, a tool registry and a conversation history in context simultaneously.

Aion 1.0 Plan at 32K tokens can hold an entire project brief, a set of tool definitions, a conversation history and still have room to reason. Apple’s Foundation at 4K is working with a fraction of that. One is architected for agents. The other is architected for smart assists.

And Siri? Apple has been promising a Siri overhaul powered by Apple Intelligence for two years. What we’ve seen so far is incrementally better intent parsing on a growing but still limited set of system commands. Meanwhile, Microsoft is announcing a 14B reasoning model designed to plan multi-step workflows, call APIs and spawn sub-agents - locally, on the device.

Apple gets one more week. WWDC is June 8. If the Siri update and on-device model story doesn’t dramatically close this gap, the narrative shifts from “Apple is taking a careful, privacy-first approach” to “Apple is a generation behind on the thing that matters most.”

For Mac users - and I say this as someone running an agent system on Apple silicon - there’s no equivalent story on macOS yet. Apple has kernel-enforced App Sandbox and entitlements, which is solid app-level isolation. But there’s nothing approaching agent-specific containment with policy-driven permissions, identity attribution and enterprise manageability. macOS doesn’t yet have a public story for agent identity, agent governance or agent-aware containment.

The hardware reality check

The Surface RTX Spark Dev Box pairs NVIDIA RTX Spark silicon with 128GB of unified CPU/GPU memory and 1 petaflop of AI compute. At the extreme end, the DGX Station for Windows brings NVIDIA GB300 Grace Blackwell to a deskside form factor - capable of running 1 trillion parameter models locally. That’s a datacentre in a box, running Windows.

These machines will run Aion 1.0 Plan beautifully. But most Windows PCs won’t.

Microsoft hasn’t published specific RAM requirements for Aion 1.0 Plan. The Build post says only that it runs on “capable devices.” But we can do the maths. A 14B model at 4-bit quantisation needs roughly 7-9GB for the weights. Add the KV cache for that 32K context window, plus whatever else is running, and you’re looking at 24-32GB as a realistic minimum. At full precision, 40-50GB.

The average enterprise Windows laptop ships with 16GB of RAM. Many still ship with 8GB. These machines can barely run Teams and a browser simultaneously, let alone a 14B reasoning model doing agent orchestration in the background.

The gap between “ships in-box on Windows” and “runs on your Windows PC” is the width of a RAM spec sheet, and most of the installed base is on the wrong side of it.

Microsoft is selling a vision of local agent intelligence. What they’re actually shipping is a hardware upgrade cycle with an AI justification. That’s not cynical - the hardware genuinely enables new capabilities. But Aion 1.0 Plan is a feature for new machines with 32GB+ and capable GPUs, not the fleet of three-year-old Dell Latitudes on corporate desks today.

From Copilot buttons to actual architecture

There’s a maturity shift here. Since late 2023, Microsoft’s AI strategy has been “put a Copilot button on everything.” Copilot in Word. Copilot in Teams. Copilot in Excel. Copilot in Paint. Copilot in the taskbar. Copilot on a dedicated keyboard key that nobody asked for. AI as a marketing exercise - a chatbot duct-taped onto every application, with no coherent platform story underneath.

Build 2026 is different. MXC is being built as an OS primitive, not an app feature. Agent identity is designed into the security model, not bolted onto a chatbot wrapper. The on-device models will ship in-box, available to any application through system APIs. Some of this is shipping now, some is preview, some is roadmap. But the direction is unmistakable.

The Copilot buttons were decoration. MXC, Aion, agent identity - that’s architecture.

Absorbing Linux to defend enterprise

Almost everything in this announcement is Microsoft borrowing from Linux.

Coreutils for Windows? GNU Coreutils reimplemented in Rust. WSL containers? Linux containers, running on Windows, managed by Windows tooling. MXC’s containment model? Namespace isolation, cgroups, policy enforcement - the bones of Docker and LXC, dressed in Redmond clothing. Even the developer configuration tooling reads like a curated version of what every Linux developer does with a dotfiles repo and a shell script.

This isn’t criticism. It’s strategy. AI development happened on Linux first. The models were trained there. The frameworks were built there. The agent tooling - LangChain, CrewAI, Hermes, Ollama - all assumed a Unix environment. Windows was where you ran Office. Linux was where you ran inference.

Microsoft looked at that reality and decided to absorb it rather than fight it. WSL was the opening move five years ago. WSL containers is the next step - built-in Linux containers on Windows with CLI and API, no third-party Docker dependency, plus enterprise policy controls for IT admins to govern what containers run and where images come from. MXC then takes those container isolation concepts and wires them into the enterprise management stack. The result is something neither platform had alone: contained agent execution with corporate governance.

Microsoft isn’t inventing containment. They’re making it legible to the CIO.

This is Microsoft defending its enterprise position. If AI agents are going to run on every developer’s machine and every knowledge worker’s desktop, and those machines are overwhelmingly Windows in enterprise, then Windows needs to be where agents run safely. The alternative - developers increasingly working in Linux VMs, Docker containers and remote cloud instances - erodes the relevance of the Windows desktop itself.

Can they execute?

The question isn’t whether this is the right direction. It obviously is. The question is whether Microsoft can execute it without the usual three-year lag between announcement and production-ready reality. MXC is in “early preview.” Aion 1.0 Plan is “coming in the coming months.” The DGX Station is “Q4 this year.”

I’ll believe it when I can install it. But the architecture is right, and the partnerships are real. Microsoft hasn’t shipped the agent OS. They’ve announced the architecture and early primitives for one. That’s still more than anyone else has put on the table. If you’re building agents that run locally, Windows just became a much more interesting platform.

Source: Build 2026: Furthering Windows as the trusted platform for development - Pavan Davuluri, EVP Windows + Devices, Microsoft.

Rambling Rows