Microsoft Build 2026 revealed something that the “AI features in Windows” narrative didn’t prepare anyone for: a three-front strategy to own the operating system layer that agents will run on. Project Solara — a chip-to-cloud platform built on Android for agent-first gadgets — is only the most visible part. The rest is Microsoft Execution Containers (MXC), an OS-level sandbox embedded in Windows kernel for autonomous agents, and the Windows Agent Framework, open-sourced under MIT license. Together, they represent a coordinated bet that the agent platform war will be won at the OS layer, not the model layer.
The thesis is straightforward: the company that controls the agent runtime controls the enterprise. OpenAI owns the model zeitgeist. Google owns search and Android. Anthropic owns safety narrative. Microsoft’s counter-move is to own the substrate — the operating system primitives that agents need to run, be secured, and be managed at enterprise scale. If you are building agents for anything beyond a personal coding assistant, the next 18 months will determine whose runtime your agents live on.
The Three-Front Strategy
Microsoft’s agent OS play breaks into three distinct initiatives, each targeting a different deployment model, and each announced at Build 2026.
- Project Solara is a new platform built on the Android Open Source Project (AOSP), specifically designed for devices that don’t run apps — they run agents. Microsoft showed two concept devices: a desk companion with facial recognition and an ultra-wideband presence sensor, and a wearable badge with a fingerprint scanner, far-field microphone array, and 5G connectivity that lets frontline workers tap to activate an agent. Neither will ship as a Microsoft product. They are reference designs, built with Qualcomm wearable silicon and MediaTek IoT silicon respectively, meant for OEMs to commercialize.
Solara’s key architectural bet is “just-in-time UI” — interfaces that adapt dynamically across screen sizes and modalities without developers redesigning for each form factor. The operating system is liminal, spanning the edge device and Azure, so an agent’s state follows the user across devices. Partners including AccuWeather, Best Buy, CVS Health, Levi’s, and Target are already signed on for private pilots. - Microsoft Execution Containers (MXC) addresses a different problem: how to let autonomous agents run on existing Windows PCs without becoming a security catastrophe. MXC is a policy-driven execution layer embedded in Windows and WSL. Developers declare what an agent can access — files, network, clipboard, screen capture — and the OS kernel enforces those boundaries at runtime. The isolation spectrum ranges from fast process isolation (adopted by GitHub Copilot CLI) to session isolation (separating agent execution from the user’s desktop) to full micro-VMs.
MXC binds every agent to a strong identity — local ID or Entra-backed cloud identity — making every agent action attributable and auditable. The Agent 365 layer integrates Defender, Entra, Intune, and Purview, turning agent containment into an enterprise policy problem rather than a per-agent configuration problem. - The Windows Agent Framework (WAF) is the developer-facing piece: an MIT-licensed open-source framework that provides native agent APIs baked into the Windows OS shell. Combined with the Windows Agent Store (for distributing agents) and Azure Agent Mesh (for cross-cloud orchestration), WAF is Microsoft’s attempt to make Windows the platform where agents are built, discovered, and deployed — the same playbook Windows used to win the PC application ecosystem.
Why the OS Layer Wins
The model layer is a commodity race. OpenAI, Anthropic, Google DeepMind, and Meta are all producing frontier models within spitting distance of each other. The switching cost between models is already approaching zero as agent frameworks abstract model selection behind unified APIs.
The OS layer has no such commoditization. An agent that runs inside MXC on Windows is bound to Microsoft’s identity system (Entra), managed through its device management platform (Intune), and secured by its security stack (Defender). Replicating that integration for a competing OS means rebuilding the trust infrastructure from scratch. The enterprise switching cost is not the model — it is the runtime.
This is the same economic logic that made Windows the dominant desktop platform. Applications were sticky because they depended on Win32 APIs, registry settings, and Active Directory. Agents become sticky because they depend on MXC policies, Entra identities, and Intune management profiles.
The Competitive Landscape
No other major platform vendor has answered this question with equivalent depth.
- Apple is building on-device AI through its Neural Engine and local inference, but its strategy remains device-centric rather than agent-runtime-centric. Apple’s agent story is about what runs on the iPhone or Mac — not about orchestrating agents across a constellation of devices with a shared runtime and identity layer. The walled garden provides security through restriction, but that limitation makes it hard to deploy the kind of autonomous, multi-device agents that enterprises need.
- Google has Android, which gives it a credible foundation for mobile-first agent runtimes, and its cloud infrastructure for server-side agent orchestration. But Google’s agent announcements have been fragmented across products (Gemini, Project Mariner, AI Teammate) without the kind of unified runtime and containment strategy that MXC provides. Android’s security model is also fundamentally different — designed for app sandboxing, not for autonomous agents that act on behalf of users across applications.
- OpenAI has indicated it is building its own devices in partnership with Jony Ive, but that is a hardware play, not an OS play. OpenAI’s runtime is the cloud API — it does not control the client operating system where agents execute. Codex CLI runs in whatever environment the user provides. The partnership with Microsoft on MXC is revealing: OpenAI needs an OS-level containment story for its agents, and Microsoft provides it.
The gap in the market is clear: no major OS vendor is building agent runtime primitives into the kernel. Microsoft is doing it because it has to — Windows has the most to lose if agents bypass the traditional application model entirely. Solara is the offensive push into new device categories. MXC is the defensive moat around existing Windows enterprise deployments. WAF is the developer platform play to make those agents Windows-native.
The OpenClaw Signal
The most underappreciated signal from Build 2026 may be Microsoft’s embrace of OpenClaw. Peter Steinberger, OpenClaw’s creator, appeared on stage. Microsoft contributed a native WinUI companion app to OpenClaw. The Windows team described OpenClaw as “the ultimate test app” for MXC — if the most autonomous open-source agent framework can run safely within MXC boundaries, any agent can.
This matters because OpenClaw is not a Microsoft product. It is a community-run, MIT-licensed open-source project that gives agents broad autonomy on a user’s machine. By making OpenClaw the proving ground for OS-level containment, Microsoft is signaling that its runtime primitives are designed for an open, multi-provider agent ecosystem — not just Microsoft’s own agents.
The contrast with Apple’s approach could not be starker. Apple’s AI strategy secures the device by limiting what agents can do. Microsoft’s strategy secures the device by containing what agents can do — a distinction that matters enormously for enterprise deployment.
What This Means for Enterprise Agent Builders
If you are deploying agents in an enterprise environment today, the decision framework changes. The model provider matters less than the runtime provider, because the runtime determines your security posture, identity model, audit trail, and management surface.
Agents running on Windows through MXC gain containment, attribution, and policy governance out of the box. Agents running outside that ecosystem require bespoke security engineering that most enterprises are not equipped to do. The MXC SDK is available in early preview now. The full Agent 365 integration (Defender, Entra, Intune, Purview) arrives in July 2026.
The open question is whether Microsoft can execute across all three fronts simultaneously. Solara requires OEMs to build hardware. MXC requires third-party agent frameworks to integrate. WAF requires developers to build Windows-native agents. Each is a multi-year adoption cycle.
But the architectural direction is clear: the agent runtime war will be fought at the OS level, and Microsoft is the only platform vendor that has fielded a comprehensive answer.
No comments yet