
Codex for every role, tool, and workflow

Discover new Codex plugins, sites, and annotations that help analysts, marketers, designers, investors, and other teams get more done with AI.

1.0.58


2026-06-02

  • Actionable error message shown when GitHub API rate limit is hit during copilot update
  • Add /rubber-duck command for adversarial feedback on code and designs
  • Plugin slash commands (/plugin install, uninstall, update, marketplace add/remove/browse) now show immediate feedback while the operation is in progress
  • Canceling a running shell command (Ctrl+C on a !command, or aborting an agent command — including in sandboxed and background-promoted shells) now terminates the whole process tree instead of leaving orphaned processes running
  • Canvas providers can return file:// URLs in open results for local file previews
  • Symlinked directories appear in /cwd completion suggestions
  • In Azure DevOps-only repositories, the built-in GitHub MCP server now exposes only the web_search tool instead of being fully disabled
  • Quota footer shows remaining requests as a rounded percentage
  • /lsp show, /lsp test, and /lsp reload correctly discover project LSP config when the CLI is launched from a subdirectory
  • MCP server timeout configuration is preserved after tools list changes
  • /skills add and /skills remove correctly handle paths wrapped in quotes (e.g., from Windows Explorer "Copy as path")
  • Running copilot with an unquoted multi-word prompt now shows a helpful "quote your prompt" hint instead of a raw commander error
  • Default networking transport is now HTTP/1.1, improving reliability on some network paths. Opt into HTTP/2 with COPILOT_ENABLE_HTTP2=1.
  • Plugins auto-installed from repository settings no longer leak into user global config
  • Grep tool correctly handles tsx and jsx as file type filters
  • COPILOT_HOME is honored for the server discovery registry directory
  • Click a diff line with the mouse to select it in diff mode
  • Ctrl+C and other modified keys work correctly inside tmux
  • @-mention file search matches files regardless of query letter casing
  • copilot plugin marketplace list now honors repo-level extraKnownMarketplaces settings from .github/copilot/settings.json
  • Queued prompts in the footer are capped to a single line, preventing them from pushing session messages off screen
  • MCP servers configured with npx --registry are no longer incorrectly blocked by policy
  • Session no longer hangs indefinitely after an error occurs during internal event processing
  • Installed plugins no longer include the .git directory from the plugin source repository
  • New reasoning after tool calls appears at the bottom of the timeline instead of above earlier output
  • Pasting text copied from a browser, editor, or terminal no longer leaves a stray empty line, broken box-drawing lines, or a misplaced cursor in the prompt
  • preToolUse hook errors now deny the tool call instead of silently allowing execution
  • Session resume works correctly after a crash that left partial data in the session log
  • High-contrast diff backgrounds use darker colors to improve text readability
  • Add showTipsOnStartup setting to control whether startup tips are shown
  • Surface the underlying reason (e.g. GitHub API rate limit) when SDK auth-token validation fails, instead of the misleading "Session was not created with authentication info or custom provider" message.
  • /diff defaults to branch diff when there are no unstaged changes

v1.0.0


What's Changed

  • fix(dotnet): Add AOT-safe SetForegroundSessionRequest for SetForegroundSessionIdAsync() by @Encryptoid in #1144
  • Update @github/copilot to 1.0.39-0 by @github-actions[bot] in #1157
  • Update @github/copilot to 1.0.39 by @github-actions[bot] in #1167
  • Update @github/copilot to 1.0.40-0 by @github-actions[bot] in #1171
  • Document --host for non-loopback headless connections by @SteveSandersonMS in #1174
  • Replace StreamJsonRpc with a custom JSON-RPC implementation in the .NET SDK by @stephentoub in #1170
  • Update @github/copilot to 1.0.40-1 by @github-actions[bot] in #1177
  • Update @github/copilot to 1.0.40-3 by @github-actions[bot] in #1182
  • Update @github/copilot to 1.0.40 by @github-actions[bot] in #1183
  • Derive session event envelopes from schema by @stephentoub in #1184
  • Expand E2E test coverage across all 4 SDKs by @stephentoub in #1186
  • docs: replace non-existent Docker image with build instructions by @patniko in #1189
  • docs(python): clarify available_tools/excluded_tools filter all tools, not just built-ins by @loganrosen in #1180
  • Add instructionDirectories session config support by @stephentoub in #1190
  • Support optional connection token for TCP servers by @SteveSandersonMS in #1176
  • feat: add copilotHome option for configurable data directory by @patniko in #1191
  • Refine version update logic to allow arbitrary identifiers (e.g., "beta", not just "preview") by @SteveSandersonMS in #1193
  • Update @github/copilot to 1.0.41-0 by @github-actions[bot] in #1195
  • Stabilize unknown session delete E2E assertions by @stephentoub in #1198
  • Expand SDK E2E runtime coverage by @stephentoub in #1197
  • Ignore C# Dev Kit *.csproj.lscache files by @MackinnonBuck in #1196
  • Update byok.md by @patniko in #1203
  • Make agent reload test runtime-compatible by @stephentoub in #1201
  • Add offline GitHub proxy for E2E tests by @stephentoub in #1199
  • Update @github/copilot to 1.0.41-1 by @github-actions[bot] in #1202
  • Harden Extension E2E Tests With --yolo For Permission Gate Compatibility by @MRayermannMSFT in #1204
  • Fix .NET client startup cleanup race by @stephentoub in #1206
  • Avoid shell kill cwd cleanup flakes by @stephentoub in #1207
  • Add provider model and token limit overrides to ProviderConfig by @MackinnonBuck in #966
  • Add Rust SDK (technical preview) by @tclem in #1164
  • Update @github/copilot to 1.0.42 by @github-actions[bot] in #1211
  • Align Rust SDK public surface by @stephentoub in #1212
  • Internalize env_value_mode (cross-SDK parity) by @tclem in #1215
  • feat: add remote session support across all SDKs by @patniko in #1192
  • Fix .NET E2E event capture race by @stephentoub in #1221
  • Update @github/copilot to 1.0.43 by @github-actions[bot] in #1218
  • Add SDK tracing diagnostics by @stephentoub in #1217
  • Add enableSessionTelemetry session option across SDKs by @stephentoub in #1224
  • Update @github/copilot to 1.0.44-2 by @github-actions[bot] in #1225
  • Docs normalization for the SDK -> Docs pipeline by @sunbrye in #1208
  • Use string enums for .NET session events by @stephentoub in #1226
  • Restore mode handler APIs across SDKs by @stephentoub in #1228
  • feat(rust): support binary tool results by @cschleiden in #1222
  • Disable CI workflows on forked repositories by @IeuanWalker in #1232
  • Default release publishing to prerelease by @Copilot in #1233
  • Fix SDK documentation typos by @stephentoub in #1235
  • Unify Rust SDK release with publish.yml workflow by @tclem in #1237
  • Update @github/copilot to 1.0.44-3 by @github-actions[bot] in #1239
  • Replace Go RPC quicktype generation by @qmuntal in #1234
  • fix(go): capture CLI stderr and fix SetProcessDone race by @claudiogodoy99 in #863
  • Handle empty session fork behavior in E2E tests by @stephentoub in #1247
  • Add Go reference badge to README by @qmuntal in #1253
  • Expand Rust E2E coverage by @stephentoub in #1250
  • Add Maven Central badge to README by @brunoborges in #1254
  • Update README and guide for Rust SDK by @stephentoub in #1259
  • Fix C# listFiles E2E ordering assumption by @stephentoub in #1261
  • Update @github/copilot to 1.0.45 by @github-actions[bot] in #1263
  • Generate typed Go union interfaces by @qmuntal in #1252
  • Use z-prefixed Go generated files by @qmuntal in #1268
  • Support experimental schema types in codegen by @stephentoub in #1267
  • Normalize skill context replay snapshots by @stephentoub in #1269
  • Update @github/copilot to 1.0.46 by @github-actions[bot] in #1270
  • Temporarily use beta versions for "latest" dist-tag by @SteveSandersonMS in #1283
  • Fix codegen identifier sanitization by @stephentoub in #1285
  • Update @github/copilot to 1.0.47 by @github-actions[bot] in #1286
  • Derive Default on generated Rust types by @tclem in #1272
  • Generate Go bool discriminated unions by @qmuntal in #1284
  • Update @github/copilot to 1.0.48-1 by @github-actions[bot] in #1288
  • Share generated schema definitions across SDKs by @stephentoub in #1289
  • Hide deprecated APIs where supported by @stephentoub in #1293
  • Use schema descriptions in generated SDK docs by @stephentoub in #1291
  • Update @github/copilot to 1.0.48 by @github-actions[bot] in #1292
  • Add remote_session field to all SDK SessionConfig types by @devm33 in #1295
  • Fix shared schema comparison for Go codegen by @stephentoub in #1304
  • Update @github/copilot to 1.0.49-0 by @github-actions[bot] in #1305
  • Update @github/copilot to 1.0.49-1 by @github-actions[bot] in #1307
  • feat: add model field to CustomAgentConfig across all SDKs by @patniko in #1309
  • Fix Python Quick Start example to compile with current SDK by @stephentoub in #1310
  • Fix Python session.send docs examples by @stephentoub in #1312
  • Consolidate ask_user E2E snapshots into single canonical folder by @stephentoub in #1311
  • Stabilize compaction E2E tests by @stephentoub in #1314
  • Harden permission-reject E2E tests across all SDKs (#1194) by @stephentoub in #1317
  • Honor preinstalled CLI path in .NET MSBuild targets (#921) by @stephentoub in #1318
  • Add netstandard and net10 targets to C# SDK by @stephentoub in #1320
  • Fix some argument validation in C# by @stephentoub in #1322
  • Add .NET CopilotTool helper by @stephentoub in #1321
  • Add cloud session config support by @tiagonbotelho in #1306
  • Fix sub-agent hook propagation: expose sessionId on hook inputs by @SteveSandersonMS in #1290
  • Make tool callbacks optional across SDKs by @stephentoub in #1308
  • Fix permission handler kinds in SDK docs and samples (#1133) by @stephentoub in #1315
  • Use 32-bit types for bounded schema integers by @stephentoub in #1329
  • Seal generated session event types by @stephentoub in #1330
  • Propagate experimental RPC markers through generated types by @stephentoub in #1331
  • Clean up more argument validation by @stephentoub in #1328
  • Update @github/copilot to 1.0.49-6 by @github-actions[bot] in #1327
  • Update @github/copilot to 1.0.49 by @github-actions[bot] in #1333
  • Export generated session event types by @stephentoub in #1316
  • Fix .NET E2E auth setup by @stephentoub in #1334
  • Add enum value descriptions to generated docs by @stephentoub in #1336
  • Add SessionFs sqlite support for runtime sqlite routing by @SteveSandersonMS in #1299
  • Fix Python from_dict() round-trip for optional fields with schema defaults by @stephentoub in #1313
  • Fix hook snapshot for runtime replay by @stephentoub in #1337
  • Emit regex attributes from C# codegen by @stephentoub in #1338
  • Strip Ms suffix for duration properties by @stephentoub in #1339
  • Update @github/copilot to 1.0.51-1 by @github-actions[bot] in #1340
  • Update @github/copilot to 1.0.51-2 by @github-actions[bot] in #1342
  • Fix flaky Should_Accept_Both_MCP_Servers_And_Custom_Agents test by @stephentoub in #1346
  • Add Rust (and C#) to SDK language lists across docs by @stephentoub in #1349
  • Make MCPStdioServerConfig.args optional across all SDKs by @stephentoub in #1347
  • Publish .snupkg symbols package to NuGet.org by @stephentoub in #1345
  • Update @github/copilot to 1.0.51-3 by @github-actions[bot] in #1351
  • Update @github/copilot to 1.0.51 by @github-actions[bot] in #1353
  • C# API review fixes by @SteveSandersonMS in #1343
  • Enable .NET E2E tests to run on .NET Framework (net472) by @stephentoub in #1358
  • TypeScript SDK API review fixes by @SteveSandersonMS in #1357
  • Fix flaky pending-messages-modified E2E test across SDKs by @stephentoub in #1362
  • Go SDK API review fixes by @SteveSandersonMS in #1360
  • Add java to monorepo: Phase 02: code and test CI. by @edburns in #1348
  • Bump org.apache.maven.plugins:maven-enforcer-plugin from 3.6.2 to 3.6.3 in /java in the java-maven-deps group by @dependabot[bot] in #1365
  • Update @github/copilot to 1.0.52-0 by @github-actions[bot] in #1370
  • Update @github/copilot to 1.0.52-1 by @github-actions[bot] in #1371
  • Add preMcpToolCall hook support to all SDKs by @stephentoub in #1366
  • Rust SDK API review fixes by @SteveSandersonMS in #1367
  • Python SDK API review fixes by @SteveSandersonMS in #1376
  • Add runtime_instructions system message section to all SDKs by @stephentoub in #1377
  • Cross-SDK cleanup follow-ups from PR #1376 by @SteveSandersonMS in #1378
  • Rust SDK: PR #1367 review follow-ups by @SteveSandersonMS in #1382
  • Fix flaky SDK E2E tests by @stephentoub in #1379
  • C# SDK: re-land x-opaque-json → JsonElement mapping with object boundary at RPC params by @SteveSandersonMS in #1359
  • Implement phase 03 of merge to monorepo plan by @edburns in #1369
  • Fix .NET package version props generation by @stephentoub in #1387
  • Rust SDK: bundle Copilot CLI by default by @SteveSandersonMS in #1385
  • Add Java-specific content to monorepo copilot-instructions.md by @edburns in #1391
  • Java SDK: sync reference implementation to ^1.0.52-1, add preMcpToolCall hook, fix PingResponse timestamp type by @edburns in #1389
  • Update @github/copilot to 1.0.52-4 by @github-actions[bot] in #1393
  • Update @github/copilot to 1.0.52 by @github-actions[bot] in #1405
  • Update @github/copilot to 1.0.53-2 by @github-actions[bot] in #1408
  • Add SDK canvas runtime support by @jmoseley in #1401
  • Update @github/copilot to 1.0.53 by @github-actions[bot] in #1410
  • Update @github/copilot to 1.0.54 by @github-actions[bot] in #1411
  • Update @github/copilot to 1.0.55-0 by @github-actions[bot] in #1412
  • Bump brace-expansion from 5.0.5 to 5.0.6 in /scripts/docs-validation in the npm_and_yarn group across 1 directory by @dependabot[bot] in #1325
  • C# codegen: add isOpaqueJson guard to resolveRpcType by @SteveSandersonMS in #1414
  • Update vulnerable npm lockfile dependencies by @stephentoub in #1415
  • Fix flaky SDK E2E tests by @stephentoub in #1418
  • Change title from 'GitHub Copilot SDK documentation' to 'Copilot SDK' by @sunbrye in #1386
  • Add cross-SDK RPC E2E coverage by @stephentoub in #1424
  • SDK: Align canvas with codegen pipeline, add e2e tests by @SteveSandersonMS in #1413
  • Preserve JSON-RPC error data in .NET by @stephentoub in #1425
  • Add post-tool-use failure hooks by @stephentoub in #1421
  • Fixes #1434 Repackaging. by @edburns in #1437
  • Update @github/copilot to 1.0.55-1 by @github-actions[bot] in #1432
  • Add MessageOptions.agentMode and fix per-message mode misuse by @MRayermannMSFT in #1438
  • Update @github/copilot to 1.0.55-4 by @github-actions[bot] in #1453
  • Remove test/scenarios and scenario-builds CI by @patniko in #1448
  • Add extract-to-cache build mode for the Copilot CLI by @tclem in #1450
  • Move java to monorepo. Phase 05: Cross-Cutting Updates by @edburns in #1441
  • Update @github/copilot to 1.0.55-5 by @github-actions[bot] in #1456
  • Multitenancy hardening: Client Mode by @SteveSandersonMS in #1428
  • Refactor Rust SDK errors to use structs with a kind() method by @heaths in #1400
  • Use jsoncreator for AgentMode ctor, per review comments. by @edburns in #1465
  • Update @github/copilot to 1.0.55-6 by @github-actions[bot] in #1471
  • Port copilot-sdk-java PR #232: reference-impl-sync with EMPTY mode fixes by @edburns in #1473
  • Move Java to monorepo: Phase 06: Cutover and Cleanup by @edburns in #1472
  • Add from github/copilot-sdk-java#233 by @edburns in #1475
  • Add displayPrompt support to session.send across all SDKs by @devm33 in #1470
  • Update @github/copilot to 1.0.55-7 by @github-actions[bot] in #1476
  • Defer sessionId to server for cloud sessions by @stephentoub in #1479
  • Re-invalidate build.rs when extracted CLI cache is removed by @tclem in #1480
  • Canvas SDK: post-merge review followups (PR #1401) by @jmoseley in #1420
  • feat: add MCP Apps (SEP-1865) support by @mattdholloway in #1335
  • Config parity across SDKs: add largeOutput, pluginDirectories, spell out Directory by @stephentoub in #1482
  • feat: add mcpOAuthTokenStorage support across all SDKs by @MackinnonBuck in #1326
  • Integrate Bruno's PR 1478 with Ed's desired CI/CD changes by @edburns in #1483
  • Update @github/copilot to 1.0.55 by @github-actions[bot] in #1484
  • Track live open canvas snapshots by @jmoseley in #1447
  • Update @github/copilot to 1.0.56-0 by @github-actions[bot] in #1485
  • feat: add granular per-session flags for multitenancy hardening by @MackinnonBuck in #1474
  • Apply review comments from standalone backport. by @edburns in #1486
  • Update @github/copilot to 1.0.56-1 by @github-actions[bot] in #1488
  • Coordinate Copilot CLI stderr pump cleanup by @xoofx in #1136
  • Skip JaCoCo (always fails on main) by @SteveSandersonMS in #1492
  • Expose install_bundled_cli and HAS_BUNDLED_CLI in the Rust SDK by @tclem in #1489
  • Expose enableOnDemandInstructionDiscovery across all SDK SessionConfig types by @examon in #1323
  • Edburns/fix jacoco failure on main by @edburns in #1497
  • Update to use correct package name for generated by @edburns in #1499
  • Plumb Extension SDK Path Through Session Create And Resume by @MRayermannMSFT in #1494
  • Update Java JaCoCo coverage badge by @github-actions[bot] in #1500
  • Update @github/copilot to 1.0.56-2 by @github-actions[bot] in #1495
  • Add typed context tier support by @stephentoub in #1503
  • Add path-filtered CodeQL workflow for content-specific analysis by @Copilot in #1444
  • Fixes #1443: per-language CodeQL targeting by @edburns in #1510
  • Add reflection-based Jackson round-trip test for all generated types by @edburns in #1509
  • On branch edburns/ghcp-sp-122-java-release-improvements by @edburns in #1512
  • Edburns/ghcp sp 122 java release improvements by @edburns in #1514
  • Update @github/copilot to 1.0.56 by @github-actions[bot] in #1504
  • Fix Go session event attachment aliases by @dmytrostruk in #1515
  • Bump tar from 0.4.45 to 0.4.46 in /rust in the cargo group across 1 directory by @dependabot[bot] in #1505
  • Update @github/copilot to 1.0.57-2 by @github-actions[bot] in #1517
  • Update @github/copilot to 1.0.57-3 by @github-actions[bot] in #1519
  • docs: refresh for GA; add cloud sessions, fleet mode, multi-tenancy guides by @patniko in #1481
  • Java: Make it so slash command responses are accessible via RPC by @edburns in #1520
  • fix(python): derive version from package metadata; align Node version sentinel by @stephentoub in #1521
  • Update @github/copilot to 1.0.57-4 by @github-actions[bot] in #1522
  • Map session.mcp.apps.callTool result to JsonNode and harden mvn clean by @edburns in #1523
  • Add documentation site generation for Java SDK by @edburns in #1524
  • Use JAVA_RELEASE_GITHUB_TOKEN for site deploy trigger by @edburns in #1525
  • Consolidate Go initialism casing by @qmuntal in #1527
  • Preserve empty Go slices and maps in JSON by @qmuntal in #1528
  • Fix GitHub brand casing in SDK public surface by @stephentoub in #1531
  • Update @github/copilot to 1.0.57 by @github-actions[bot] in #1534
  • fix(nodejs): Map suppressResumeEvent to disableResume on the wire by @willglas in #1529
  • Remove 'generated' from public API in Python and Rust by @SteveSandersonMS in #1535
  • Bump vitest from 3.2.4 to 4.1.0 in /scripts/corrections in the npm_and_yarn group across 1 directory by @dependabot[bot] in #1537
  • go: preserve tri-state session flags by @qmuntal in #1536
  • De-flake builtin_tools E2E tests with a longer send timeout by @stephentoub in #1538
  • Update java README with accurate validation steps by @edburns in #1541
  • Java SDK: Update @github/copilot dependency to ^1.0.57 by @edburns in #1546
  • Edburns/remove pr 1524 test java publish update notes to point to docs by @edburns in #1543
  • java: disable ModeHandlersTest pending snapshot re-recording (#1547) by @edburns in #1548
  • Refine Go SDK pre-GA API surfaces by @qmuntal in #1549

New Contributors

Full Changelog: v0.3.0...v1.0.0


2.8.11


Pipelines: fix nuget stage CodeSign failure on in-repo .ps1 scripts (…


Building the next generation of devices for developers: Surface RTX Spark Dev Box

Software developers are some of the most ambitious makers we serve. They push devices harder, ask more of their tools and expect their environment to help define the pace of modern software creation. Development today means longer running jobs, larger models and a growing need to prototype and iterate locally rather than paying for every cloud call.

That is why we embarked on a project to build two new Surface devices designed specifically for the needs of these makers. Earlier this week, we introduced Surface Laptop Ultra, a high-performance laptop built for developers, creators and technical professionals who need serious performance wherever they work. Today at Microsoft Build, we are introducing Surface RTX Spark Dev Box, a compact developer PC engineered with the NVIDIA RTX Spark superchip and built on the Windows developer platform, designed for local-first AI development. Surface RTX Spark Dev Box is for developers who want to prototype, fine-tune and run capable models on their desk, and reach for the cloud when the work calls for it.

Together, Surface Laptop Ultra and Surface RTX Spark Dev Box represent the next step for Surface: purpose-built devices for the people building what’s next.

https://youtu.be/VlAI1_JkXL4?si=t7VDdKcaaxgdXBDW

A new category of Surface, built for developers

The way developers build software is fundamentally changing. AI models are growing in capability and complexity, agentic workflows demand sustained compute, and every iteration can incur cloud costs, even when the work doesn’t require state-of-the-art models. Surface RTX Spark Dev Box changes that equation. It’s a purpose-built Windows AI developer box that puts up to 1 petaflop of AI compute directly on the desk. By bringing powerful AI compute to the edge, developers can reserve frontier model calls for truly frontier problems and handle the rest on their own hardware. The result is a development workflow that can be more efficient and responsive, with developers in control of where their compute dollars go.

Sustained AI performance in a compact form factor

At the heart of this new developer machine is the NVIDIA RTX Spark superchip, combining a powerful NVIDIA Blackwell RTX GPU and an ultra-efficient NVIDIA Grace CPU to deliver up to 1 petaflop of AI compute with 128 GB of unified memory. That’s enough compute power to run 120B+ parameter models with 1 million token context locally at interactive speeds or fine-tune models that previously required cloud GPU instances [i]. With an aluminum chassis engineered to double as a heatsink, Surface RTX Spark Dev Box is designed for the workloads that matter most to developers: long-running training jobs, large model inference and complex agentic pipelines that benefit from consistent, sustained performance.

Built for the tools and workflows developers already use, out of the box

Surface RTX Spark Dev Box ships with Windows 11 Pro pre-configured for developers at the image level. This brings a purposeful set of defaults, preinstalled tools and tuned settings so the development environment is the default from first sign-in.

The setup keeps developers in their workflow: dark theme, taskbar simplified for development, Widgets removed, Do Not Disturb on. Developer Mode is enabled. PowerShell 7 is the default shell. Under the hood, WSL 2 is configured with GPU passthrough and CUDA support. VS Code, GitHub Copilot, Git, Python and Node.js are installed. Your favorite IDEs, agents, coding assistants, frameworks and libraries all work on Surface RTX Spark Dev Box, whether you prefer the Windows side or WSL.

Surface RTX Spark Dev Box is also a world-class entry point to the rest of the Microsoft AI stack. AI Toolkit for VS Code brings model conversion, fine-tuning and evaluation into the editor developers already use. Windows ML with TensorRT and Windows Copilot Runtime give you a consistent local inference surface. Microsoft Foundry connects local prototyping to production deployment, so the model you tune locally ships through the same tools and identity you use every day. GitHub Copilot scales from CLI to enterprise on the same machine. That is what we mean by best Microsoft experience for developers: the local box, the OS, the developer tools and the cloud platform working as one stack.

Secure by design

For developers working with sensitive models, proprietary data and valuable IP, security isn’t optional. It’s foundational. The powerful GPU and unified memory let developers keep more of their models, data and IP local. Surface RTX Spark Dev Box is built on chip-to-cloud security aligned with Microsoft’s Zero Trust principles:
  • Secured-core PC architecture
  • BitLocker encryption
  • Microsoft Defender protection
For organizations, Surface RTX Spark Dev Box integrates with Entra ID and Intune for management and governance at scale.

With Surface Laptop Ultra and Surface RTX Spark Dev Box, we’re expanding the Surface line with two products built specifically for makers. Surface Laptop Ultra is built for high-performance work that moves with you, from compiling and debugging to creative production and AI experimentation, while Surface RTX Spark Dev Box is built for the local compute developers need when models, agents and long-running workloads belong on the desk. Different form factors, same direction: giving developers the best option and more choice in where and how they build.

Surface RTX Spark Dev Box will be available later this year in the U.S. exclusively on Microsoft.com. Learn more at microsoft.com/devbox [ii].

[i] Source: NVIDIA. Based on 1 Theoretical FP4 TOPS using the sparsity feature.

[ii] Microsoft Surface RTX Spark Dev Box and Surface Laptop Ultra are pre-release products. Products and features are subject to regulatory certification/approval; actual sale and delivery is contingent on compliance with applicable requirements.

Windows platform security for AI agents


Making Windows the trustworthy OS for agents

AI agents are no longer just answering questions; they are taking actions across systems with increasing autonomy. As they become persistent participants in how software runs, they introduce new risk to control and trust, challenging the security assumptions that have defined computing for decades. Developers are building agents that read files, invoke services, modify environments and chain operations together at increasing speed. That capability is powerful, but it raises a critical question: how do you ensure these systems remain trustworthy when they operate autonomously, at scale, on real data?

This shift changes what developers, IT and security teams need from the platform. Security for agents must be built into the foundation by design so they can be developed, deployed and governed with confidence. When that foundation is in place, organizations can scale agent adoption while maintaining control and trust. Containment, identity and manageability are built as foundational primitives in Windows, extending security beyond the app and model into the OS.

We’ve previously shared the principles guiding how we secure agent workflows on Windows. Then in May we announced how Microsoft Agent 365 was expanding its capabilities, including the ability to discover and manage local agents on Windows, starting with OpenClaw agents and expanding soon to other widely used agents like GitHub Copilot CLI and Claude Code. We also announced that "beyond monitoring, organizations will be able to apply policy-based controls to set guardrails for what agents are allowed to do."

At Build 2026 we are sharing an update on how Agent 365 and Windows are working together to provide those capabilities with the introduction of Microsoft Execution Containers (MXC) SDK. For developers, Windows will provide the building blocks needed to implement agents that are more secure on both consumer and enterprise systems. For IT teams looking to balance deploying agents at scale while managing risks, Agent 365 and Windows provide the observability, governance and security capabilities that are critically needed.

Policy-based controls

Containment bounds what agents can access and do, so non-deterministic behavior doesn’t translate into uncontrollable risk. Unlike traditional applications, agent behavior is dynamic and often generated at runtime. The agent often uses models to generate complex code for each prompt that can read, act and chain multiple operations. Containment ensures agents can do useful work without being granted the full authority of the user’s session.

The Microsoft Execution Containers (MXC) SDK

To contain agent impact without limiting productivity gains, we’re introducing an early preview of the Microsoft Execution Containers (MXC) SDK, a cross-platform, policy-driven execution layer for agents on Windows and WSL. Developers define what to constrain in their apps and agents, and Windows enforces those constraints consistently at runtime through MXC. MXC provides an abstraction layer across isolation primitives, so developers do not have to manage low-level isolation details.

The composable sandbox and containment spectrum

The composable sandbox is how Windows applies isolation and containment in practice, with MXC as the control surface for developers. The same policy model and SDK can map to different isolation constructs depending on the workload and containment requirements. A coding agent and an enterprise data-processing agent may not need the same guardrails, but they do need one coherent trust story. The composable sandbox delivers the flexibility and control that developers and IT need. Agent 365's policy-based controls with Microsoft Entra and Intune will be used to apply those MXC constraints to a specific agent. Windows supports a range of containment options so that guardrails can match the nature and risk of the workload. Additional functionality and security enhancements will be added to subsequent releases. The following will be released in early preview shortly after Build to meet the needs of the agent ecosystem:

Process isolation

Windows is simplifying how developers enable process isolation for agents. Process isolation provides fast, lightweight containment within the user’s environment for scenarios like running model-generated code within a dedicated process boundary that restricts access to files and network domains outside defined policy. It is ideal for use cases like coding agents where the developer inner loop must stay responsive. GitHub Copilot CLI has adopted MXC process isolation to constrain what dynamically generated and executed code can do. We are excited to share the results of this deep partnership between Windows and GitHub with our shared customers.

Session isolation

Workloads that span large numbers of long-running processes, or ones that need their own resources, like a desktop to run automation, may find process isolation overly limiting. Sessions in Windows separate the agent’s execution from the human user’s environment, such as the interactive desktop, clipboard, UI, input devices and active sessions. This mitigates UI spoofing, input injection and cross-session data leakage, and is suited for sustained workflows that run alongside the user’s own work.

Sessions in Windows run with distinct user accounts, which enables isolation. Windows assigns a local ID or a cloud-provisioned identity backed by Entra and attributes all activity from the container to that identity, so you can clearly differentiate human from agent. MXC session isolation paired with a unique local ID on Windows enables precise control, least-privilege access and full auditability. Access policies can be applied to Windows session isolation so agents run independently with controlled local access and full lifecycle governance managed through Microsoft Entra and Intune in the cloud. Teams can use Intune policies to require MXC isolation with guardrails such as filesystem rules. Our initial release will support non-interactive sessions, with additional capabilities targeted for future releases.

As agents evolve, we are continuing to expand MXC containment capabilities and invite developers and the broader ecosystem to share feedback, including through engagement with the project on GitHub. Some other MXC containment capabilities currently on our roadmap are:

Micro-VM

Research at the cutting edge of agent security shows how LLMs are developing capabilities around escaping sandboxes. Is there a way to provide the desirable properties of process isolation like low overhead with a stronger isolation boundary? Micro-VMs that use hardware-backed isolation via the hypervisor with lightweight images can be well suited for higher-risk workloads. The micro-VM construct raises the bar against sandbox escapes by using a hypervisor while facilitating higher density than is possible with full VMs. They are desirable for agents processing sensitive data or running untrusted external code.

Linux containers

Linux containers will bring the containment model to Linux-first agent toolchains via WSL. This enables compatibility with Linux ML frameworks and package ecosystems with OS-enforced boundaries.

MXC integration for cloud VM Windows 365 for Agents

Windows 365 for Agents, now generally available, extends containment beyond the local device. The agent runs in an Intune-managed Cloud PC, fully separate from the user’s machine. If the agent is compromised, the impact is contained to a disposable cloud instance. It is suited for enterprise-managed agent fleets with centrally provisioned policy and compliance. To learn more, check out our Windows 365 blog.

With the future addition of MXC integration, Windows 365 for Agents will scale from lightweight local isolation to stronger hardware-backed boundaries through a single SDK and policy model. With the combination of these new Windows capabilities and Agent 365, Microsoft is continuing to expand its full-stack offering to help enterprises observe, govern, and secure their agents.

Innovating with partners in the ecosystem

We are partnering with leading innovators in the industry like Hermes, Manus, NVIDIA, OpenAI and OpenClaw to ensure the containment we are building supports real developer needs. OpenClaw now runs the node and gateway securely on Windows leveraging MXC. You can use the new Windows companion app to easily set up your own claws or connect to existing ones. NVIDIA brings OpenShell to Windows, built on MXC. Integrating MXC via OpenShell gives developers an easy-to-deploy package for running autonomous, always-on agents safely. Hermes Agent will be integrating OpenShell and MXC in their new Windows application.

“Continuously running local agents, like Hermes Agent, require intentional isolation. Developers need control over what an agent can access and trust that those controls will hold,” said Dillon Rolnick, CEO of Nous Research. “Microsoft Execution Containers (MXC), integrated with OpenShell, provides a policy-driven foundation for private, on-device agents on Windows.”

“Working with Microsoft on the Microsoft Execution Containers (MXC) allows us to explore new patterns for AI agents to safely and efficiently generate and execute code. By combining Codex's capabilities with MXC's execution environment, we aim to help developers move from intent to reliable execution faster, while maintaining the security and control enterprises need,” said David Wiesen, Member of Technical Staff, OpenAI.

“Manus is built to help users move from intent to completed work across tools, files, code and workflows,” said Tao Zhang, Chief Product Officer. “With Microsoft Execution Containers (MXC), Windows gives developers a policy-driven way to define what an agent can access and enforce those boundaries at runtime, so more autonomous agents can operate safely in enterprise environments.”

Built on a secure foundation by design

This agentic security model runs on a Windows platform designed to reduce risk by default. Decades of investment in Windows provide the foundation for everything running on top of it, including agentic security capabilities. Under the Secure Future Initiative, continuously strengthening this foundation remains a company-wide priority.

Windows reduces the attack surface and raises the security baseline by default, so agents inherit that protection without additional work. It shows up in capabilities like passwordless sign-in with passkeys, Hotpatch updates without restarts, production drivers written in Rust to reduce memory-safety vulnerabilities and post-quantum cryptography in Insider builds. Secure Boot enforces a hardware root of trust on every startup. Defender provides real-time protection against prompt injection and other emerging agent threats. It uses advanced scanning engines and continuously updated intelligence to detect and respond to attacks. These protections are available to all Windows customers, including consumers using Windows Defender as their primary antivirus.

Enterprise manageability has been a longstanding platform capability that IT and security teams depend on Windows to provide. Agent 365 now provides native integration of observability, governance and security capabilities for agents running on Windows OS environments, like MXC and Windows 365 for Agents, so agents running on Windows can start secure and stay secure. Windows will continue to raise the bar for platform security with capabilities like our recently announced Baseline Security Mode. Together, these investments help provide the secure foundation on which trustworthy agentic computing is built.

Start building secure agents today

The value of an agent is not just what it can do, but whether it can be trusted in production. Windows enables agents that are secure, governable and ready for real-world deployment. Many of these capabilities are available today in Windows Insider builds, with more coming through our developer preview program. Windows continues to evolve so developers and organizations can move fast on AI while maintaining trust and security. We are excited to see what you build. To get started: