Microsoft remakes Windows for an era of autonomous AI agents

Microsoft
is fundamentally restructuring its Windows operating system to become what executives call the first “agentic OS,” embedding the infrastructure needed for autonomous AI agents to operate securely at enterprise scale — a watershed moment in the evolution of personal computing that positions the 40-year-old platform as the foundation for a new era of human-machine collaboration.
The company announced Tuesday at its
Ignite conference
that it is introducing native agent infrastructure directly into
Windows 11
, allowing AI agents — autonomous software programs that can perform complex, multi-step tasks on behalf of users — to discover tools, execute workflows, and interact with applications through standardized protocols while operating in secure, policy-controlled environments separate from user sessions.
The shift is Microsoft’s most significant architectural evolution of Windows since the introduction of the modern security model, transforming the operating system from a platform where users manually orchestrate applications into one where they can “simply express your desired outcome, and agents handle the complexity,” according to Pavan Davuluri, President of Windows & Devices at Microsoft.
“Windows 11 starts with this notion of secure by design, secure by default,” Davuluri said in an exclusive interview with VentureBeat. “And a lot of the work that we’re doing today, when we think about the engagement we have with our customers, the expectations they have with us is making sure we are building upon the fact that Windows is the most secure platform for them and is the most resilient platform as well.”
The announcements arrive as enterprises are
experimenting with AI agents
but struggling with fragmented tooling, security concerns, and lack of centralized management — challenges that Microsoft believes only operating system-level integration can solve. The stakes are enormous: with Windows running on an estimated 1.4 billion devices globally, Microsoft’s architectural choices will likely shape how organizations deploy autonomous AI systems for years to come.
New platform primitives create foundation for agent computing
At the core of Microsoft’s vision are three new platform capabilities entering preview that fundamentally change how agents operate on Windows.
Agent Connectors
provide native support for the
Model Context Protocol (MCP)
, an open standard introduced by Anthropic that allows AI agents to connect with external tools and data sources. Microsoft has built what it calls an “on-device registry” — a secure, manageable repository where developers can register their applications’ capabilities as agent connectors, making them discoverable to any compatible agent on the system.
“These are platform capabilities that then become available to all of our customers,” Davuluri explained, describing how the Windows file system, for example, becomes an agent connector that any MCP-compatible agent can access with user consent. “We’re able to do this in a fashion that can scale for one but it also allows others to participate in the Windows registry for MCP.”
The architecture introduces an
MCP proxy layer
that handles authentication, authorization, and auditing for all communication between agents and connectors. Microsoft is launching with two built-in agent connectors for File Explorer and System Settings, allowing agents to manage files or adjust system configurations like switching between light and dark mode — all with explicit user permission.
Agent Workspace
, entering private preview, represents perhaps the most significant security innovation. It creates what Microsoft describes as “a contained, policy-controlled, and auditable environment where agents can interact with software” — essentially a parallel desktop session where agents operate with their own distinct identity, completely separate from the user’s primary session.
“We want to be able to have clarity in the identity of the agent that is operating in the local operating system,” Davuluri said, addressing security concerns about agents accessing sensitive data. “We want that session to be a session that is secure, that is policy control, that is manageable, that has transparency and auditability.”
Each agent workspace runs with minimal privileges by default, accessing only explicitly granted resources. The system maintains detailed audit logs distinguishing agent actions from user actions — critical for enterprises that need to prove compliance and track all changes to systems and data.
Windows 365 for Agents
extends this infrastructure to the cloud, turning Microsoft’s Cloud PC offering into execution environments for agents. Instead of running on local devices, agents can operate in secure, policy-controlled virtual machines in Azure, enabling what Microsoft calls “computer-using agents” to interact with legacy applications and perform automation tasks at scale without consuming local compute resources.
Taskbar becomes command center for monitoring AI agents at work
The infrastructure enables significant user interface changes designed to make agents as commonplace as applications. Microsoft is introducing “Ask Copilot on the taskbar,” a unified entry point in preview that combines Microsoft 365 Copilot, agent invocation, and traditional search in a single interface.
Users will be able to invoke agents using “@” mentions directly from the taskbar, then monitor their progress through familiar UI patterns like hover cards, progress badges, and notifications — all while continuing other work. When an agent completes a task or needs input, it surfaces updates through the taskbar without disrupting the user’s primary workflow.
“We’ve evolved and created new UX in the taskbar to reflect the unique needs of agents performing background tasks on your behalf,” said Navjot Virk, Corporate Vice President of Windows Experiences, describing features like progress bars and status badges that indicate when agents are working, need approval, or have completed tasks.
The design philosophy, Virk emphasized, centers on user control. “These experiences are designed to be opt in. We want to give customers full control over when and how they engage with copilots and agents.”
For commercial
Microsoft 365 Copilot
users, the integration goes deeper. Microsoft is embedding Copilot directly into File Explorer, allowing users to ask questions, generate summaries, or draft emails based on document contents without leaving the file management interface. On Copilot+ PCs — devices with neural processing units capable of 40 trillion operations per second — new capabilities include converting any on-screen table into an Excel spreadsheet through the Click to Do feature.
Microsoft bets on open standards against Apple and Google’s proprietary approaches
Microsoft’s embrace of the open
Model Context Protocol
, created by Anthropic, marks a strategic bet on openness as enterprises evaluate competing AI platforms from Apple and Google that use proprietary frameworks.
“Windows is an open platform, and by virtue [of being] an open platform, we certainly have the ability to take existing technologies, evolve, harden, adapt those, but we also allow customers to bring their own capabilities to the platform as well,” Davuluri said when asked about competing with
Apple Intelligence
and Google’s
Android AI for Enterprise
.
The company demonstrated this openness with Claude, Anthropic’s AI assistant, accessing the Windows file system through agent connectors with user consent — one of numerous partnerships Microsoft has secured. Dynamics 365 is using the File Explorer connector to streamline expense reporting, reducing what was previously a 30-minute, dozen-step process to “one sentence with high accuracy,” according to Microsoft’s blog post. Other early partners include
Manus AI
,
Dropbox Dash
,
Roboflow
, and
Infosys
.
“Windows is the platform in which they build upon,” Davuluri said of enterprise customers. “And so our ability to take those existing bodies of work they have, and extend them is the, I think, the least friction way for them to go, learn, adopt, experiment and find ways to [scale].”
Security model enforces strict containment and mandatory user consent
Microsoft’s security model for agents adheres to what it calls ”
secure by default
” policies aligned with the company’s broader
Secure Future Initiative
. All agent connectors registered in the on-device registry must meet strict requirements around packaging and identity, with applications properly packaged and signed by trusted sources. Developers must explicitly declare the minimum capabilities their agent connectors require, and agents and connectors run in isolated environments with dedicated agent user accounts, separate from human user accounts. Windows requires explicit user approval when agents first access sensitive resources like files or system settings.
“We give Windows the ability to go deliver on the security expectations, and then it is auditable at the end of the day,” Davuluri said. “You still want an auditability log that looks similar to perhaps what you use in the cloud. And so all three pieces are built into the design and architecture of Agent Workspace.”
For IT administrators,
Microsoft
is introducing management policies through
Intune
and
Group Policy
that allow organizations to enable or disable agent features at device and account levels, set minimum security policy levels, and access event logs enumerating all agent connector invocations and errors. The company emphasized that agents operate with restricted privileges, with minimal permissions by default and access granted only to explicitly approved resources that users can revoke at any time. 
Post-quantum cryptography and recovery tools address emerging and persistent threats
Beyond agent infrastructure, Microsoft announced significant security and resilience updates addressing both emerging and persistent enterprise challenges.
Post-Quantum Cryptography APIs
are now generally available in Windows, allowing organizations to begin migrating to encryption algorithms designed to withstand future quantum computing attacks that could break today’s cryptographic standards. Microsoft worked closely with the National Institute of Standards and Technology to implement these algorithms.
“We are introducing post quantum cryptography APIs in Windows,” Davuluri said. “For customers who want to be able to do cryptographic encryption in their workloads, they can start taking advantage of these APIs in Windows for the first time. That is a huge step forward for us when we think about the future of windows.”
Hardware-accelerated
BitLocker
will arrive on new devices starting spring 2026, offloading disk encryption to dedicated silicon for faster performance while providing hardware-level key protection. Sysmon functionality is becoming generally available as part of Windows in early 2026, bringing advanced forensics and threat detection capabilities previously available only as a separate download directly into the operating system’s event logging system.
The company also detailed progress on its Windows Resiliency Initiative, launched a year ago following the CrowdStrike incident that disrupted 8.5 million Windows devices globally. New recovery capabilities include Quick Machine Recovery with expanded networking support and Autopatch management, allowing IT to remotely fix devices stuck in Windows Recovery Environment. Point-in-time restore entering preview rolls back devices to earlier states to resolve update conflicts or configuration errors, while Cloud rebuild in preview allows IT to remotely rebuild malfunctioning devices by downloading fresh installation media and using Autopilot for zero-touch provisioning.
Microsoft is also raising security requirements for third-party drivers across the Windows ecosystem. Following updated requirements for antivirus drivers effective April 1, 2025, the company is expanding this approach to other driver classes including networking, cameras, USB, printers, and storage — requiring higher certification standards, adding compiler safeguards, and providing more Windows in-box drivers to reduce reliance on third-party kernel-mode code.
Measured rollout reflects enterprise caution around autonomous software
Microsoft is positioning these updates as essential infrastructure for what it calls ”
Frontier Firms
” — organizations that “blend human ingenuity with intelligent systems to deliver real outcomes.” However, the company emphasized a cautious, opt-in approach that reflects enterprise concerns about autonomous software agents.
“The principles we’re using in designing these new platform capabilities accounts for the reality that we have a very, very broad user base,” Davuluri said. “A lot of the features and capabilities we’re building are opt in capabilities. And so it is our goal to be able to have users find value in the workflow and meet them.”
Virk emphasized the measured approach: “This is more about meeting customers where they are and then taking them on this journey when they are ready. So there’s the optionality, but also having support for it. And really important thing is that they should feel comfortable. They should feel secure.”
Microsoft’s bet is that only operating system-level integration can provide the security, governance, and user experience required for mainstream AI agent adoption. Whether that vision materializes will depend on developer adoption, enterprise comfort with autonomous software, and Microsoft’s ability to balance innovation with the stability that
40 years of Windows
customers expect. After four decades of putting users in control of their computers, Windows is now asking them to share that control with machines.