Windows 365 for Agents: A Secured Execution Environment for AI Agents

Enterprise AI agents are moving past chat and API calls into full computer use: clicking, typing, and navigating applications the way a human employee does. That shift creates a governance problem. Where, exactly, does an agent run, and under whose policy? Microsoft’s answer, detailed in a recent Windows IT Pro Blog post, is Windows 365 for Agents, a Cloud PC service built specifically to give AI agents a secured, managed place to execute work.

The problem: agents running on infrastructure nobody governs

Many production systems that enterprises depend on, including legacy line-of-business applications and multistep operational workflows, were never built with APIs. The work happens through a user interface, where context and intent are conveyed visually rather than through a callable endpoint. To act on that work, an agent needs to operate a computer directly.

Today, that often means agents run on local machines, shared virtual machines, or unmanaged cloud infrastructure. IT and security teams lose consistent identity enforcement, policy application, and audit visibility in the process, which is exactly what makes it hard to move agentic pilots into production at enterprise scale.

What Windows 365 for Agents actually provides

Windows 365 for Agents is a purpose-built, IT-managed Cloud PC service reserved exclusively for agent workloads, running on isolated, enterprise-managed compute. Rather than sharing a machine with a human user or living on unmanaged infrastructure, each agent gets a dedicated execution environment. Microsoft frames this as five layers of protection working together.

  • Distinct agent identity through Microsoft Entra ID, establishing a Zero Trust foundation separate from human user accounts
  • Agent-only Cloud PCs that reduce the risk of privilege escalation, accidental human-agent crossover, and lateral movement across shared accounts
  • Microsoft Intune management, enforcing the same consistent security posture used for human-assigned devices
  • Identity-aware, real-time network protection through Global Secure Access
  • Governance and visibility supplied by Microsoft Agent 365

Entra Conditional Access ties access to compliance. Agents can reach organizational resources only when the Cloud PC they are running on meets the organization’s security requirements, extending the same Zero Trust rigor applied to human users to agent identities as well.

Where governance actually lives: Agent 365 as the control plane

It is worth being precise about the division of labor here, because it maps directly onto how Power Platform admins already think about environment strategy. Windows 365 for Agents is the execution environment. Microsoft Agent 365 is the governance and control plane that defines what an agent is permitted to do and how its work fits organizational policy. Windows 365 for Agents is exposed as a model context protocol server inside Agent 365, and telemetry from agent activity flows into Microsoft Defender and Microsoft Purview, the same tools security teams already rely on for human identity and data protection.

Practically, that gives security administrators a single place to discover Agent 365-enabled agents across the estate, apply threat detection and investigation workflows through Defender, and evaluate how agents interact with sensitive data through Purview’s Data Security Posture Management for AI. Governance, in other words, is not bolted onto the execution layer after the fact. It is wired in from the start.

Why this matters for Copilot Studio and Power Platform teams

For anyone building or governing Copilot Studio agents, this is the missing execution layer for computer-use scenarios: automating tasks in applications that have no API surface at all. Microsoft has already put its own agent experiences on this infrastructure, including computer-use automation inside Copilot Studio and Researcher’s computer-use capability in Microsoft 365 Copilot, and a set of third-party agent makers are building on it as well.

For governance-minded admins, the practical takeaway is that Windows 365 for Agents extends familiar controls (Entra ID, Intune, Conditional Access, Defender, Purview) to a new class of identity rather than asking teams to invent a parallel security model for agents. That consistency is the entire pitch: agents should be discoverable, policy-bound, and auditable using the same governance muscle already built for human users, not treated as a special case that quietly expands the attack surface.

What to verify before you plan around it

Windows 365 for Agents entered public preview earlier this year, initially limited to the United States, with broader platform updates announced at Microsoft Build 2026. Availability regions, licensing structure, per-agent Cloud PC pricing, and general availability timing are all details that move quickly in a preview product. Before including specific figures in any customer-facing plan, confirm current terms directly against Microsoft’s Windows 365 for Agents documentation and the Windows IT Pro Blog, since preview-stage offerings are the most likely to change between now and general availability.

Source: Windows 365 for Agents: A secured execution environment for AI agents, Microsoft Windows IT Pro Blog.

Leave a Reply

Discover more from Power Platform Engineer

Subscribe now to keep reading and get access to the full archive.

Continue reading