Security
October 16, 2025

Securing AI agents on Windows

As AI-powered agents become integral to how we work and create, Windows is committed to making these experiences more productive and secure for individuals and enterprises.

Today, we announced new Copilot and agentic experiences that make powerful AI easy on Windows 11. One of the new experiences we introduced is an experimental feature called Copilot Actions. Copilot Actions on Windows 11 builds on our May announcement of Copilot Actions on the web, which allows Copilot to take real actions on your behalf, like booking a table at your favorite restaurant or ordering groceries.

Coming soon to Windows Insiders in Copilot Labs, we’re previewing an experimental mode for Copilot Actions to expand beyond the browser to take actions directly on local files in Windows.

This blog will share how Copilot Actions on Windows is using our new experimental agent workspace to complete tasks for you in a separate, contained environment while keeping you informed and in control.

What is Copilot Actions?

Copilot Actions is an AI agent that completes tasks for you by interacting with your apps and files, using vision and advanced reasoning to click, type and scroll like a human would.

This transforms agents from passive assistants into active digital collaborators that can carry out complex tasks for you to enhance efficiency and productivity – like updating documents, organizing files, booking tickets or sending emails. After you’ve granted the agent access, when integrated with Windows, the agent can take advantage of what you already have on your PC, like your apps and data, to complete tasks for you.

Why security matters

Agentic AI has powerful capabilities today—for example, it can complete many complex tasks in response to user prompts, transforming how users interact with their PCs. As these capabilities are introduced, AI models still face functional limitations in terms of how they behave and occasionally may hallucinate and produce unexpected outputs. Additionally, agentic AI applications introduce novel security risks, such as cross-prompt injection (XPIA), where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation. See Securing the Model Context Protocol: Building a safer agentic future on Windows for more information.

As we begin to build agentic capabilities into Windows, our commitment is to include robust security and privacy controls that empower customers to explore their potential confidently with the support of clear guidance and appropriate guardrails.

Agentic security and privacy principles

Addressing the security challenges of AI agents requires adherence to a strong set of security principles to ensure agents act in alignment with user intent and safeguard their sensitive information. We are establishing a set of durable security and privacy principles that must be met to make use of new agentic capabilities in Windows:

  1. Distinct agent accounts: We are creating the ability for agents in Windows to operate with dedicated agent accounts distinct from the user account on your device. This facilitates agent-specific policy application that can be different from the rules applied to other accounts like those for human users. You can share access to files and other resources to these dedicated agent accounts the same way you do with other users on your device like family or coworkers.
  2. Limited agentic privileges: An agent will start with limited permissions and will only obtain access to resources you explicitly provide permission to, like your local files. There is a well-defined boundary for the agent’s actions, and it has no ability to make changes to your device without your intervention. This access can be revoked at any time.
  3. Operational trust: Agents that integrate with Windows must be signed by a trusted source so that maliciously or poorly behaved agents can be revoked and blocked with a range of defense-in-depth measures like certificate validation and antivirus.
  4. Privacy-Preserving Design: Windows is designed to help agents adhere to Microsoft’s commitments made in the Microsoft Privacy Statement and Responsible AI Standard. Windows will support agents in collecting and processing data only for clearly defined purposes, ensuring transparency and trust. See the Microsoft Privacy Report for detail on our commitments to advancing AI responsibly while safeguarding privacy and other fundamental rights.
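Principle 3 says agents that integrate with Windows must be signed by a trusted source so that certificate validation can block or revoke a misbehaving agent. The following PowerShell script is an added example, not Microsoft's code and not part of the post, of how an administrator could verify that a candidate agent binary carries a valid Authenticode signature from an allowlisted publisher and that the signer's certificate chain still builds with revocation checking. The path `C:\Program Files\ExampleAgent\agent.exe` and the thumbprint in `$TrustedThumbprints` are placeholders; the post names no specific binary or publisher.

```powershell
# Added example (not Microsoft's code): gate an agent binary on a valid,
# allowlisted Authenticode signature before it is permitted to integrate with Windows.
# $AgentPath and the thumbprint below are hypothetical placeholders.
param(
    [string]$AgentPath = 'C:\Program Files\ExampleAgent\agent.exe',
    [string[]]$TrustedThumbprints = @('0000000000000000000000000000000000000000')
)

function Test-AgentSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Trusted
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    # Status is 'Valid' only when the file is signed, the hash matches and the signer is trusted.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = "Signature status: $($sig.Status)" }
    }

    # A valid signature is not enough: the signer must be one we explicitly allow.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($Trusted -notcontains $thumb) {
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = "Signer $thumb is not allowlisted" }
    }

    # Rebuild the chain with online revocation checking so a revoked publisher
    # certificate fails here even though the signature itself still verifies.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chainOk = $chain.Build($sig.SignerCertificate)
    if (-not $chainOk) {
        $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        return [pscustomobject]@{ Path = $Path; Allowed = $false; Reason = "Chain build failed: $reasons" }
    }

    return [pscustomobject]@{ Path = $Path; Allowed = $true; Reason = "Signed by allowlisted publisher $($sig.SignerCertificate.Subject)" }
}

# Usage: run the check and emit the decision; a non-zero exit code lets a
# deployment pipeline or logon script refuse to register the agent.
$result = Test-AgentSignature -Path $AgentPath -Trusted $TrustedThumbprints
$result | Format-List
if (-not $result.Allowed) { exit 1 }
```

The thumbprint allowlist is deliberately checked after `Get-AuthenticodeSignature` reports `Valid`: a file signed by any certificate that chains to a trusted root passes the first check, so the second check is what turns "signed" into "signed by someone we trust". Revocation is tested separately because a cached signature verification can succeed after the publisher's certificate has been revoked; the online chain build is where a blocked agent is actually caught.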

Agent development and AI-related security continue to be a fast-moving field of research, with active participation from Microsoft in partnership with the broader security community. As part of Microsoft’s Secure Future Initiative commitment, helping users, businesses and developers address these challenges is our top priority as people begin to interact with agents as part of their daily workflows.

Security controls

Copilot Actions will put our security and privacy principles into practice, and we will continuously learn and refine our approach as we gather real world feedback from the preview when it becomes available. Four new building blocks have been added to Windows 11 to support this exploration. During the preview period we’ll continue to add more granular security and privacy controls before these features are made broadly available:

  • User control: Copilot Actions is disabled by default and is only enabled when the user toggles on the following Windows setting in Settings > System > AI components > Agent tools > Experimental agentic features.
  • Agent accounts: a separate standard account on your device is provided to agents when acting on your behalf, enabling agent-level authorization and access control.
  • Agent workspace: a contained environment where agents can work in parallel with a human user, enabling runtime isolation and granular permissions. This provides the agent with capabilities like its own desktop while limiting the visibility and access the agent has to the user’s desktop activity. The agent workspace is built on recognized security boundaries that Microsoft will defend in accordance with our longstanding security servicing criteria. For more information on agent workspaces, see Experimental Agentic features – Learn More.
  • User Transparency: a way for users to authorize, monitor and take over agent actions in agent workspace.

More building blocks, like Entra and MSA identity support, will be coming soon.

The applications and actions driven by Copilot Actions run under the agent account instead of the account of the logged-on PC user, which clearly distinguishes the work done by the agent from other actions on the system, like those performed by the PC user. The agent accounts are only provisioned when users enable the agent workspace.

During the experimental preview of Copilot Actions, the agent will have access to a limited set of the user’s local known folders—such as Documents, Downloads, Desktop or Pictures—and other resources that are accessible to all accounts on the system. Only when the user provides authorization can Copilot Actions access data outside of these folders. Standard Windows security mechanisms like access control lists (ACLs) help prevent unauthorized use.
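The two paragraphs above describe the access boundary: the agent runs as a separate standard account, starts with access to a few known folders, and gains anything else only through explicit authorization enforced by ordinary file-system ACLs. The PowerShell below is an added example, not Microsoft's code and not part of the post, showing how a user or administrator can audit which of those known folders carry an explicit ACE for a given account, grant read-only access to one additional folder, and revoke that account's access again. The account name `ExampleAgentAccount` is a placeholder; the post does not give the real agent account's name.

```powershell
# Added example (not Microsoft's code): inspect and adjust what a dedicated agent
# account can reach on the file system. The account name is a hypothetical placeholder.
$AgentAccount = "$env:COMPUTERNAME\ExampleAgentAccount"

# The known folders the post lists for the preview. There is no Downloads entry in
# Environment.SpecialFolder, so that one is built from the profile path.
$KnownFolders = @(
    [Environment]::GetFolderPath('MyDocuments'),
    [Environment]::GetFolderPath('DesktopDirectory'),
    [Environment]::GetFolderPath('MyPictures'),
    (Join-Path $env:USERPROFILE 'Downloads')
)

function Get-AccountFolderAccess {
    # Report, per folder, the explicit ACEs naming the account. Group-derived access
    # (e.g. via Users or Authenticated Users) is not shown here; see the note below.
    param([string[]]$Folders, [string]$Account)
    foreach ($folder in $Folders) {
        $rules = (Get-Acl -Path $folder).Access |
            Where-Object { $_.IdentityReference.Value -eq $Account }
        [pscustomobject]@{
            Folder            = $folder
            HasExplicitAccess = [bool]$rules
            Rights            = ($rules | ForEach-Object { "$($_.AccessControlType): $($_.FileSystemRights)" }) -join '; '
        }
    }
}

function Grant-ReadOnlyAccess {
    # Share one folder with the account the same way you would with another local user:
    # read and execute only, inherited by files and subfolders.
    param([string]$Folder, [string]$Account)
    $acl  = Get-Acl -Path $Folder
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account,
        [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Folder -AclObject $acl
}

function Revoke-AccountAccess {
    # Remove every explicit ACE for the account from the folder, matching the
    # post's statement that granted access can be revoked at any time.
    param([string]$Folder, [string]$Account)
    $acl = Get-Acl -Path $Folder
    $acl.PurgeAccessRules([System.Security.Principal.NTAccount]$Account)
    Set-Acl -Path $Folder -AclObject $acl
}

# Usage: audit the known folders, then grant and revoke access on a hypothetical project folder.
Get-AccountFolderAccess -Folders $KnownFolders -Account $AgentAccount | Format-Table -AutoSize
$Project = Join-Path $env:USERPROFILE 'Projects\Quarterly'   # hypothetical folder
if (Test-Path $Project) {
    Grant-ReadOnlyAccess -Folder $Project -Account $AgentAccount
    Get-AccountFolderAccess -Folders @($Project) -Account $AgentAccount | Format-Table -AutoSize
    Revoke-AccountAccess  -Folder $Project -Account $AgentAccount
}
```

One caveat for anyone using this as an audit: `Get-AccountFolderAccess` only reports ACEs that name the account directly. Resources the post describes as "accessible to all accounts on the system" are typically granted through built-in groups such as Users, so an empty result does not mean the account has no access; for an effective-permissions view, check group membership as well, or use the Effective Access tab in the folder's Advanced Security Settings.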

While Copilot Actions is working, users can monitor its progress, stay informed at every step and take control at any time. When sensitive actions or important decisions are involved, Copilot Actions may request additional user approval to take those specific steps—ensuring their consent and putting them in charge before anything critical happens.

Looking ahead

Security is a continuous commitment. As we expand agentic capabilities in Windows, we will continue to evolve our defenses. With the upcoming preview release of Copilot Actions to Windows Insiders in Copilot Labs, we look forward to gathering valuable feedback that will help us shape the experience further ahead of broader release. Additionally, the Windows platform and its security controls will be available for other developers in private preview soon to test and provide input.

Windows 11 is the most secure version of Windows ever built, and as we enter this new agentic era, our commitment is clear: Windows will be the most secure, trusted, and user-centric platform for agentic computing.

We look forward to sharing more at Microsoft Ignite 2025 in November.