Windows becomes an operating system for AI agents

We all know the basic concept of Microsoft Windows as an operating system. You install apps, click a mouse, and maybe write a few things on the side. That model still exists, but now it sits alongside something fundamentally new: software that works for the user instead of waiting for instructions. AI agents can interpret tasks, make decisions, and perform actions at a level that feels less like a tool and more like a digital colleague.

This change forces a rethinking of what an operating system should do. If agents are to perform tasks that mimic human behavior—retrieving files, changing settings, manipulating applications—Windows must recognize, govern, and contain them. At Ignite 2025, Microsoft previewed some updates in Windows showing the first outlines of this transformation.

I sat down Jatinder Manpartner manager for product management at Microsoft and Divya Venkataramudirector of product marketing management for the Windows developer platform at Microsoft, to talk about the updates and what they mean for both businesses and users.

A new hydraulic layer for interacting with agents

One of the most important pieces in this pivot is native support for the Model Context Protocol. MCP gives agents a standardized way to interact with tools and data sources—critical in an era when AI capabilities are popping up in unexpected places, including a new wave of AI-enabled browsers vying to become the central interface for digital work. As these browsers introduce their own proxying capabilities, it becomes clear that browsing alone is not enough. The operating system must provide stable, secure access points for anything accessing system resources.

Windows takes MCP a step further by introducing a registry on the device of “proxy sockets”—MCP servers that represent specific capabilities, such as file access or system configuration. All calls to these connections flow through an operating system-level proxy that handles authentication, permissions, consent, and control.

As Jatinder explained during our discussion, “This infrastructure cannot be delivered easily by middleware or applications alone, because it requires OS-level integration for security, consent and control.” This comment captures why Microsoft integrates these controls at the platform level rather than leaving them up to individual developers.

Pure possibilities, pure guardrails

The first plugins available in preview focus on two main areas: File Explorer and System Settings. They allow agents to retrieve and organize files or modify settings such as view mode or accessibility features. These are small, familiar tasks—but they show why structure matters. A link advertises what it can do, under what conditions and with what limitations. There’s no obfuscation, no interface scraping, and no guesswork about behaviors.

Windows supports these features with an explicit consent model. Whenever an agent wants to access a connector, the system prompts the user for a clear explanation and options: allow once, always allow, or never allow. It’s a familiar pattern, but it needs to avoid becoming invisible noise like cookie banners and UAC messages do.

Transparency is essential here. A system prompt that tells you exactly what the agent wants and why they want it is much more useful than a blanket permission request. And because every option can be reversed from a central settings page, the model encourages careful experimentation rather than blanket approvals that can’t be undone.

Giving agents a space of their own

One of the most interesting changes is the Agent Workspace—a separate, isolated desktop environment where agents operate under their own identity. Instead of combining their actions with yours, agents run alongside you in a limited session. The operating system can render actions, monitor access, and limit what the agent can access.

The design recognizes an emerging reality: agents behave less like traditional software and more like autonomous actors. They can perform tasks faster than humans and sometimes more aggressively than expected. A misinterpreted instruction can lead to unintended consequences. The Gini Problem—where an agent fulfills the literal meaning of the prompt rather than the intended one—is not hypothetical. Restriction issues.

As Divya put it, “Agents at all times on Windows will operate with less privileged access. They will only have access to what you define.”

Least Privilege has been a driving mantra since the beginning of cyber security. It’s critical to apply this to agent AI as well and create a controlled boundary around autonomous software before it becomes deeply embedded in daily workflows.

Safety expectations increase with autonomy

Once a system allows autonomous software to act on behalf of a user, the bar for security rises dramatically. Links must now be signed, packaged and associated with explicit statements of competence. The operating system knows who created them, what they can do, and whether they have been compromised. Agents also run through a standard proxy that enforces authentication, authorization, and control.

The need for visibility is obvious. If an agent deletes the wrong log entry, incorrectly modifies a configuration, or escalates privileges in an unexpected way, the system must be able to determine exactly which agent did it and why. This level of observability wasn’t necessary when applications were simply running in the direction of the user. It becomes non-negotiable when the software can act independently.

Organizations are already beginning to treat agents less like tools and more like a new class of digital worker—capable, fast, and potentially error-prone. Without OS-level controls, there is no reliable way to monitor or manage this behavior.

Local AI as a native ability

Another key element is the extension of AI processing to the device. Windows introduces APIs for image creation, video enhancement, content search, and other model-based capabilities—including support for running more advanced models directly on the device. Local inference reduces latency, keeps sensitive data off the network, and gives agents faster access to features they rely on.

This part is not unique to Windows, but the integration with sockets and OS-level permissions gives it a different flavor. Agents can call local models with the same directed paths they use for system resources, which keeps behavior predictable and controllable.

A platform that begins to shift

None of this suggests that Windows is suddenly becoming an agent-first operating system. People are still at the center of the experience. But the foundations for a dual model—people operating in one space, agents operating in another—have begun.

The operating system is emerging as the place where identity, permission, restriction and logging converge. As more apps, browsers and services ship their own AI assistants or built-in agents, Windows is positioning itself as the arbiter of what those agents can do safely.

This is the early stage of a long transition. The value of AI agents will take time to unfold at both the enterprise and consumer levels. But the architectural pieces—standard interfaces, clear permissions, individual runtime environments, and system-level observability—are starting to emerge.