Windows IT Pro Blog:
AI agents are rapidly evolving from answering questions to performing tasks across enterprise systems. As organizations move from experimentation to production, one question continues to rise to the top for security leaders: how do you run agents securely at scale?
Today, many agents operate in fragmented environments: local machines, shared virtual machines, or unmanaged cloud infrastructure. That can make it hard to consistently enforce identity, apply policies, and maintain the visibility security teams need.
Windows 365 for Agents changes that.
A Cloud PC for enterprise agents, with security built-in
Windows 365 for Agents provides secured, managed Cloud PCs built for AI agents. As your organization governs and protects your human users today, Windows 365 for Agents enables you to apply the same enterprise security and compliance controls to agentic workloads.Windows 365 for Agents works with Microsoft Entra, Microsoft Intune, Microsoft Defender, Microsoft Purview, and Microsoft Agent 3651 to provide identity, device management, security, and data governance capabilities for agentic workloads. Agents are designed to operate within enterprise security and compliance boundaries, running in a managed environment with identity, compliance, and security controls.
These core security tenets make it possible.
1. Reduced identity risk with distinct agent identity
Agents running in Windows 365 for Agents are provisioned with their own identity in Microsoft Entra, separate from any human user.When an agent is hired, a unique agent identity is automatically assigned, helping ensure:
- Every action is attributable to a specific agent
- Permissions can be scoped precisely
- Access can be revoked when necessary
With Entra Conditional Access, organizations can enforce access policies by allowing access to organizational resources only when the Windows 365 for Agents Cloud PC is compliant with the organization’s security requirements. This helps ensure agents access enterprise resources only from managed and compliant Cloud PCs.
By combining identity-based access control with Intune device compliance, organizations can extend Microsoft’s Zero Trust policy engine to agents with the same rigor used for human users.
2. Reduced access risk with agent-only access
Windows 365 for Agents Cloud PCs are reserved exclusively for agents and run on isolated and enterprise-managed compute environments built for agent operations. By providing agents with a dedicated and contained execution environment, organizations can mitigate risks such as privilege escalation, accidental human-agent crossover, and lateral movement across shared accounts. IT administrators can further reinforce these boundaries through Intune provisioning policies that assign Cloud PCs only to agent users, helping ensure these environments are used for their intended purpose.3. Consistent security and compliance enforcement
Every Windows 365 for Agents Cloud PC is Entra-joined and Intune-enrolled. Such Cloud PCs are managed by Microsoft Intune1, applying the same security posture your organization already relies on for employee devices.That means:
- Security baselines and compliance policies can be applied from the moment of provisioning
- Configuration, hardening, and updates are centrally managed
4. Network protection with Global Secure Access
Windows 365 for Agents also extends agent security to how agents access the network. Windows 365 for Agents integrates with Microsoft Entra Global Secure Access (GSA) to provide an identity-driven network security layer for agents. This helps organizations apply the same Zero Trust principles they already use for users and devices to agent traffic.With GSA, organizations can route internet traffic through secure, policy-enforced profiles to help protect agents from malicious destinations, risky connections, and unsafe web activity. Security teams can apply controls for web content filtering, URL-based access policies, and inline threat protection.
By combining network signals with identity and device context, organizations can extend Zero Trust protection beyond authentication and into every network connection an agent makes, while maintaining full visibility into how agents interact with enterprise and external resources.
Read our network security with Global Secure Access learn article to learn more.
5. Governance and visibility into Agent Activity
Security is more than prevention; it is also about governance, visibility, and control. By integrating with Microsoft Agent 3651, organizations gain visibility into agent activity and can apply governance and policy controls across agent execution environments. Windows 365 for Agents is exposed as a model context protocol (MCP) server in Agent 365, and the telemetry flows into the tools your security teams already use such as Microsoft Defender and Microsoft Purview.Resilience against threats with Microsoft Defender
Agent activity integrates into Microsoft Defender's AI agent inventory and protection, letting security administrators discover Agent 365 enabled agents in your estate. For agents, Defender offers:
- Advanced hunting across all agent activity
- Traceability of agent identity, tools, and actions
- Threat detection and investigation workflows
On the data side, Microsoft Purview extends your existing security and compliance controls to agentic workloads.
- Data Security Posture Management (DSPM) for AI continuously assesses how agents interact with your data and helps you evaluate alignment with your policies.
- Activity Explorer delivers granular visibility into agent data usage, including what was accessed, classified, or shared, so sensitive information stays within your policy boundaries.
- Existing sensitivity labels, Data Loss Prevention (DLP), and retention policies apply to agent actions similar to human users.
- Insider Risk Management (IRM) detects risky agent behaviors, identifies elevated risk levels, and prioritizes investigations before sensitive data is exposed or misused.
This Windows 365 for Agents demo shows how agents execute in a secure, managed environment.
Are you ready for enterprise-ready agentic computing?
Windows 365 for Agents brings identity, device management, and observability together into a unified, secure platform built for AI agents. In summary, this includes:- Distinct identity to establish the Zero Trust foundation
- Agent-only environments to reduce risk of misuse by design
- Intune management that enforces a consistent security posture
- Identity-aware, real-time network protection with Global Secure Access
- Governance and visibility with Agent 365
Ready to put agents to work securely? Learn more about Windows 365 for Agents security on our support page and start running enterprise-ready agentic workloads today.
Source:









