Preparing for what’s next: Windows security and resiliency innovations help organizations mitigate risks, recover faster and prepare for the era of AI
https://blogs.windows.com/windowsexperience/2025/11/18/preparing-for-whats-next-windows-security-and-resiliency-innovations-help-organizations-mitigate-risks-recover-faster-and-prepare-for-the-era-of-ai/
Tue, 18 Nov 2025 16:03:11 +0000
Author: Corporate Vice President, Windows Security (https://blogs.windows.com/windowsexperience/author/danahuang/)

Today, we introduced agentic platform and cloud-powered flexibility capabilities into Windows that bring together human creativity and intelligent agents. To fully embrace these agentic capabilities, trust is essential. That’s why Windows is built with privacy, security and enterprise-grade controls that help keep you informed, in control and protected. Windows 11 is more secure by design and by default with each release and update, aligning with Microsoft’s Secure Future Initiative’s core principles. We also recognize that resilience is the cornerstone of a future-ready enterprise. Windows is committed not only to delivering powerful tools for customers, but also to strengthening resiliency across the Windows ecosystem. In this blog, we’ll share some updates on Windows security and resiliency, including the latest announcements about securing agentic interactions on Windows, recent security innovations and our progress with the Windows Resiliency Initiative.

Securing agentic interactions on Windows

Security is our top priority as we expand Model Context Protocol (MCP)-powered capabilities and agentic workflows on Windows. At Microsoft Build 2025, we outlined the principles guiding how we secure MCP on Windows, and last month we expanded on this by sharing our four core principles that guide our approach to securing agent workflows on Windows:
  • Distinct agent accounts, separate from user accounts, enabling agent-specific policies and clear boundaries for access, permissions and accountability.
  • Limited agentic privileges so that agents have minimal permissions and only gain access to resources you explicitly grant.
  • Operational trust: agents must be signed by trusted sources, and signing can be revoked and blocked if needed.
  • Privacy-preserving design in Windows that helps agents adhere to Microsoft’s Privacy Statement and Responsible AI Standard, collecting and processing data only for clearly defined purposes.
Today’s agentic security announcements help honor these commitments:

Agent workspace is a separate, contained, policy-controlled and auditable environment where agents can interact with software much like humans do, and perform tasks on behalf of end users, without disrupting a user’s primary session. All actions performed within the agent workspace are attributed to a distinct agent identity, separate from users. This helps ensure every task, workflow and change is clearly tracked, making it easy to differentiate between what agents do and what users initiate. End users are in control and can choose to enable the agent workspace. The agent will have access to a limited set of the user’s local known folders—such as Documents, Downloads, Desktop or Pictures—and other resources that are accessible to all accounts on the system. Standard Windows security mechanisms like access control lists (ACLs) help prevent unauthorized use. Agent workspace is in private preview.

[Image: "How agents operate", with two drop-downs reading "Tools and Agents" and "Computer-use Agent Capabilities."]

Windows 365 for Agents extends agentic platform primitives to the cloud as a secured and scalable virtual environment, preserving the same security principles and developer experience. Developers can choose between local and cloud execution without rewriting their agent logic, while IT maintains consistent governance through Microsoft Intune and enterprise policies.

[Image: Windows 365 for Agents, with four sections reading "End Users," "Frontier Firms," "Agents" and "Agent Makers."]

Agent connectors (in preview) in an on-device registry come with a built-in MCP proxy layer that facilitates the consent, governance, auditing and containment enforcement that end users and commercial customers need. This proxy layer allows the system to secure interactions between applications and MCP servers by applying appropriate policies.
For customers using agent connectors and developers building them for their applications, the following two security policies will be available:
  • Default security policy: To help ensure a secure by default starting point, the MCP servers must meet the platform security bar around packaging, identity, provenance, containment and consent. The on-device registry will only expose components that are appropriately packaged and signed, declare required capabilities and enable the platform to execute components with containment mechanisms such as running them as an agent user.
  • Bypass security policy: While in developer mode, developers may choose to relax default security checks for testing purposes to allow MCP servers that do not conform to all the requirements to run on their system.
IT manageability: We’re announcing the public preview of new policies that let IT admins manage agent workspace and connector settings—including enabling or disabling features, configuring registry access and choosing between default or more permissive security policies for groups like developer machines—all through familiar tools like Microsoft Intune, Entra and Group Policy. Additionally, IT admins will be able to use familiar account and event log management tools to manage and observe actions performed by agents using agent user accounts. We’ll continue to learn and gather feedback from customers as they use these capabilities during their preview period and will make adjustments in line with our privacy and security commitments. For more information on these agentic security announcements, see "Ignite 2025: Furthering Windows as the premier platform for developers, governed by security."

Stronger by default: new Windows security capabilities

Security is a pursuit, and not a destination. We continue to add new capabilities and strengthen the layers of defense to address emerging threats. The Windows team is excited to announce several major advancements in security designed to help keep organizations ahead of evolving threats:

Advancing crypto and data protection

Post Quantum Cryptography (PQC) uses algorithms designed to withstand quantum attacks that could break today’s encryption. With quantum computing on the horizon, early adoption is critical. Post Quantum Crypto (PQC) APIs in Windows are now ready, so organizations can start migrating to quantum-safe encryption and validate their applications and infrastructure.

Hardware-accelerated BitLocker brings faster and more secure disk encryption to Windows by leveraging modern SoCs and CPUs. Cryptographic operations are now offloaded from the main processor to dedicated hardware, boosting performance and reducing system overhead. On supported hardware, encryption keys are now hardware-protected by being wrapped and isolated at the silicon level, which helps to minimize exposure to CPU and memory vulnerabilities and raises the bar for data protection. These enhancements will be available on new devices starting spring 2026, helping organizations safeguard sensitive data with greater speed and confidence.

Protecting credentials

Credential and identity theft remain top cyberattacks, with phishing as a leading threat vector. As announced in October, the refreshed Windows Hello experience delivers faster, more intuitive authentication, and we are enabling passkey managers to integrate with Windows Hello—this integration is available with the November 2025 security update. We have been working with Microsoft Password Manager in Edge, 1Password, Bitwarden and others as they use this new passkey manager support, enabling smooth sign-in with Windows Hello. So now passkey use on Windows is simpler, smoother, more secure than ever and can be synced across devices.

[Image: Windows Hello passkey prompt shown while a user signs in to LinkedIn, reading "Sign in with passkey" and "Hello Alice Hawkins, press OK to continue."]

Trusted apps and drivers

Attacks often start with unsafe or unsigned apps and drivers. App Control for Business helps ensure only verified apps and drivers run on your device—giving IT peace of mind and reducing risk. With Intune’s Managed Installer, allowing line-of-business apps to run is simplified. Controlling what apps and drivers run on your device helps eliminate attacks from malicious attachments or socially engineered malware, so even if you click on the wrong thing, you’re better protected.

Better visibility with Sysmon functionality

We are also pleased to announce that Sysmon functionality will soon be available in Windows. Sysmon functionality in Windows provides easy-to-activate, rich, customizable threat detection signals valued by enterprise security teams, third-party security vendors and other partners. The upcoming release of Sysmon functionality in Windows will help simplify operations, reduce deployment burdens and significantly increase visibility into Windows logs, empowering security teams to identify threats faster and more efficiently.

Connectivity security

Windows is raising the bar for network protection with two major updates. One is Zero Trust DNS, a powerful new capability that enforces zero trust principles by controlling outbound name resolutions through encrypted DNS and approved DNS servers. This helps organizations meet NIST standards and blocks unauthorized access, helping to ensure only trusted DNS traffic is allowed—a key step toward robust zero trust architecture. And Wi-Fi 7 for Enterprise, which mandates WPA3-Enterprise authentication, delivers seamless roaming and brings the performance benefits of next generation wireless to business environments.

Windows Resiliency Initiative brings recovery at scale

One year ago, at Ignite 2024, we introduced the Windows Resiliency Initiative (WRI), a focused set of improvements to help IT departments prevent incidents, manage those that occur and recover quickly. Most incidents stem from change, and today’s rapid developments in security and AI are accelerating change across products, processes and how people work, raising the bar for IT. Guided by your engagement and feedback, we’re proud to announce new Windows capabilities that help strengthen resilience across your environment.

Preventing incidents through driver resiliency

We invest continuously in Windows quality through deep validation of all new Windows capabilities and monthly security and quality updates. We also work continuously with our partners in the open and innovative Windows app and driver ecosystem to help ensure great reliability end-to-end.

We’ve recently made significant progress on two investments to help improve reliability in antivirus drivers. Effective April 1, 2025, Version 3.0 of the Microsoft Virus Initiative added new requirements for all Windows antivirus (AV) partners to maintain signing rights for Windows AV drivers. In June, we released the first private preview of the Windows endpoint security platform, which shifts AV enforcement from the kernel to user mode. Running AV in user mode prevents bugs from taking down Windows, instead impacting only the AV app, while preserving AV functionality and AV partners’ ability to innovate.

We’re now extending the driver resiliency playbook across the Windows ecosystem beyond the AV scenario. In short, we’re raising the bar for driver signing and making it easier to build reliable drivers for Windows. What’s changing:
  • Driver signing will require a higher security and resiliency bar with many new certification tests.
  • We are expanding Microsoft-provided Windows in-box drivers and APIs so partners can replace many custom kernel drivers with standardized Windows drivers or move logic to user mode.
  • Over the coming years, we expect a significant reduction in code that runs in kernel mode across driver classes such as networking, cameras, USB, printers, batteries, storage and audio.
We will continue to support third-party kernel-mode drivers. We will not limit partners from innovating where we don’t have Windows in-box drivers, or from using kernel-mode drivers where required to help ensure a great Windows experience and for scenarios without in-box coverage. Graphics drivers, for example, will continue to run in kernel mode for performance reasons.

For kernel-mode drivers, we’re adding practical guardrails that improve quality and contain faults before they become outages. These include new mandatory compiler safeguards to constrain driver behavior, driver isolation to limit blast radius, and DMA remapping to prevent accidental driver access to kernel memory.

Manage incidents

For high-impact incidents, customers can now engage Windows product team engineers through the Windows component of Mission Critical Services for Microsoft 365. This new offering enables customers to have specific issues investigated by Windows product engineers directly.

To help keep all your employees productive when something happens to their physical PC, we suggest using Windows 365 Reserve, now generally available. It enables employees to stay productive even if their laptop is lost, damaged or compromised, using secured, cost-effective, temporary Cloud PCs. If this occurs, IT can quickly provision a Reserve Cloud PC with all the necessary apps and policies—keeping employees productive and businesses running. The employee can use the Cloud PC from any device IT allows, including personal devices.

Two new incident management abilities are coming soon:
  • Intune will surface when a Windows device has booted into the Windows Recovery Environment (WinRE), helping IT admins quickly spot machines that can’t boot into Windows and to prioritize recovery. In Azure Portal the same signals will appear for Windows Server VMs that have switched to WinRE, enabling rapid triage and remediation at scale.
  • Digital Signage mode: This new Windows mode is designed for machines that drive non-interactive public displays, whether a restaurant menu or an airport flight display. Once enabled, it helps ensure no Windows screens or error dialogs will show on your public displays. For Windows screens and error messages needed for diagnostics and recovery, Windows will show the screen or error for only 15 seconds and then turn off the screen while waiting for keyboard or mouse input to reactivate it. It is simple to enable through the Windows Settings app or a registry key. This mode does not replace Kiosk mode, which remains the right solution for interactive kiosks.

Recover

We’re reinventing Windows recovery, modernizing tools first built two decades ago. With Intune endpoint management, SSDs replacing slow HDDs and widespread cloud data protection via OneDrive, recovery tools become simpler, faster and more effective at scale.

[Illustration: a computer interacting with Intune Remote Recovery, which in turn connects to three recovery actions labelled quick machine recovery, point-in-time restore and cloud rebuild.]

We released Quick Machine Recovery (QMR) in August. When a widespread issue prevents Windows PCs from booting into Windows and they instead fall back to WinRE, Microsoft can push a QMR update to restore functionality. We’ll soon add two new capabilities to make QMR easier to use in enterprise environments:
  • WinRE networking: WinRE will read networking configuration from full Windows, so networking for WinRE does not need to be configured separately. It supports Ethernet today and will soon also support enterprise Wi-Fi (WPA2/WPA3-Enterprise) with device certificates.
  • Autopatch QMR management: In preview now, Autopatch adds management and approval of QMR updates, alongside all the other types of Windows updates it already automates.
QMR is a great solution for incidents with broad impact. We’re also investing in tools for smaller, isolated incidents—down to a single device. Intune remote recovery via WinRE will let IT admins see in the Intune console when a managed PC has entered recovery. From there, Intune will be able to push custom recovery scripts and trigger other remediation actions. This is built on a WinRE plug-in model that third party endpoint management solutions can adopt as well. Beyond PCs, the Azure Portal will soon enable recovery control for Windows Server VMs. Two new Windows recovery actions which Intune will soon be able to trigger on a PC are:
  • Point-in-time restore, which will roll back a PC to the exact state it was in at an earlier point in time. This recovery action helps resolve a wide range of issues, including problems with updates, driver conflicts and configuration errors. Point-in-time restore will be available in preview in the Windows Insider build of Windows 11 this week.
  • Cloud rebuild: When a device’s erratic behavior can’t be solved in an easier way, Cloud rebuild offers a clean slate without shipping hardware or visiting a service desk. Through the Intune portal, admins will be able to select the desired Windows release and language, triggering the PC to download installation media and rebuild itself. The process leverages Autopilot for zero-touch provisioning, ensuring MDM enrollment and policy compliance post-rebuild. User data and settings restoration is streamlined via OneDrive and Windows Backup for Organizations. This approach will reduce downtime from hours—or days—to a fraction of that time.

Learn more

The latest Windows security and resiliency announcements demonstrate our commitment to helping customers stay secure in a rapidly changing landscape. We look forward to delivering these innovations and supporting organizations as they build a resilient, future-ready security posture. To learn more about Windows 11 security features, visit the Windows 11 Security eBook. For more on the Windows Resiliency Initiative, visit the Windows Resiliency Initiative page and this Technical IT Pro blog for details about recovery tools.

Securing AI agents on Windows
https://blogs.windows.com/windowsexperience/2025/10/16/securing-ai-agents-on-windows/
Thu, 16 Oct 2025 12:58:05 +0000

As AI-powered agents become integral to how we work and create, Windows is committed to making these experiences more productive and secure for individuals and enterprises. Today, we announced new Copilot and agentic experiences that make powerful AI easy on Windows 11. One of the new experiences we introduced is an experimental feature called Copilot Actions. Copilot Actions on Windows 11 builds on our announcement in May, where we announced Copilot Actions on the web – allowing Copilot to take real actions on your behalf, like booking a table at your favorite restaurant or ordering groceries. Coming soon to Windows Insiders in Copilot Labs, we’re previewing an experimental mode for Copilot Actions to expand beyond the browser to take actions directly on local files in Windows. This blog will share how Copilot Actions on Windows is using our new experimental agent workspace to complete tasks for you in a separate, contained environment while keeping you informed and in control.

What is Copilot Actions?

Copilot Actions is an AI agent that completes tasks for you by interacting with your apps and files, using vision and advanced reasoning to click, type and scroll like a human would. This transforms agents from passive assistants into active digital collaborators that can carry out complex tasks for you to enhance efficiency and productivity – like updating documents, organizing files, booking tickets or sending emails. After you’ve granted the agent access, when integrated with Windows, the agent can take advantage of what you already have on your PC, like your apps and data, to complete tasks for you.

[Image: Copilot Actions screen.]

Why security matters

Agentic AI has powerful capabilities today—for example, it can complete many complex tasks in response to user prompts, transforming how users interact with their PCs. As these capabilities are introduced, AI models still face functional limitations in terms of how they behave and occasionally may hallucinate and produce unexpected outputs. Additionally, agentic AI applications introduce novel security risks, such as cross-prompt injection (XPIA), where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation. See Securing the Model Context Protocol: Building a safer agentic future on Windows for more information. As we begin to build agentic capabilities into Windows, our commitment is to include robust security and privacy controls that empower customers to explore their potential confidently with the support of clear guidance and appropriate guardrails.

Agentic security and privacy principles

Addressing the security challenges of AI agents requires adherence to a strong set of security principles to ensure agents act in alignment with user intent and safeguard their sensitive information. We are establishing a set of durable security and privacy principles that must be met to make use of new agentic capabilities in Windows:
  1. Distinct agent accounts: We are creating the ability for agents in Windows to operate with dedicated agent accounts distinct from the user account on your device. This facilitates agent-specific policy application that can be different from the rules applied to other accounts like those for human users. You can share access to files and other resources to these dedicated agent accounts the same way you do with other users on your device like family or coworkers.
  2. Limited agentic privileges: An agent will start with limited permissions and will only obtain access to resources you explicitly provide permission to, like your local files. There is a well-defined boundary for the agent’s actions, and it has no ability to make changes to your device without your intervention. This access can be revoked at any time.
  3. Operational trust: Agents that integrate with Windows must be signed by a trusted source so that maliciously or poorly behaved agents can be revoked and blocked with a range of defense-in-depth measures like certificate validation and antivirus.
  4. Privacy-Preserving Design: Windows is designed to help agents adhere to Microsoft's commitments made in the Microsoft Privacy Statement and Responsible AI Standard. Windows will support agents in collecting and processing data only for clearly defined purposes, ensuring transparency and trust. See the Microsoft Privacy Report for detail on our commitments to advancing AI responsibly while safeguarding privacy and other fundamental rights.
Agent development and AI-related security remain a fast-moving field of research, with active participation from Microsoft in partnership with the broader security community. As part of Microsoft’s Secure Future Initiative commitment, helping users, businesses and developers address these challenges is our top priority as people begin to interact with agents as part of their daily workflows.

Security controls

Copilot Actions will put our security and privacy principles into practice, and we will continuously learn and refine our approach as we gather real world feedback from the preview when it becomes available. Four new building blocks have been added to Windows 11 to support this exploration. During the preview period we’ll continue to add more granular security and privacy controls before these features are made broadly available:
  • User Control: Copilot Actions will be disabled by default and is only enabled when the user toggles on the following Windows setting in Settings > System > AI components > Agent tools > Experimental agentic features.
  • Agent accounts: a separate standard account on your device is provided to agents when acting on your behalf, enabling agent-level authorization and access control.
  • Agent workspace: a contained environment where agents can work in parallel with a human user, enabling runtime isolation and granular permissions. This provides the agent with capabilities like its own desktop while limiting the visibility and access the agent has to the user’s desktop activity. The agent workspace is built on recognized security boundaries that Microsoft will defend in accordance with our longstanding security servicing criteria. For more information on agent workspaces, see Experimental Agentic features – Learn More.
  • User Transparency: a way for users to authorize, monitor and take over agent actions in agent workspace.
More building blocks, like Entra and MSA identity support, will be coming soon. The applications and actions driven by Copilot Actions run under the agent account instead of the account of the logged-on PC user which clearly distinguishes the work done by the agent from other actions on the system like those performed by the PC user. The agent accounts are only provisioned when users enable the agent workspace. During the experimental preview of Copilot Actions, the agent will have access to a limited set of the user’s local known folders—such as Documents, Downloads, Desktop or Pictures—and other resources that are accessible to all accounts on the system. Only when the user provides authorization can Copilot Actions access data outside of these folders. Standard Windows security mechanisms like access control lists (ACLs) help prevent unauthorized use. While Copilot Actions is working, users can monitor its progress, stay informed at every step and take control at any time. When sensitive actions or important decisions are involved, Copilot Actions may request additional user approval to take those specific steps—ensuring their consent and putting them in charge before anything critical happens.

[Image: Copilot Actions screen.]

Looking ahead

Security is a continuous commitment. As we expand agentic capabilities in Windows, we will continue to evolve our defenses. With the upcoming preview release of Copilot Actions to Windows Insiders in Copilot Labs, we look forward to gathering valuable feedback that will help us shape the experience further ahead of broader release. Additionally, the Windows platform and its security controls will be available for other developers in private preview soon to test and provide input. Windows 11 is the most secure version of Windows ever built, and as we enter this new agentic era, our commitment is clear: Windows will be the most secure, trusted, and user-centric platform for agentic computing. We look forward to sharing more at Microsoft Ignite 2025 in November.