Security overview

Windows 365 for Agents is built on a security-first architecture. Every layer, from identity and authentication to threat protection, data governance, and auditability, is designed to enforce Zero Trust principles across agent workloads. This page provides a security overview of Windows 365 for Agents.

Each Cloud PC for Agents is Microsoft Entra-joined and Microsoft Intune-enrolled, which gives agents a managed identity and device posture from day one. Exposed as an MCP tool within Microsoft Agent 365, Windows 365 for Agents inherits the platform's security and audit trail, with Microsoft Defender providing threat protection and Microsoft Purview delivering data governance and compliance visibility across every agent action.

Security pillars at a glance

The security model for Windows 365 for Agents is organized around five pillars. Each pillar addresses a distinct dimension of the Zero Trust framework applied to agent workloads.

| Pillar | What it does | Learn more |
| --- | --- | --- |
| Identity | Agents use a dedicated Microsoft Entra agent user account, separate from human users. Identity is bound to the session, not the device. Microsoft Entra provides a unified identity and policy control plane across agents, Cloud PCs, and sessions. | Identity and security: secure by design |
| Authentication | Token-based authentication is cryptographically bound to the device. Sessions are authenticated on every connection, with continuous verification throughout the session lifecycle by using identity and context signals. | Agent authentication model |
| Threat protection | Microsoft Defender for Endpoint can run on the Cloud PC, providing real-time detection, Advanced Hunting visibility, Defender for Cloud Apps monitoring, and just-in-time controls based on real-time risk signals. | Threat protection with Microsoft Defender |
| Data governance | Microsoft Purview extends endpoint data loss prevention (DLP), data security posture management (DSPM) for AI, and Activity Explorer to agent workloads, which ensures that sensitive data is governed consistently whether accessed by users or agents. | Data governance with Microsoft Purview |
| Auditability | Agent 365 provides centralized governance and auditability. Every interaction is captured and correlated across identity, access, and actions. Security teams can trace activity from the originating user request through the agent's execution and resulting actions. | Governance and auditability |

Zero Trust principles for agent workloads

Windows 365 for Agents applies Zero Trust principles to every agent session. Zero Trust assumes no implicit trust; every request is validated by using identity, device, and policy signals, regardless of where the request originates or what resource it accesses.

| Principle | How it applies to Windows 365 for Agents |
| --- | --- |
| Verify explicitly | Every agent session is authenticated through Microsoft Entra with token-based, device-bound credentials. Conditional Access evaluates identity and context, and allows agent access only from compliant devices. |
| Use least-privilege access | Resource access is explicitly assigned to each agent identity. Pool assignment in Intune determines which agent identities can acquire Cloud PCs. Downstream policies define what agents can do after they connect. Conditional Access policies can explicitly block agent identities from accessing resources. |
| Assume breach | Cloud PCs are stateless and reset after every agent session, which ensures that no credentials persist and no trust carries across workloads. Each session runs in a dedicated, isolated environment. Microsoft Defender provides continuous threat detection, and Microsoft Purview monitors data access. |

How security spans the agent lifecycle

Security controls are woven into every phase of the agent session lifecycle. From the moment a Cloud PC is provisioned to the moment it is reset and returned to the pool, identity, policy, and protection are continuously enforced.

| Lifecycle phase | What happens | Security controls |
| --- | --- | --- |
| Prepare | Pools of Cloud PCs are provisioned, configured, and made available for agent use. | IT admins define pools with images, regions, and size. Each Cloud PC is Microsoft Entra-joined and Intune-enrolled. The Microsoft Defender for Endpoint sensor can be deployed. |
| Acquire | A Cloud PC is reserved for a specific caller and session. | Pool assignment determines which agent identities are authorized. |
| Connect | An authenticated session is established, and capabilities become available. | Microsoft Entra issues and validates tokens. Conditional Access evaluates identity, device, and policy signals. Tokens are cryptographically bound to the device. |
| Act | The agent operates the Cloud PC, with optional human observation. | Intune device security policies are enforced by Windows and Microsoft Edge to protect the Cloud PC environment, while Microsoft Entra Conditional Access safeguards resource access. Microsoft Defender provides real-time monitoring, Microsoft Purview governs data, and all actions are fully audited and attributed. |
| Release | The session ends, the Cloud PC is reset, and capacity returns to the pool. | All credentials and tokens are destroyed. The Cloud PC returns to its provisioned baseline. Audit logs are finalized. |
