Ignite 2025: Furthering Windows as the premier platform for developers, governed by security

Continuing Windows evolution as a secure open platform for AI and Agents

At Build, we laid out our vision for the future of development on Windows, announcing new tools that empower developers to do their best work with the ultimate flexibility.

• We open-sourced Windows Subsystem for Linux, making it easier than ever for developers to contribute, customize and help us integrate Linux more seamlessly into Windows.
• With Microsoft Foundry on Windows, formerly known as Windows AI Foundry, we introduced a unified and reliable AI platform to support AI development across CPU, GPU and NPU.
• And we announced native support for Model Context Protocol (MCP), which offers a standardized framework for AI agents to connect with apps.

Today, we expand on these foundations, evolving Windows to give developers a platform to build the next generation of software experiences that empower people and organizations at scale.

As AI transforms the way we work, agents are becoming powerful tools to make users more productive, handling routine tasks and taking away the drudgery so users can focus on what matters most. To empower developers and organizations on this journey, Windows is evolving as an operating system with the foundational structures to make agents on Windows more effective, secure and governable—with flexibility for developers and peace of mind for organizations to embrace this trend with confidence.

To realize this vision, we’ve spent the past year listening closely to developers and actively engaging with the broader community, learning about pain points, tracking emerging needs, and identifying opportunities to make Windows a secure platform for the future of AI and agents. The feedback and community insights have directly shaped the updates we are introducing today.

What’s new for Windows Platform at Ignite:

• Public preview of native support for Model Context Protocol (MCP) on Windows, a standardized framework for AI agents to connect with apps and tools to automate routine scenarios and perform tasks for users securely with user consent.
  • Public preview of Windows On-Device Registry (ODR), a secure, manageable repository of agent connectors, which are just MCP servers.
  • Public preview of built-in agent connectors for File Explorer and System Settings. Agents can use the File Explorer connector to manage, organize and retrieve local files with user consent. With System Settings connector, agents will be able to adjust Windows system settings like changing from light mode to dark mode or troubleshooting issues, while keeping the user in full control.
• Private preview of Agent Workspace – a contained, policy-controlled and auditable environment where agents can interact with software and complete tasks for users in a parallel and separate desktop, without disrupting users’ primary session.
• Introducing Agent ID—A unique ID distinct from the user ID that makes it possible to audit every action taken by the agent. The agent ID also helps IT distinguish agent interactions from user actions.
• Secure by default policies for developers building agents and agent connectors and security controls for end-users using agents—keeping their data secure.
• Enterprise manageability controls for IT admins to configure basic policies for their enterprise employees to adopt and use agents through typical policy configuration channels for Configuration Service Provider (CSP) policies and Group Policies (GP) starting with Intune in public preview.
• Public preview of new AI APIs—video super resolution (VSR) and Stable Diffusion (SDXL) in Microsoft Foundry on Windows, formerly known as Windows AI Foundry. Developers can use these APIs powered by Windows on-device models to add AI-powered video enhancement (VSR) and image generation (SDXL) features to their apps.

These updates lay the foundation for a new generation of experiences, providing developers and enterprises with enhanced protection, transparency and governance—introducing platform-level security guardrails to help organizations begin adopting agent-powered workflows.

Announcing public preview of native support for Model Context Protocol (MCP) on Windows

The Model Context Protocol (MCP) is an open standard introduced by Anthropic in late 2024 to give AI agents a universal way to connect with external tools, data sources and services. By creating a common language for content exchange, MCP accelerated innovation and set the foundation for richer, more capable agentic workflows. On Windows, we are taking MCP even further by catering to the needs of developers, IT professionals and end-users. Users need easy discoverability and consistent controls, minimizing security risks. IT professionals need robust security and manageability controls to deploy agents confidently across the organization. Developers need tools and libraries to build and make their servers easily discoverable to agents without doing bespoke work for each platform.

To build these AI experiences and agents at scale, you need an OS that’s built for it. This infrastructure can’t be delivered through middleware or applications alone—it demands OS-level integration for security, consent and control. We are thrilled to transform Windows into an operating system with this secure OS-level integration with a native agent infrastructure.

That’s why today, we are announcing the public preview of native support for MCP on Windows—a standardized framework for AI agents to connect with apps and tools to automate routine scenarios and complete tasks for users.

Developers can build MCP servers to expose their app’s functionality as agent connectors and register in Windows on-device registry

Agent connectors are essentially MCP servers built by app developers and made available in the Windows on-device registry. These are agent-aware tools that agents can connect to acquire new and unique skills and complete tasks for users. This includes built-in agent connectors from Windows, as well as local and remote connectors from our developer community.

Agents can discover and connect to these tools and other agents via a secure, manageable Windows on-device registry (ODR). By default, all agent connectors in the Windows on-device registry will be contained in a secure environment with their own identity and audit trail.

All communication between agents and agent connectors from the Windows on-device registry will go through the MCP proxy, a trusted gateway to ensure secure communication enabled by Windows. The proxy handles authentication (verifying the MCP client, the originator of the call), authorization (enforcing permissions and policies), and auditing (logging every interaction for compliance) for both local and remote MCP servers. With standard security policy, each agent connector has its own identity, and secure communication enforced through the MCP proxy ensures that agents and connectors can trust each other’s provenance.

We are also introducing support for remote agent connectors. Developers can register remote endpoints with the on-device registry, making them discoverable to any compatible agent along with local agent connectors. With the support for remote agent connectors, developers can register their cloud based MCP servers in the Windows on-device registry and expose their apps’ functionality to agents.

Get started, dive into documentation. Platform capabilities in preview coming soon.

• You can build MCP servers to offer your apps unique functionalities as agent connectors and register them in the Windows on-device registry, to be discovered by agents. This will enhance reach and drive engagement for their apps. To get started with building and registering agent connectors, check our documentation—https://aka.ms/RegisterMCPServer
• You can package your agent connectors as either MSIX or MCPB (MCP Bundles). To package and register agent connectors, check our documentation—https://aka.ms/RegisterMCPBundle
• As an agent developer, you can leverage agent connectors and benefit from the apps’ functionality to complete tasks for your users. To connect, list and interact with agent connectors, check our documentation—https://aka.ms/MCPHostQuickstart.

Announcing public preview of Windows built-in agent connectors for File Explorer and System Settings

We are thrilled to announce the public preview of two agent connectors built into Windows—File Explorer and System Settings. These connectors are available via the on-device registry for agents to leverage and complete tasks for users on Windows.

File Explorer Connector: Agents can use the File Explorer connector to manage, organize and retrieve local files on a user’s device with their consent. On Copilot+ PCs, the connector can also perform natural language search to retrieve the exact file based on descriptions, content, metadata, and, for images, enhanced search based on image classification.

System Settings connector: This connector helps agents adjust Windows system settings like changing from light mode to dark mode or troubleshooting issues, while keeping the user in full control.

Announcing private preview of Agent workspace

In addition to using tools like agent connectors, agents can also interact with existing software or line of business applications to complete tasks.

We are excited to announce the private preview of Agent workspace—a contained, policy-controlled and auditable environment where agents can interact with software, just like people, to complete tasks for the user in a parallel and separate desktop, without disrupting users’ primary session.

Introducing Agent ID

When agents are allowed to use software like people, it becomes more critical for IT professionals to clearly audit and distinguish between agent and user actions. To deliver transparency and control, we have built security paradigms that enforce agents to operate with their own unique identity, completely distinct from the user’s identity, and are governed by strict guardrails set by IT. This ensures every task, workflow and change is clearly tracked, making it easy to differentiate between what agents do and what users initiate. With these core primitives all agentic interactions on Windows are a step function, more secure and contained than traditional apps.

Announcing public preview of Windows 365 for Agents

These platform primitives apply not just to agents running locally on Windows client, but also in the cloud in Windows 365. To date, Windows 365 Cloud PCs have been designed for people, delivering the full Windows experience to power employee productivity on any device, anywhere.

Today, we are thrilled to announce Windows 365 for Agents, which extends the local agent workspace concept to the cloud so agents can interact with existing software or line of business applications to complete tasks. The key distinction is simple: on local PCs, agents operate in a secure workspace on the user’s device and with Windows 365 for Agents, the Cloud PC itself becomes the agent’s secure, policy-controlled environment.

Agent developers can build and deploy agents with Windows 365 for Agents. Windows 365 for Agents provides a comprehensive set of APIs for agent developers to manage and utilize compute resources. Agents running in Windows 365 can also use agent connectors and Windows on-device registry. Learn more about Windows 365 for Agents—https://aka.ms/W365forAgentsIgniteBlog

Securing agentic interactions on Windows

In line with Microsoft’s Secure Future Initiative commitment, security is our top priority as we expand MCP powered capabilities and agent workspace on Windows.

At Build this year, we outlined the principles guiding this structure and last month, we expanded on our foundational security principles for agentic AI experiences. We are adhering to a strong set of durable security and privacy principles that must be met to make use of these new capabilities in Windows.

• Distinct agent accounts: Agents in Windows operate with dedicated agent accounts, separate from the user account on your device. This enables agent-specific policies and lets you share access to files and resources in a secure manner with agents just as you would with other users on your device. IT admins using Agent 365 to build digital agents can manage Entra identity, policies, registry and observability through a single unified control pane.
• Restricted agent privileges: By default, agents will start with minimal permissions and only gain access to resources you explicitly grant. Their actions are strictly bounded, and they cannot make changes to your device without your authorization. You can revoke access at any time.
• Operational trust: Agents must be signed by a trusted source. Malicious or poorly behaved agents can be revoked and blocked using a range of defense-in-depth measures like certificate validation and antivirus.
• Privacy-preserving design: Windows helps agents adhere to Microsoft’s commitments in the Microsoft Privacy Statement and Responsible AI Standard. Windows will support agents to collect and process data only for clearly defined purposes, enabling transparency and trust. See the Microsoft Privacy Report for details on our commitments to advancing AI responsibly while safeguarding privacy and other fundamental rights.

Today we begin to deliver on these commitments, and we will continuously learn and refine our approach as we gather real world feedback from the public preview.

Secure by default agent policies

In alignment to the above principles, the standard security policy for agent connectors on Windows aligns with Microsoft’s Secure Future Initiative (SFI) principle of “Secure by Default,” ensuring every connector meets strict requirements for packaging, identity and containment.

Agent connectors and agents running on Windows must meet the platform security bars around packaging, identity, provenance, containment and consent. The on-device registry will only return agent connectors and agents that meet the criteria below.

• Packaging and Identity: All applications must be packaged and have an identity established through trusted signing. This ensures that any connector available for the agent has identity which can be asserted by Windows.
• Private capabilities manifested: Developers are required to define the minimum capabilities required for their agent connectors in their package manifest.
• Containment: Agents and connectors will run in a contained environment as an agent user.

Windows also provides developers with settings and tools to help ensure existing agent connectors work in the default security policy, including testing with less restrictions.

Security controls to manage agentic workflows

To protect user data during agentic operations, we provide key security controls such as experimental agentic feature toggles, mandatory user consent and a dedicated settings page to enable or disable access to agent connectors.

Experimental agentic features toggle:  All agentic experiences powered by agent connectors and agent workspace are disabled by default and are only enabled when the user toggles on the Windows Settings:  Settings > System > AI components > Agent tools > Experimental agentic features.

Mandatory user consent: In standard security policy, whenever an agent wants to access any sensitive information—like your files, applications or resources, Windows will always ask for your consent on the first occurrence.

Windows Settings for Agent connectors: A dedicated Settings page for each agent, allowing users to manage file access permissions and enable the connectors an agent needs to perform tasks.

Enterprise management policies and capabilities to ensure IT is always in control

IT admins can manage basic policies for their enterprise employees to access and use agentic experiences through typical policy configuration channels for Configuration Service Provider (CSP) policies and Group Policies (GP) starting with Intune in public preview.

• IT admins can enable or disable both local and remote agent connectors, at device levels, using Intune or other MDM apps through Configuration Service Provider (CSP) and Group Policy Object (GPO).
• IT admins can enable or disable agent workspace at both account and device levels, using Intune or other MDM apps—through both CSP and GPO.
• IT admins can set minimum security policy levels for agent connectors at both account and device levels through both CSP and GPO.
• Agent connectors packaged using MSIX can be deployed and managed using existing enterprise-grade mechanisms such as Intune, Conditional Access and Managed Installers, already familiar to IT teams. Policy support for MCPB will be available in the coming months.
• IT admins can access event logs, which enumerate key Agent connector events such as invocations in agent workspace, errors and registry updates.

Additional advanced manageability controls will be coming later in 2026.

Building next-gen AI experiences with our partners and developer community

We are excited to be partnering with many agent builders and app developers who are already leveraging the agentic platform on Windows to deliver next-gen AI experiences, with many examples of partners building experiences using MCP shown below.

Dynamics 365 is redefining expense management with MCP on Windows. Today filing an expense report is a tedious manual process—often taking a dozen steps, 30 or more minutes and is often error-prone. With Dynamics 365 agent in Microsoft 365 Copilot this process is reduced to one sentence with high accuracy saving you time to focus on the next important task. Under the hood, Microsoft 365 Copilot uses File Explorer connector to securely access local files and find relevant receipts powered by semantic search in seconds. It then extracts details, generates expense lines and submits the expense—streamlining approvals and reducing friction to just one prompt with MCP on Windows.

Prerelease AI interactions shown; subject to change. Sequences shortened for demonstration purposes.

Manus is an AI-powered general productivity agent that helps users with varied tasks such as creating websites, organizing files and generating content through simple prompts and secure integrations. Manus leverages MCP on Windows, and enables users to build a website in minutes—directly from content stored on their PC—without uploading files or switching apps. The agent uses the File Explorer connector to fetch content and execute tasks entirely within the Windows security model. Beyond website creation, Manus can organize files, generate content and manage information through simple prompts and explicit user approval. This demonstrates the core value of MCP on Windows: enabling agents to act intelligently while keeping enterprise data protected and workflows more seamless.

Prerelease AI interactions shown; subject to change. Sequences shortened for demonstration purposes.

Claude by Anthropic is an AI productivity agent on platforms including Windows that helps users handle multi-step tasks efficiently. By connecting to File Explorer—with user consent—Claude can quickly find relevant documents like meeting notes and status updates, then generate summaries or reports in minutes. In a typical use case, Claude gathers all necessary files and produces an executive summary of a project, which can be sent directly through Outlook. This process saves time and maintains user privacy and control, showing how intelligent agents can streamline everyday work.

On Windows, Dropbox Dash streamlines storage by merging files from sources like Dropbox and OneDrive into a single searchable hub. With MCP integration, agents in any application can quickly access curated content without manual searching, enabling faster execution, real-time collaboration and built-in compliance. Dropbox Dash simplifies cross-app workflows for enterprises seeking unified experience.

New capabilities coming to Microsoft Foundry on Windows

AI-native platform and machine learning models are essential to enable advanced agentic experiences. Microsoft Foundry on Windows,  formerly known as Windows AI Foundry, first introduced at Build 2025, is a unified and reliable AI platform that supports the AI developer lifecycle from model selection, optimization, fine-tuning and deployment across CPU, GPU and NPU.

Microsoft Foundry on Windows gives developers the tools to build AI experiences on-device whether they choose to use AI APIs powered by the inbox models that ship with Windows or access a rich catalog of pre-optimized open-source models in Foundry Local. At the foundation of Microsoft Foundry on Windows is Windows ML, which is generally available and simplifies the deployment of custom, proprietary models across varied Windows hardware devices. Thanks to deep collaboration with silicon partners like AMD, Intel, NVIDIA and Qualcomm, Windows ML offers unified execution, hardware mapping and power-aware performance, so models run on your local device efficiently.

Announcing new Windows AI APIs – Video super resolution (VSR) and Stable Diffusion XL (SDXL) – powering on-device AI through Microsoft Foundry on Windows

Today we are excited to announce new Windows AI APIs that developers can leverage to bring local AI experiences like video super resolution (VSR) to upscale low-resolution streams and Stable Diffusion XL (SDXL) for high quality image generation, both of which are now in public preview. App content search enters public preview as an API for developers to enable fast, intelligent in-app search experiences, making it easy to find relevant content within their Windows apps.

Many leading app developers are already leveraging Microsoft Foundry on Windows to deliver innovative, secure and high-performance AI experiences locally on Windows.

Windows ML is driving innovation across industries with partners like Roboflow leading the way. Roboflow, a Microsoft Start Up Pegasus Program participant, provides Visual AI tools used by millions of developers and over half the Fortune 100 for computer vision applications both in the cloud and on-device. With Windows ML integration, Roboflow is able to deploy the RF-DETR model for state-of-the-art detection and instance segmentation on the edge like cargo container tracking to manufacturing quality assurance.

Infosys, a global leader in digital services and consulting, has integrated Windows ML with Infosys Agentic Foundry, part of Infosys Topaz™. By leveraging custom models tailored with business data, Infosys is transforming a cloud-based invoice classification agentic AI system. This advanced agentic application is designed to help Infosys business operations teams effortlessly understand the status of invoices from data embedded in emails. Consequently, it can quickly determine the necessary actions to move these invoices through the workflow. This integration aims to significantly enhance and expedite the end-to-end process, while ensuring sensitive data remains secure without being transmitted to the cloud.

Many partners are leveraging open-source models from Foundry Local to power local AI workflows in their organization.

HCLTech is exploring building a proctoring solution that monitors a user’s presence, gaze and phone usage during assessments using their custom model  YOLOv8 and Phi-4-mini-reasoning model from Foundry Local, ensuring privacy and enhanced monitoring.

Cognizant is developing an offline plant disease detection solution that can, based on leaf images, identify the disease, describe the associated symptoms and recommend prevention and remediation steps using phi-4-mini reasoning model from Foundry Local and a custom plant disease classification model with Windows ML.

Kahua is redefining field productivity, using locally-run AI and agentic workflows to keep construction teams productive, even when offline. Kahua is experimenting with Foundry Local models like Phi-4-mini-reasonning to analyze construction photos to detect defects, like unpainted areas or uncapped pipes and automatically generate structured data entries to document those defects inside the Kahua application.

AnythingLLM powered by Foundry Local provides enterprises with secure, on-device document intelligence and agent automation through models like DeepSeek, Mistral, Phi and Qwen, while Belt triages and analyzes legal contracts and other sensitive email attachments using model families such as Phi 4 and Qwen through Foundry Local—all processed locally for privacy and efficiency.

Cephable empowers users with its suite of AI productivity tools, such as summarization and rewrite, leveraging Foundry Local models to offer on-device AI with state-of-the-art models like Phi and Qwen. By running these advanced AI workloads locally, Cephable not only enhances productivity but also ensures user data remains private, significantly reducing the risk of data leakage and minimizing cloud computing costs.

Raycast integrates Foundry Local models, bringing privacy-first, on-device AI to the desktop to streamline automation and give users fast, secure access to their tasks and workflows.

Looking ahead

We are committed to building an even more robust and secure Windows platform for developers to build secure, intelligent and next-gen AI solutions. This is just the beginning. With Windows as the foundation, we’re empowering each of you to unlock the full potential of next-gen computing and invite you to explore, build and help us shape the future of Windows.