HomeNewsletterCommunityToolsArchiveBlogToday's NewsAboutQuick Links Subscribe free
← Back to Blog
Guides Windows 365AIIntuneEntra IDCloud PCSecurity

Windows 365 for Agents: A Secured Cloud PC Execution Environment for AI

IA
Imran Awan
12 July 2026

AI agents are now running in enterprise environments. They browse the web, read and write files, call APIs, execute code, and interact with line-of-business applications. The security question that most organisations have not answered yet is: where exactly are these agents running, and what can they touch?

Microsoft's answer is Windows 365 for Agents — a dedicated, isolated Cloud PC execution environment designed specifically for AI agent workloads. This post covers what it is, how the security model works, how it is provisioned and managed from Intune, and what you need to think about before deploying it.

The problem Windows 365 for Agents solves

Running an AI agent on a user's existing workstation creates three unsolvable problems:

  1. Blast radius. If the agent is compromised or behaves unexpectedly, it has access to everything the user has access to — their files, their browser sessions, their email client, their VPN tunnel.
  2. Auditability. You cannot independently audit what the agent did versus what the user did. The logs are interleaved.
  3. Consistency. Agent behaviour varies depending on what software is installed, what the user has open, what the screen resolution is, and what other processes are competing for resources.

Windows 365 for Agents gives each agent its own isolated, Intune-managed, Entra ID-joined Cloud PC. The agent runs in this environment and cannot reach the user's primary workstation, other Cloud PCs, or any network resource not explicitly permitted by policy.

Note: Windows 365 for Agents is a distinct SKU from standard Windows 365 Cloud PC. It is optimised for non-interactive automated workloads — smaller compute profile, lower cost, and session lifecycle tied to agent task completion rather than user persistence.

Architecture: how it fits together

🤖
AI Agent (Microsoft Copilot Studio / custom agent)
The agent orchestration layer. Triggers a Windows 365 Agent session when a task requires a desktop environment.
☁️
Windows 365 for Agents Cloud PC
Ephemeral or persistent Windows 11 Cloud PC. Entra ID-joined, Intune-managed. Agent authenticates with a managed identity — no user credentials in the session.
🔒
Network isolation boundary
The Cloud PC is network-isolated by default. Outbound access to resources is granted explicitly via Intune network policy and Azure network rules — deny by default.
📊
Intune + Entra ID management plane
Full device compliance, conditional access, app management, and session audit logs — same tooling as your standard Cloud PC fleet.

Key security properties

PropertyHow it works
No user credentials in agent sessionsAgents authenticate using Entra ID managed identities or workload identities. No password, no MFA prompt, no user token stored in the session.
Session isolationEach agent session runs in its own Cloud PC. Cross-session data access is not possible — the VMs do not share memory, storage, or network namespaces.
Ephemeral optionCloud PCs can be configured to reset to a known-good snapshot after each agent task. No persistent state means no data leakage between task runs.
Full Intune managementCompliance policies, app control, Defender for Endpoint, and Conditional Access apply identically to agent Cloud PCs as to user Cloud PCs.
Audit loggingAll agent actions on the Cloud PC are logged in Entra ID audit logs and Defender for Endpoint — attributable to the workload identity, not mixed with user activity.
Watch out: Windows 365 for Agents does not automatically restrict what the agent can do inside the Cloud PC. You still need to configure App Control for Business policies (via Intune) to limit which applications the agent can launch, and network policies to restrict which external endpoints it can reach. The isolation is between Cloud PCs — not between the agent and the Cloud PC's local resources.

Provisioning an agent Cloud PC from Intune

  1. Select Type: Agent (where this option appears in your tenant — it requires the Windows 365 for Agents licence)
  2. Select the Azure network connection — or use Microsoft-hosted network if the agent only needs internet access
  3. Choose the image: Windows 11 Enterprise (agent-optimised) or a custom image with your required software pre-installed
  4. Set the compute profile — for most browser and API-based agent tasks, 2 vCPU / 4 GB RAM is sufficient; document processing or code execution tasks may need 4 vCPU / 8 GB
  5. Assign the policy to an Entra ID group containing the agent machine accounts
Intune — Windows 365 — Agent Cloud PC provisioning status
Agent-Finance-001
2 vCPU / 4 GB — West Europe
✓ Provisioned
Agent-HR-001
2 vCPU / 4 GB — West Europe
▶ Provisioning
Agent-IT-Ops-001
4 vCPU / 8 GB — West Europe
✓ Provisioned

Configuring Conditional Access for agent identities

Agent Cloud PCs are Entra ID-joined and appear as devices in your tenant. Create a dedicated Conditional Access policy for agent workload identities:

Gotcha: Workload identity Conditional Access requires the Microsoft Entra Workload Identities Premium licence — this is separate from the standard Entra P1/P2 licence. Check your licence inventory before designing CA policies that target managed identities. Without this licence, Conditional Access cannot evaluate workload identity sign-in conditions.

Monitoring agent sessions

All agent Cloud PC activity is visible in the same places as user Cloud PCs, but with the workload identity as the actor:

PowerShell 7 — Query agent Cloud PC compliance via Graph
# Get all Windows 365 Cloud PCs and filter for agent devices
Connect-MgGraph -Scopes "CloudPC.Read.All" -NoWelcome

$cloudPCs = Get-MgDeviceManagementVirtualEndpointCloudPC -All

$agentPCs = $cloudPCs | Where-Object { $_.DisplayName -like "Agent-*" }

$agentPCs | Select-Object DisplayName, Status, OSVersion, LastModifiedDateTime |
    Format-Table -AutoSize

Write-Host "Total agent Cloud PCs: $($agentPCs.Count)" -ForegroundColor Cyan

What this means for Intune admins today

Windows 365 for Agents is not yet broadly available to all tenants — Microsoft is rolling it out in preview through mid-2026. Here is what to do now:

  1. Review your existing Windows 365 licence agreement — the agent SKU may be an add-on or separate purchase. Engage your Microsoft account team for pricing.
  2. Design your agent network boundary now — which APIs can an agent call? Which SharePoint sites can it read? Document this before provisioning. Changing network policy after agents are running is operationally painful.
  3. Define your agent identity model — managed identity per agent function (finance agent, HR agent, IT agent) rather than a single shared agent identity. Least privilege applies to AI just as much as to humans.
  4. Write your Intune compliance policy for agent Cloud PCs — same hardware requirements as standard Cloud PC, but you may want stricter app control (no browser access to unmanaged sites, for example) depending on what your agent does.
Tip: Start with a single low-risk agent workload in Windows 365 for Agents before deploying broadly — a read-only document summarisation agent, for example. Get your monitoring, compliance, and audit log pipeline working for that one agent before scaling to agents with write access to production data.

CSP and Group Policy

The Windows 365 for Agents environment is a standard Windows 11 Cloud PC from a policy perspective. All Intune device configuration policies, compliance policies, endpoint security policies, and Defender for Endpoint configurations apply identically. There are no agent-specific CSPs — the agent-specific behaviour is configured at the Windows 365 provisioning and network layer, not at the device policy layer.

Watch out (GPO): If your agent Cloud PCs are Entra ID-joined (recommended), Group Policy from your on-premises AD does not apply — only Intune MDM policy. If you Hybrid Entra ID-join them to bring them into AD scope, you must ensure your existing GPOs do not conflict with agent-specific requirements (e.g. a GPO that forces interactive logon notice screens will break unattended agent sessions). Entra ID-join only is strongly recommended for agent Cloud PCs.

References

Share this post
LinkedIn X / Twitter Reddit Bluesky

More from EndpointWeekly

Guides
Active Directory Domain Controller Hardening for Hybrid…
Domain Controllers are the highest-value target in your environment. This post covers…
Guides
Microsoft Intune Complete Roadmap: Beginner to Advanced (All 12…
A structured 12-chapter roadmap covering everything in Microsoft Intune — from…
Guides
Top 20 PowerShell Commands Every Intune & Azure Engineer Needs
PowerShell is not optional for Intune and Azure engineers. Here are the 20 commands you…