Microsoft's AI Agents in Windows: What Businesses Need to Know About Copilot Actions
Microsoft has introduced experimental AI agent capabilities into Windows through Copilot Actions and agent workspaces, features designed to automate everyday tasks like organising files, scheduling meetings, and sending emails.
However, the announcement comes with significant security warnings that business leaders and IT administrators must understand before enabling these capabilities.
What Are Agent Workspaces?
An agent workspace is a separate, contained space in Windows where AI agents can access apps and files to complete tasks in the background whilst users continue working. Each agent operates using its own distinct account, separate from personal user accounts, establishing clear boundaries between agent activity and user activity.
Agents typically receive access to known folders or specific shared folders, with permissions reflected in folder access control settings. Each agent has its own workspace and permissions—what one agent accesses doesn't automatically apply to others. For this initial preview release, agent workspaces run in separate Windows sessions, allowing agents to interact with apps parallel to user sessions.
When running in agent workspace, the AI has access to six commonly used folders in your user profile directory: Documents, Downloads, Desktop, Music, Pictures, and Videos. The feature is off by default and can only be enabled by administrator users.
Microsoft's Security Warning
The company's announcement includes a critical caveat that organisations must take seriously. Microsoft explicitly states:
"We recommend that you only enable this feature if you understand the security implications outlined on this page."
Why the warning? Microsoft acknowledges that "AI models still face functional limitations in terms of how they behave and occasionally may hallucinate and produce unexpected outputs. Additionally, agentic AI applications introduce novel security risks, such as cross-prompt injection (XPIA), where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation."
These aren't theoretical risks. Prompt injection attacks have been demonstrated repeatedly by security researchers, and AI hallucinations remain an unsolved problem across all large language models. The combination of these vulnerabilities with system-level access creates genuine security exposure.
Security Principles and Goals
Microsoft outlines ambitious security principles for agentic features:
Non-repudiation: All agent actions must be observable and distinguishable from user actions, ensuring clear audit trails.
Confidentiality: Agents handling protected user data must meet or exceed existing security and privacy standards.
Authorisation: Users must approve all queries for user data and all actions taken by agents.
Additional principles include that agents should operate under least privilege, never exceeding the permissions of the initiating user. Authorised agent privileges should be granular, specific, and time-bound. Agents should only access sensitive information in specific, user-authorised contexts.
Microsoft emphasises that "security in this context is not a one-time feature—it's a continuous commitment. As agentic features evolve, so will our security controls, adapting to each phase of rollout from preview to broad availability."
What IT Administrators Need to Know
The experimental agentic feature setting is off by default and can only be enabled by administrator accounts. Once enabled, it applies to all users on the device including other administrators and standard users.
IT administrators will be able to enable or disable agent workspace at both account and device levels using Intune or other Mobile Device Management applications. This provides central control over which users and devices can access these features.
When running in agent workspace, the AI has access to apps available to all users by default. To limit access, organisations can install apps for specific users or specifically for agents. Agent accounts have access to any folders that all authenticated users can access, such as public user profiles.
The Risk-Benefit Calculation for Businesses
Agentic AI capabilities offer genuine productivity potential. Automating routine tasks, complex file organisation, and multi-step workflows could deliver measurable efficiency gains. However, businesses must weigh these benefits against the acknowledged security risks.
The challenge for organisations is that the same vulnerabilities Microsoft warns about—hallucinations and prompt injection attacks—have proved impossible to fully prevent across the AI industry. Workarounds exist for specific discovered vulnerabilities, but comprehensive solutions remain elusive.
For businesses, this creates difficult decisions. Do you enable powerful productivity features that Microsoft explicitly warns carry security risks? How do you determine which users have sufficient experience to understand and mitigate these risks? What monitoring and auditing processes ensure agents aren't compromised?
Managing the Feature in Your Organisation
If your organisation chooses to enable these experimental features, several practices can help manage risk:
Restrict access carefully. Only enable agent workspaces for users who genuinely need the capabilities and have appropriate technical understanding of the risks.
Use centralised management. Deploy controls through Intune or MDM to maintain visibility into which devices and accounts have agent features enabled.
Monitor agent activity. Take advantage of the separate agent accounts to monitor and audit agent behaviour distinctly from user activity.
Limit file access. Consider restricting agent access to sensitive folders by carefully managing which folders agents can reach.
Maintain awareness. As Microsoft states that security controls will evolve as the feature matures, stay informed about updates and new guidance.
Looking Forward
Microsoft describes this as a phased approach to delivering agentic capabilities, starting with limited access to gather feedback and strengthen foundational security. The company acknowledges that "agent development and AI-related security continue to be a fast-moving field of research."
The reality is that businesses will increasingly encounter AI agent capabilities across various platforms and tools. Microsoft's relatively transparent approach to communicating risks provides a framework for how organisations should evaluate these features—not just from Microsoft, but from any vendor introducing autonomous AI capabilities.
The key question isn't whether AI agents will become part of business computing—they likely will. The question is whether organisations will deploy them thoughtfully, with appropriate security controls and realistic understanding of current limitations, or whether productivity promises will outweigh security caution.
Navigate AI Security Challenges with Expert Guidance
At Altiatech, we help organisations evaluate and implement emerging technologies including AI capabilities whilst maintaining robust security postures. Our cybersecurity and IT infrastructure specialists can assess whether features like AI agents align with your security requirements and help develop appropriate policies and controls.
From security assessments and risk evaluation to ongoing monitoring and incident response planning, we provide the expertise needed to make informed decisions about AI adoption in your business environment.
Get in touch:
📧 Email:
innovate@altiatech.com
📞 Phone (UK): +44 (0)330 332 5482
Innovation with security. Technology with control.
