Key insight

Windows 365 for Agents is an execution environment built specifically for agent workloads, combining Entra identity, Cloud PC isolation, and Microsoft 365 security under Zero Trust. Each Cloud PC is pooled (dynamically assigned per task), stateless (reset completely after every session), and programmatic (accessed by agents, not an interactive human). Together these properties let many agents safely share infrastructure without sharing identity, keep every connection authenticated and isolated, and make every action fully auditable back to a specific agent’s identity.

Every device an organisation manages was, until recently, built around one core assumption: a person sits down at it. This article is about what happens when that assumption is dropped entirely, because the thing using the computer is an agent, not a person.

1 · A computer built for a different set of assumptions

A normal work computer assumes one person owns it, returns to it regularly, and expects its files and settings to persist from one day to the next. An agent breaks every one of those assumptions. It does not sit down; it is invoked, completes a task, and finishes. It should not accumulate personal files over time, because agents are meant to be interchangeable, disposable workers rather than individuals with a permanent desk. A computer built for agents needs a genuinely different shape.

2 · What Windows 365 for Agents actually is

Windows 365 for Agents delivers an execution environment for agent workloads by combining Microsoft Entra identity, Cloud PC isolation (a virtual computer running in the cloud), and Microsoft 365 security controls, all governed end to end by Zero Trust principles. Each Cloud PC is Entra-joined and Intune-enrolled, giving every agent a managed identity and known device posture from day one. Exposed as a tool an agent can call within Agent 365, it inherits the platform’s security and audit trail automatically: Microsoft Defender provides threat protection, and Microsoft Purview delivers data governance and compliance visibility across every action.

3 · Three properties: pooled, stateless, programmatic

Three properties define these agent Cloud PCs, and each solves a real problem. Pooled means machines are dynamically assigned from a shared pool per task, rather than one machine being tied permanently to one agent. Stateless means every session resets after use, with no state carried forward to the next one, so nothing from one agent’s work lingers for the next. Programmatic means these machines are accessed by agents, by software, not by an interactive human user typing at a keyboard.

Three properties of agent Cloud PCs: pooled, stateless, and programmatic Three labelled boxes: pooled, showing a shared pool of machines dynamically assigned; stateless, showing a machine reset between sessions; programmatic, showing access by software rather than a human. Pooledshared pool, per-task assignment Statelessreset completely after every session Programmaticaccessed by agents, not people
Figure 1. Agent Cloud PCs are pooled, stateless, and programmatic, three properties designed for a non-human, disposable, always-governed workload rather than a person’s permanent desk.

4 · Why this shape makes agents safe at scale

These three properties combine into an identity-first, Zero Trust approach where every agent request is validated using identity, device, and policy signals, with security enforced throughout the whole session lifecycle. The concrete benefits follow directly. Safe pooling: many agents share infrastructure without ever sharing an identity. Session-scoped access: every connection is authenticated and policy-governed as it happens. Ephemeral compute: identity travels with the session itself, not with any one physical machine. Isolation: sessions are independent and reset between uses, so nothing bleeds from one into the next. And full auditability: every action traces back to a specific agent’s identity, no matter which pooled machine it happened to run on.

The whole idea in one line

Agents can operate at scale, across shared, constantly changing infrastructure, while remaining fully governed the whole time, because identity, not the machine, is what carries the trust.

5 · Glossary — every short-form term, spelled out

Windows 365 for Agents
An execution environment combining Entra identity, Cloud PC isolation, and Microsoft 365 security, purpose-built for agent workloads.
Cloud PC
A virtual computer running in the cloud rather than on local hardware.
Managed identity
An identity issued and controlled by the platform, rather than a self-managed credential.
Device posture
The known security and configuration state of a device, used in access decisions.
Pooled
Dynamically assigned from a shared set of machines rather than permanently dedicated to one user or agent.
Stateless
Reset completely after each use, carrying no data or configuration forward to the next session.
Programmatic access
Access performed by software or an agent, rather than an interactive human user.
Ephemeral compute
Computing resources that exist only for the duration of a session, with identity tied to the session rather than the machine.
Key takeaways

A normal computer assumes one person, sitting down regularly; an agent breaks every one of those assumptions.
Windows 365 for Agents combines Entra identity, Cloud PC isolation, and Microsoft 365 security under Zero Trust, purpose-built for agent workloads.
Agent Cloud PCs are pooled, stateless, and programmatic, three properties that fit a disposable, non-human workload rather than a permanent desk.
The result is safe pooling, session-scoped access, ephemeral compute, isolation, and full auditability back to a specific agent's identity.
Identity, not the machine, is what carries the trust, which is what lets agents operate safely across shared, constantly changing infrastructure at scale.

References

  1. Microsoft Learn, Identity security overview (Windows 365 for Agents). learn.microsoft.com