What does an agentic Windows mean for organizations?

For organizations of all kinds — particularly those selling to consumers — this new feature is worth monitoring because it could mark the start of a change in customer behavior away from interfacing with apps to using agents for all kinds of activities.

This isn’t to say this will happen fast, or even that it will happen at all; the point is more that this has the potential to represent a significant change in how consumers interact with brands and services.

If this does indeed come to pass, the organizations that will win are those on the front foot when it comes to optimizing for agentic systems. The commercial advantage will be the ability to be discovered and used by agent systems: what we think of as a front end may well evolve.

Criticism and the risks of agents

The impact of this feature, of course, remains to be seen. There’s been plenty of criticism and pushback against Microsoft’s agentic push in recent months; that’s likely to increase if this is the direction of travel.

One of the most significant issues is security; the feature is, after all, essentially letting a bot rummage through your files and system. For its part, Microsoft has acknowledged this: “Agentic AI applications,” the company writes in its support document, “introduce novel security risks, such as cross-prompt injection (XPIA), where malicious content embedded in UI elements or documents can override agent instructions, leading to unintended actions like data exfiltration or malware installation.”

When I talked to my Thoughtworks colleague Ben O’Mahony about the story today, he noted that “it definitely opens up a lot more attack vectors.” He mentioned the recent NX s1ngularity supply chain attack (from September), where AI CLI tools like Claude Code and Gemini were used to write code to expose secrets and trash the system.

Microsoft appears to believe it can mitigate the risks by making the feature non-default and instructing users that they need to be aware of the security risks if they turn it on. Whether this is a convincing way for a major technology company to think about security is something for another discussion.