At Microsoft Ignite 2025, after months of heads-down work, my team and I unveiled what we’ve been building: platform infrastructure that enables secure agentic workflows on Windows.
This isn’t marketing speak. This is fundamental OS architecture work—the kind that changes how applications, agents, and users interact at the platform level.
What We Shipped at Ignite
MCP in Public Preview on Windows
The Model Context Protocol (MCP) launched in public preview on Windows at Ignite. For those who’ve been following my work, you know I’ve been deeply involved in MCP development and standardization. It’s now native platform infrastructure.
MCP provides a standardized, secure framework for AI agents to interact with applications. It’s essentially JSON-RPC over HTTP, but the power is in what it enables: agents can automate Windows tasks, orchestrate between apps, and access capabilities—all with user consent and proper security boundaries.
Why this matters: Before MCP, every agent-to-app integration was custom. Now we have a standard protocol. This is like going from proprietary networking protocols to TCP/IP. The ecosystem implications are massive.
Windows On-Device Registry (ODR)
The ODR is a secure, manageable repository for agent connectors—what we call MCP servers. Think of it as an app store, but for agent capabilities.
The problem it solves: In an agentic world, who controls which agents can access what? How do you discover available capabilities? How do you ensure only approved agents run in your enterprise environment?
The solution: ODR lets organizations:
- Control which agent connectors are available
- Manage permissions and policies centrally
- Enable discoverability without compromising security
- Support both local and remote MCP servers
This is governance infrastructure. Without it, agentic computing at enterprise scale doesn’t work.
Agent Workspace (Private Preview)
Agent Workspace is one of the pieces I’m most excited about. Announced in private preview at Ignite, it’s an isolated, policy-controlled environment where agents can operate without disrupting your main session.
The architecture insight: We can’t have agents running tasks that interfere with user workflows. Imagine an agent reorganizing your filesystem while you’re working. Agent Workspace provides that separation—with full transparency and auditing.
This is crucial for regulated industries and enterprises that need to know exactly what agents did, when, and with what permissions.
What This Means from an OS Perspective
I’ve spent my career working on Windows architecture, and this is the most significant shift I’ve seen in how we think about the operating system’s role.
Security by Default
Everything we’re building has security as a first-class concern, not an afterthought. We’re addressing:
- Cross-prompt injection risks
- Authentication and authorization gaps
- Credential leakage vulnerabilities
- Agent identity and separation
The Windows blog post by Logan Iyer goes deep on the security architecture. This is mandatory security checks, not optional best practices.
Open and Extensible by Design
We’re not locking developers into proprietary APIs. MCP is an open standard. The ODR supports third-party connectors. Developers can build on this infrastructure without being locked into Microsoft-only tooling.
This matters because agentic computing only works if the entire ecosystem can participate. Proprietary walled gardens don’t scale when you need agents to orchestrate across thousands of apps and services.
Enterprise Governance
The reality of shipping enterprise software is that control, compliance, and auditing aren’t optional. They’re requirements. We’ve built these capabilities into the platform primitives:
- Policy controls through Intune
- Identity management through Entra
- Compliance and audit trails built into Agent Workspace
- Granular permission models in ODR
This is what lets organizations actually deploy agentic workflows at scale, not just in demos.
What This Looks Like in Practice
Concrete example of what this enables:
An agent wants to help you organize files. Previously, it would need custom integration with File Explorer, custom security model, custom everything. Now:
- Developer builds an MCP server for file operations
- Packages it and publishes to ODR (or enterprise catalog)
- Organization approves it with specific policies
- Agent discovers it through ODR
- Agent requests permission to use it
- User grants permission (with transparent scope)
- Agent performs task in Agent Workspace
- Full audit trail of what happened
This is the difference between “AI features” and “agentic infrastructure.”
The Vision: Windows at the Frontier of Work
The Windows blog post by Pavan Davuluri lays out the broader vision for how Windows enables agentic workflows. Key themes:
Agent launchers on the taskbar (powered by ODR) with progress indicators for background tasks. These agent launchers—which will be renamed from “app agents” in the preview—are built on the App Actions foundation with additional metadata and interface capabilities. Natural language and voice interactions (“Hey Copilot”) enable seamless orchestration across apps, files, and system functions.
Windows 365 for Agents (powered by Agent Workspace) optimizes cloud PCs for agent execution—scalable, secure, auditable runtime environments for agentic workloads at enterprise scale.
Frontier firms are organizations embracing AI agents to blend human ingenuity with intelligent automation. The examples from companies like Levi’s show this isn’t theoretical—it’s happening now.
The Honest Reality
There’s been backlash. Developers and long-time Windows users have voiced legitimate concerns about AI integration, user experience, and feature bloat. Pavan Davuluri has publicly acknowledged these criticisms.
From my perspective building this infrastructure: we have work to do on reliability, ease of use, and developer experience. This is a massive architectural shift, and we’re learning as we go.
The commitment is real: address the concerns, maintain Windows’ accessibility and performance, and keep the developer ecosystem open and extensible.
What’s Next
If you’re a developer interested in building MCP servers, check out:
- MCP specification and documentation
- The Windows blog by Logan Iyer for developer platform details
- My previous posts on MCP tooling and agent development
If you attended Ignite sessions on enabling agentic workflows on Windows, I hope you found them valuable. This is an area where we’re all learning together.
The Bottom Line
This work represents a fundamental shift in how operating systems enable AI. We’re not adding features—we’re rebuilding infrastructure.
MCP as platform infrastructure. ODR for governance. Agent Workspace for isolation and auditing. Security by default. Open and extensible.
This is what operating system engineering looks like when AI becomes native, not adjacent.
The shift to agent-driven computing is happening. Windows is positioning itself as the secure, open, and enterprise-ready platform that enables agentic workflows at scale.
What questions do you have about building on this infrastructure? What problems are you trying to solve that this enables—or doesn’t yet enable? I’m genuinely curious where you see gaps and opportunities.
For the official announcements: