That's what I understand. It basically spins up a windows VM, you grant it access to specific files or folders, and it runs the actions in the VM.

From the MS support doc:

> "An agent workspace is a separate, contained space in Windows where you can grant agents access to your apps and files so they can complete tasks for you in the background while you continue to use your device. Each agent operates using its own account, distinct from your personal user account. This dedicated agent account establishes clear boundaries between agent activity and your own, enabling scoped authorization and runtime isolation. As a result, you can delegate tasks to agents while retaining full control, visibility into agent actions, and the ability to manage access at any time."

MS showed a little bit of something like it at Ignite yesterday, but for enterprise automations, the AI spun up a Windows 365 instance, did some stuff on the web, then disposed of it when it was done.

thanks for explaining that. I could see some value and also tremendous risk.

My concern is that the Windows Credential itself doesn’t have a ton of value (opening windows apps) but the browser cookie jar (e..g Edge or Chrome) , which the Credential unlocks, has tremendous value — and threats.

The core problem is lack of granularity in permissions. If you allow the agent to do browser activities as your user, you can’t control which cookie / scope it will take action on.

You might say “buy me chips” and it instead logs into your Fidelity account and buys $100k worth of stock.

Let’s see how they figure out the authorization model.