Microsoft used Build 2026 to detail an ambitious agent AI stack that weaves together custom silicon, a revamped Azure AI Foundry, and deep integration with Windows security subsystems. The two-day event, held June 2–3 at Fort Mason Center in San Francisco and streamed globally, marked the company’s most concrete push yet toward what CEO Satya Nadella called “agent-native computing.”

Central to the vision is a new control plane that sits above Azure’s infrastructure, orchestrating AI agents across cloud, edge, and local Windows devices. The architecture signals a departure from previous AI toolchains, which often left the operating system as an afterthought. With Windows 11 version 26H2 now shipping on over a billion devices, Microsoft is leveraging that footprint to make agentic workloads behave like native OS services—secure, sandboxed, and context-aware.

The three-layer agent architecture

Microsoft’s agent AI stack breaks into three layers: hardware models, the Azure AI Foundry platform, and a set of operating system primitives collectively called the Agent Control Plane. Each layer received product updates at Build.

Layer 1: silicon and models

The foundation rests on new in-house models—dubbed Project Prometheus 2—trained on synthetic data optimized for task decomposition. These models are compact enough to run on the Neural Processing Units (NPUs) shipping in all Copilot+ PCs, yet they scale to cluster-level inference when needed. Microsoft confirmed that a quantized 2.5-billion-parameter variant ships with Windows 11 26H2 as an inbox component, enabling offline agent execution for common productivity scripts.

On the silicon side, the company announced Azure’s first custom accelerator designed specifically for agent orchestration, codenamed Maia-2. The chip enters private preview later this year, with general availability tied to a new instance family that pairs Maia-2 with AMD’s EPYC Turin processors. Early benchmarks shown during the keynote suggest a 40% reduction in tail latency for multi-agent coordination workloads compared to GPU-only configurations.

Layer 2: Azure AI Foundry

Azure AI Foundry, the successor to Azure Machine Learning and AI Studio, now serves as the unified development environment for agentic applications. Two features dominated Build sessions.

First, Agent Mesh is a managed service that handles service discovery, load balancing, and policy enforcement for fleets of agents. Developers define agent contracts in a declarative YAML schema, and Agent Mesh automatically scales them across regions while maintaining session state. This solves a real problem enterprise developers have faced: chaining agents often meant manually managing HTTP endpoints and sticky sessions. With Agent Mesh, a retailer can spin up hundreds of inventory-checking agents during Black Friday without writing custom orchestration code.

Second, Trustworthy AI Governance is now embedded at the Foundry tier. Every agent deployment is scored against Microsoft’s Responsible AI framework in real time, with drift detection that can automatically roll back models when factual accuracy drops. During a demo, a customer service agent hallucinated a refund policy; the governance module flagged the response within 200 milliseconds, blocked it, and fell back to a rule-based system. This kind of guardrail, built into the platform rather than bolted on, is what Nadella calls “safety by default.”

Layer 3: the Agent Control Plane

The third layer, and the one most relevant to Windows news readers, is the Agent Control Plane. It bridges the gap between cloud-hosted AI and the local operating system. Scott Guthrie, EVP of Cloud + AI, demonstrated an agent seamlessly moving from a cloud VM to a user’s laptop, inheriting the device’s security context without re-authentication.

Technically, the control plane comprises three components.

  • Windows Agent Runtime (WAR): A new subsystem that runs alongside the traditional Win32 and UWP layers. WAR agents access a hardened set of APIs—file system, clipboard, network—only through explicit user consent models that mirror the existing Windows permission framework. During Build, a Microsoft engineer showed a provisioning agent that could install a company’s standard app suite on a new machine, then delete its own runtime to leave no footprint.
  • Identity Mesh: A federated identity layer that ties Azure Active Directory, Windows Hello, and hardware-backed credentials into a single token that agents can carry across environments. This means an agent performing a database query from a developer’s phone has the same least-privilege access as when it runs on a secure workstation.
  • Local Inference Bus: A low-latency message queue that allows agents running on different cores—CPU, GPU, NPU—to share context without polling. The bus is backed by a shared memory region encrypted with Device Encryption keys, so even other processes owned by the user cannot snoop on agent conversations.

Windows security becomes agent-aware

Microsoft’s decision to bake agent runtime directly into Windows reflects a deliberate security strategy. The operating system already isolates processes via virtualization-based security (VBS) and Hypervisor-Enforced Code Integrity (HVCI). The Agent Control Plane extends these protections to AI workloads.

For example, the new Agent Sandbox mode launches each agent inside a lightweight Hyper-V container with a dedicated virtual TPM. If an agent tries to exfiltrate data through a side channel—say, by manipulating the clipboard in a loop—Windows Defender’s behavioral monitoring detects the anomaly and suspends the container. Security researchers at Build validated the approach by running a modified version of the notorious Emotet trojan wrapped as an agent; the sandbox prevented lateral movement and killed the container in under two seconds.

For enterprises, this means agents can operate on endpoints without the constant fear of supply-chain compromise. Because the runtime is an inbox feature of Windows 11 26H2, group policies and Microsoft Intune can manage agent permissions with the same granularity as app control policies. Admins can, for instance, allow a CRM agent to read the user’s contacts but block any attempt to write to disk.

Developer tooling: from VS Code to production

Build 2026 also delivered tangible improvements for the developers who will actually build these agents. Visual Studio 2026 (preview) introduces a new project template called “Agent Worker,” which scaffolds a WAR-compliant agent in C#, Python, or Rust. The template generates a manifest file declaring required capabilities—network, microphone, location—and a digital signature embedded at compile time. The manifest is then registered with the Agent Mesh control plane during deployment, creating a chain of trust from IDE to production.

On the command-line side, the Azure Developer CLI (azd) now includes azd agent init and azd agent deploy commands that package code, dependencies, and the manifest into a container image optimized for the Maia-2 accelerator. A live demo showed a developer deploying a travel-booking agent across three regions in under four minutes, with observability data streaming into Azure Monitor’s new Agent Dashboard.

The dashboard provides a real-time map of agent-to-agent communication, highlighting bottlenecks and security events. In one eye-opening metric, the Microsoft IT team shared that their own internal helpdesk agents—which now run on the Agent Control Plane—handle 72% of tier‑1 support tickets without human escalation, reducing average resolution time from three hours to nine minutes.

Competitive reactions and open questions

Microsoft’s control plane approach is not without critics. Competitors like Apple, which recently debuted its own on-device agent framework for macOS and iOS, argue that a cloud-dependent control plane introduces latency and privacy risks. Google’s Project Oscar similarly emphasizes on-device orchestration with federated learning. Build attendees questioned whether Microsoft’s vision locks enterprises deeper into Azure, given that the Agent Mesh and governance features are tightly coupled to the Azure fabric.

Chris Young, Microsoft’s head of business development, addressed the lock-in concern directly: “The Agent Control Plane APIs are built on open specifications. Any cloud provider could implement them. We’ve published the interface definitions under a Creative Commons license.” Whether Amazon or Google will adopt those specs remains an open question.

Pricing was another hot topic. The in-house models running locally on NPUs carry no additional cost, but Agent Mesh is consumption-based, charged per agent-hour with a premium for the governance layer. Early adopters in the Microsoft 365 E5 tier will receive 10,000 agent-hours per month at no extra charge until December 2026, after which they will need to purchase a new “Intelligent Edge” add-on.

What it means for Windows users

For the average Windows user, the most visible change will be a new “Agent” icon in the system tray, arriving with the Windows 11 October 2025 update. Clicking it opens a curated store where users can install agents validated by Microsoft’s SmartScreen technology. Early listings include a meeting summarizer from Teams, a code reviewer from GitHub, and a travel planner from Expedia—all running inside the Agent Sandbox.

Power users will notice that the Task Manager now includes an “Agent” tab that shows per-agent resource consumption, network calls, and permission activity. Process Explorer gets a similar upgrade, allowing sysadmins to suspend individual agents with a right-click.

Under the hood, the Local Inference Bus handles millions of inter-agent messages per second during heavy workloads. A Microsoft engineer described a scenario where 40 agents collaborate to generate a financial report, with some running on the NPU for speech processing and others on the GPU for data visualization. The communication overhead is so low that the report finishes in 18 seconds—a task that previously took a dedicated cloud instance several minutes.

The road ahead

Build 2026 closed with a roadmap detailing the next phases. Private preview of the Agent Control Plane starts in July for Windows Insiders on the Dev Channel, with broader availability in the October update. Azure AI Foundry’s Agent Mesh will reach general availability in September, and Maia-2 instances will be bookable through the Azure portal starting November.

Nadella’s closing keynote struck a tone of urgency: “Every company will become an agent company. The only question is whether you’ll build on a stack that protects your data, respects your users’ privacy, and scales with the discipline of an operating system—or bolt agents onto insecure containers and hope for the best.”

For Windows enthusiasts, the message is clear: the fight for agent dominance begins at the kernel level. And Microsoft just shipped its first full arsenal.