Microsoft used Build 2026 in San Francisco on June 2–3 to pitch a developer platform built around enterprise-aware AI agents, new Microsoft IQ context layers, in-house MAI models, Windows-based agent runtime infrastructure, and deeper Copilot integration through Project Foundry. The message to the 5,000 in-person attendees and millions watching online was unequivocal: Windows is no longer just an operating system for people, it’s becoming the execution environment for AI agents that span corporate data, the web, and the physical world.

Satya Nadella’s keynote avoided flashy demos of consumer chatbots. Instead, he demonstrated an end‑to‑end workflow in which a procurement agent built with Microsoft’s toolchain negotiated a supply contract, rewrote clauses to comply with a legal playbook stored in SharePoint, and submitted the final PDF to a third-party ERP — all inside a secured Windows enclave on an admin‑less Azure VM. “We’re not just building an AI assistant that appends text to a document,” Nadella said. “We’re giving developers an industrial‑strength agent platform that respects enterprise governance, operates with persistent context, and runs wherever Windows runs.”

The cornerstone of the new platform is Microsoft IQ, a context‑layering layer that decouples an agent’s long‑term memory from any single model or session. Microsoft IQ maintains a cryptographically signed record of every action an agent takes, the data sources it consulted, and the permissions it used. Developers can connect IQ to on‑prem SQL Server instances, Fabric lakehouses, or third‑party connectors via Graph APIs. In the demo, an HR agent used IQ to recall a previous decision about a candidate from three months ago and automatically incorporate it into a new ranking, avoiding the cold‑start problem that plagues prompt‑based agents. Mike Davidson, CVP of Windows Agent Platform, called IQ “a transactional memory system for AI — think of it as NTFS for context.”

The platform relies on a new family of in‑house models branded MAI (Microsoft Agent Intelligence). MAI models come in three sizes: MAI‑Nano (1.8B parameters, runs locally on Windows 11 SE and IoT), MAI‑Core (7B parameters, optimized for GPU‑less server fleets), and MAI‑Pro (70B parameters, available through Azure-hosted endpoints). Unlike the GPT‑based Copilot assistant, MAI models are trained explicitly on enterprise process data — contract approvals, expense‑report parsing, IT ticket triage — and are fine‑tuned for each customer using a new feature called Agent LoRA, which creates lightweight adapters inside the customer’s own tenant. Microsoft claims MAI‑Nano can adjudicate a standard expense report in under 800 ms on a Surface Laptop 6, consuming less than 3 W of power.

Project Foundry is the unified tooling layer. Built on Visual Studio 2025 Update 2, Foundry provides a drag‑and‑drop canvas for designing agent workflows, a YAML‑based declarative manifest format (.agent manifest), and a local emulator that simulates up to 50 concurrent agents on a Windows Dev Kit 2026. Developers can debug an agent’s reasoning chain step by step — including which IQ records it fetched and why — using a new feature called Reason Trace that presents a timeline view akin to distributed tracing tools. The manifest includes a security section that declares the agent’s identity (backed by Entra ID), the Windows security scope (e.g., “can read files in %LOCALAPPDATA%\AcmeCorp\data”), and a data‑loss‑prevention rule set that Windows applies transparently.

Windows itself is being refactored to host agents as first‑class citizens. The Windows Agent Runtime, available in Windows 11 version 24H2 build 26100.712 (KB5037850) and later, introduces a new process isolation boundary called a Trustlet. A Trustlet is a lightweight VM‑based container that hosts the agent’s MAI model and its IQ context store. Trustlets are enforced by Hyper‑V protections even on devices without a TPM 2.0 chip, though a TPM is required for full production, hardware‑backed attestation. The runtime manages local models through Windows Machine Learning (WinML) 2.0, which now supports 4‑bit and 8‑bit quantized models and can switch between CPU, NPU, and discrete GPU on the fly without restarting the agent. In a benchmark shown at Build, a Trustlet‑backed MAI‑Nano agent sustained 99.5% uptime over a 30‑day edge deployment in a factory‑floor scenario.

The integration with Copilot is profound but understated. Copilot itself will eventually be re‑architected to run as an agent, using the same manifests and runtime. For now, businesses can publish agents from Foundry to Microsoft 365 Copilot Chat, Teams, and Outlook, where they appear as shareable extensions. A new Agent Card UX element shows the agent’s identity, its authorized data sources, and its recent actions, giving end users visibility that today’s chatbots lack. In a side session, a program manager demonstrated a Logistics Agent that, when @mentioned in a Teams channel, pulled live shipment data from SAP, detected a delay, rescheduled a delivery via a REST API, and posted the updated ETA along with a confidence score — all within the channel thread, with full evidence provenance stored in IQ.

Security and governance were called out as existential prerequisites. John Lambert, Microsoft’s Deputy CISO, walked the auditorium through the AI Security Boundary model, a new defense‑in‑depth framework that isolates agents at the hardware (Trustlet), OS (Windows Defender Application Control for agents), data (Purview auto‑labeling), and identity (Entra ID Conditional Access with agent‑specific policies) layers. He revealed that the agent runtime would ship with a strict “deny by default” policy; an agent cannot even access its own IQ database until an admin grants the Agent Operator role in Entra. All agent‑to‑agent communication is forced over HTTPS with mutual TLS using machine‑bound certificates, preventing lateral movement. “We’ve seen what happens when a prompt‑injection attack convinces a chatbot to email the entire directory,” Lambert said. “That’s not going to happen on our watch.”

The developer community’s reaction was cautiously optimistic. In hallway chatter and on the Windows Forum (windowsforum.com), excited developers swapped praise for the local emulator and Trustlet performance but questioned the lock‑in effect of MAI models versus an open pluggable model architecture. “Foundry looks slick, but if I can’t swap in a Llama‑4 model without rewriting my manifest, is this really a platform or just a product?” wrote user ‘DevOpsNate’, whose Build thread gathered over 200 replies. Microsoft attempted to address this by announcing the Agent Model Interface (AMI), a standard that will allow any model that conforms to the AMI specification to run in a Trustlet. A preview of AMI is scheduled for Q1 2027, with Llama and Claude adapters promised. Until then, MAI models are mandatory.

Pricing remains a sticking point. Microsoft will charge \$0.15 per agent hour for a Trustlet when running on Windows 11 Pro or Enterprise, with a discounted \$0.05 rate if the device uses an Azure‑managed identity. That amounts to roughly \$108 per agent per month for a continuously running agent. Analysts from Gartner and Forrester who were briefed ahead of Build called the pricing “aggressive but not unreasonable” for enterprises that can replace back‑office headcount, but they warned that small businesses might balk. A spokesperson for Microsoft confirmed that a limited free tier for up to two agents and 500 IQ transactions per month would be available for MSDN subscribers.

A series of breakout sessions filled in the technical details. In “Building Agents with Foundry,” Scott Hanselman and Maria Choi live‑coded an agent that monitors Windows event logs for disk‑failure predictions, uses IQ to correlate a failing drive with a purchase order from 18 months ago, and files a warranty claim via ServiceNow — all in under 300 lines of YAML and C#. The session “MAI Under the Hood” revealed that MAI models are trained on a mixture of synthetic process data generated by Azure LLMs, anonymized telemetry from Microsoft 365 apps (opt‑in only), and web scrape data that has been scrubbed of PII using a new tool called Purview AI Data Prep. The audience applauded when a slide showed that the MAI‑Nano model achieved a 96% accuracy on a SQL‑generation benchmark while using one‑tenth the memory of the previous Phi‑3 model.

Enterprise early adopters shared results during a customer panel. A representative from Accenture described a deployment in which 15,000 contract‑review agents, each in its own Trustlet, processed 2 million vendor agreements in a weekend, a task that previously required 800 temporary workers over three months. A director of IT from the State of Illinois said the agency is prototyping a constituent‑service agent that can pull data from four different agency databases, cross‑reference a citizen’s request with eligibility rules, and draft a response — all while maintaining a complete IQ audit trail that satisfies the state’s FOIA requirements. Questions from the audience, however, homed in on whether the audit logs themselves could be tampered with. The answer: IQ uses a confidential‑computing enclave for its ledger, and any attempt to alter a logged record would be mathematically detectable.

Looking ahead, the roadmap sketched at the event is ambitious. Foundry 2.0, tentatively targeting mid‑2027, will add visual agent orchestration for multi‑agent swarms, allowing an overseer agent to delegate tasks to specialized agents and adjudicate conflicts. A private preview of Windows Agent Mesh will allow agents to communicate across device boundaries using Nomad‑style peer‑to‑peer connections, with secure relay through Azure Communication Services when firewalls block direct links. On the model side, a MAI‑Ultra model (140B parameters) is in early testing for scenarios like M&A due diligence that require days‑long reasoning loops. And in a quiet but potentially transformative move, the team showed a slide about Agent Shell, a mode in Windows Terminal where you can ".run agent://procurement/renegotiate" as easily as you run a command today.

The overall direction is unmistakable: Microsoft is betting that the post‑copilot era belongs to autonomous agents, not conversational assistants. By anchoring those agents in the Windows kernel, with hardware‑backed isolation and a cryptographically verifiable memory, the company is trying to build a moat that no browser‑based agent platform can cross. Developers who attended Build 2026 left with a preview SDK and a hard question for their own organizations: “Do we trust an agent with our business logic, and if not, what exactly are we waiting for?”