Microsoft has issued a security warning about Windows 11’s upcoming agentic AI features, telling users to avoid enabling the setting unless they fully understand the risks involved. The company says the capability will remain off by default due to the potential for unintended actions, including malware installation.
The alert comes as Microsoft prepares to roll out early builds of agentic features to Windows Insiders. The technology allows AI agents to operate on behalf of users inside a dedicated workspace with access to apps, files, and system tools. Microsoft has been outlining its long-term plan to evolve Windows 11 into an AI-forward operating system, but concerns about security have grown as the company reveals more about how these agents will function.
According to documentation first highlighted by Windows Central, Microsoft says enabling the feature creates local agent accounts with limited access to a user’s profile directory. These agents can read and write to the Documents, Downloads, Desktop, Videos, Pictures, and Music folders when the toggle is turned on. The company notes that the setting can only be enabled by an administrator, and once activated, it applies to all accounts on the device.
Microsoft outlines new security risks tied to AI agents
In its support notes, Microsoft warns that agentic AI introduces “novel security risks,” including the possibility of cross-prompt injection. This occurs when malicious text or embedded content overrides an AI agent’s instructions, potentially leading to harmful actions like data extraction or installing malware.
The company says it is building safeguards to monitor agent behavior. Windows will require agent actions to be observable, logged, and verified through an audit system designed to flag unexpected activity. Human approval is also required when agents attempt higher-risk operations.
Microsoft confirmed that preview builds supporting the feature began rolling out this week, though no AI apps can use it yet. Copilot is expected to become one of the first tools capable of running inside the new agentic workspace, with other developers likely to follow once the system matures.
