Microsoft Copilot Researcher with Computer Use: AI That Actively Performs UI Tasks

Microsoft has quietly moved Copilot from being a research assistant to an active operator: the Researcher agent in Microsoft 365 Copilot can now spin up a temporary, sandboxed cloud PC to use a computer on your behalf — opening browsers, entering credentials via a secure handover, clicking buttons, running terminal commands and even executing short code — all while providing a visible “chain of thought” so humans can watch, pause, or take control. This capability, marketed internally and in press as Computer Use, is rolling out to preview customers and signals a deliberate shift toward agentic automation that blends deep reasoning with real-world action.

Background / Overview​

Microsoft’s Copilot program has been moving beyond simple chat-based assistance for some time. The introduction of specialized agents — notably Researcher and Analyst — reframed Copilot as a platform for multi‑step reasoning across tenant data, third‑party connectors and the web. Where earlier versions could synthesize information and produce drafts or briefings, agents like Researcher were still limited by the classic problem: if the information sits behind an interactive user interface or a paywall with no API, the agent could describe the steps but not execute them. Microsoft’s Computer Use addresses that gap by giving the agent a temporary, controlled execution environment in which it can perform UI‑level interactions and short command‑line tasks.
The Computer Use capability appears in two related places in Microsoft’s product family:

• Copilot Studio — the low‑code/no‑code authoring surface where organizations build custom agents — received an explicit Computer Use tool preview in April 2025 that lets agents treat GUIs as programmatic tools. Microsoft documented the feature and positioned it as a research preview for makers.
• Microsoft 365 Copilot’s Researcher agent has been updated to leverage a similar sandboxed runtime so deep research tasks that require signing into websites, downloading datasets, or testing code can be performed end‑to‑end inside an ephemeral VM. Early access for Copilot‑licensed customers is managed through Microsoft’s Frontier / preview channels.

Together these moves mark a strategic redefinition: Copilot now aims to be not just an answer engine but a capability to act where human-like interaction with interfaces is necessary.

---

How “Computer Use” actually works​

The sandboxed runtime: a temporary Windows 365-powered machine​

When Researcher decides a task requires interaction with a live UI or code execution, Copilot provisions an ephemeral virtual machine (VM) hosted in Microsoft’s cloud (built on Windows 365 infrastructure in current documentation). That VM is isolated from the user’s local device and, by default, from the organization’s internal networks and tenant data. The VM includes:

• A visual browser (UI session) the agent can operate for clicking, form-filling and navigation.
• A text browser / extraction tool for faster text scraping when pixel‑accurate navigation is unnecessary.
• A command‑line terminal where the agent can safely run short scripts, use Python to extract and transform downloaded datasets, or test generated code.

The session is ephemeral by design: the VM and most of its state are discarded when the run ends unless enterprise policy explicitly retains artifacts for debugging or audit.

Virtual input + textual control channel​

The agent issues UI actions through a virtual input layer — simulated mouse movements, clicks, keystrokes — orchestrated from a textual control channel that records the agent’s plan and actions. The UI surfaces screenshots and terminal output as a running “visual chain of thought,” letting users observe each step in near real time and intervene if required. Users can pause, cancel, or take over the session manually.

Authentication and secure handover​

To protect credentials, Microsoft avoids transferring user passwords into the agent runtime. When a sign‑in is necessary, the agent pauses and requests the user to enter credentials into the sandbox browser via a secure screen‑sharing or secure entry flow — meaning the agent can’t directly read or retain the password. Administrators can also configure centralized credential vaulting for approved service accounts where appropriate.

Safety checks and network filtering​

All outbound traffic from the sandbox is routed through Microsoft-managed proxies and safety classifiers. These classifiers attempt to ensure that web requests are relevant to the task and block obvious jailbreak or cross‑site attack patterns. Administrators get allow/deny lists for domains, and default policies disable access to internal tenant data during Computer Use runs unless explicitly enabled.

---

What Microsoft says the tool is for (use cases)​

Microsoft and independent reporting highlight enterprise scenarios where the agentic sandbox creates real value:

• Automated market research that must access subscription reports behind paywalls or interactive dashboards.
• Data extraction: log in, download CSVs from a customer portal, run a short Python extraction pipeline in the sandbox, and return cleaned results.
• Legacy system automation: fill multi‑page forms in older enterprise web apps that have no API, or push data into on‑prem systems via UI automation.
• Safe code testing: validate snippets or execute small scripts in an isolated environment before handing results back to the user.

These are the kinds of tasks where the agent’s ability to act — not just explain — materially shortens turnaround and reduces manual toil.

---

Benchmarks, claims and a careful reading of the numbers​

Microsoft and vendors are increasingly using public agent benchmarks to demonstrate progress: BrowseComp (a 1,266‑question benchmark designed to stress browsing agents) and GAIA (a multi‑step assistant benchmark) are two widely cited suites that measure skills such as persistent web navigation, tool orchestration, file handling and multimodal reasoning. The academic BrowseComp paper and GAIA research papers define evaluation protocols used by many teams.
Several press write‑ups covering the Researcher upgrade reported concrete gains: one article stated Researcher with Computer Use performed “44% better” on BrowseComp and had a “6% improvement” on GAIA compared with the prior Researcher. Those figures appeared in industry reporting and press summaries but are not reproduced as explicit topline metrics in Microsoft’s primary Copilot Studio or Microsoft 365 Copilot release notes that are publicly available today; treat them as press‑reported improvements pending independent, repeatable evaluation. In short: the direction of improvement is credible — Computer Use ought to help browsing‑heavy tasks — but the precise percentages are currently press‑reported and should be interpreted with caution until corroborated by either Microsoft’s detailed benchmark disclosures or independent evaluations.

---

Enterprise‑grade security and governance — what’s built in, what remains operator responsibility​

Microsoft framed Computer Use with enterprise controls from the outset. The key protections include:

• Isolation: runs occur in ephemeral, tenant‑bounded VMs removed from a user’s device and, by default, from corporate data stores.
• Credential safety: credentials are not passed to models; secure interactive entry or enterprise vaults are used for authenticated tasks.
• Allow‑lists and admin controls: admins can enable the feature for specific security groups and create domain allow/deny lists for agent interactions.
• Proxying and safety classifiers: outbound network traffic is filtered and analyzed to reduce the risk of malicious activity or unintended data exfiltration.
• Visual auditing: the “visual chain of thought” — periodic screenshots and terminal logs — is captured so humans can see exact agent behavior.

But the design introduces new risk vectors that organizations must manage:

• Sandbox escape remains a theoretical threat; the virtualization and browser stacks are additional attack surfaces that must be patched and monitored.
• Credential entry via secure handover is safer than giving passwords to a model, but social‑engineering or misconfigured flows could still create exposure.
• Automation fragility: UI automation is brittle; site layout changes may cause incorrect actions (for example, submitting the wrong form). Robust testing and explicit fail‑safes are essential.
• Data governance: connectors, memory, or misconfigured retention policies could cause sandbox outputs to be persisted into tenant stores inadvertently. Administrators must validate retention, eDiscovery and DLP settings.

---

Practical rollout checklist for IT and security teams​

• Start small: pilot Computer Use only with a limited user group and low‑sensitivity tasks.
• Configure allow‑lists and per‑tenant policies before enabling the feature broadly.
• Require audited service accounts and MFA for any credentials used in agent runs.
• Integrate sandbox session artifacts (screenshots, command logs) into existing SIEMs and auditing pipelines.
• Test automations in staging with representative UI changes to detect brittle flows.
• Educate users: show them how to observe the chain of thought, take control, and verify outputs before acting on them.

This type of staged rollout reduces the likelihood of accidental exposure and helps build internal runbooks for remediation.

---

Competition, multi‑model strategy and ecosystem implications​

Computer‑level UI automation is no longer unique to Microsoft. Anthropic, OpenAI and others introduced similar “computer use” or operator runtimes in 2024–2025. Microsoft’s competitive edge is its ability to stitch these runtime capabilities into a widely deployed enterprise stack — Windows, Edge, Microsoft 365 connectors, and tenant governance — and to offer model diversity: Microsoft is routing some Researcher workloads to Anthropic’s Claude models while continuing to use OpenAI and Microsoft-backed models where appropriate. That multi‑model strategy aims to let organizations pick the model family that best suits a task — for example, favoring Claude for certain long‑context or polishing jobs while using other models for speed or cost.
For vendors and tool builders this shift matters: agentic automation layers reduce the friction for integrating legacy systems and raise the bar for tools that expose robust, API‑first integrations. For enterprises, it means a future where AI can both research and operationalize results without human handoffs — provided governance and testing are rigorous.

---

Strengths and strategic upside​

• Practical problem solving: Computer Use directly fixes a key limitation for deep research agents — the inability to act in interactive UIs. That reduces manual steps for high‑value workflows.
• Auditability and transparency: the visible chain of thought is a meaningful step beyond opaque background automation; it gives humans real oversight.
• Safer code testing: ephemeral VMs let agents run and verify short scripts without putting host systems at risk.
• Integration with enterprise governance: admin controls, allow‑lists and proxying make the feature deployable in regulated environments where simple consumer agents would be insufficient.

---

Risks and open questions​

• Reliability at scale: UI automation can be fragile; significant effort in testing and failure handling is required to avoid costly mistakes.
• Security surface expansion: virtualization and browser engines run in Microsoft cloud; customers must trust the vendor’s patching cadence and incident response for those runtimes.
• Benchmark transparency: press‑reported percentage gains (for example, the BrowseComp/GAIA numbers) need independent verification. Public documentation does not yet provide a full, reproducible evaluation methodology for the Researcher + Computer Use combination. Treat press numbers as indicative but provisional.
• Operational cost: running ephemeral cloud VMs for many users or long workflows can be costly; organizations should model consumption and tag runs to control spend.

---

What reviewers and early coverage highlight​

Early reporting and hands‑on previews consistently emphasize Microsoft’s focus on governance and visibility — the UI for watching agents run, per‑action confirmations and admin allow‑lists stand out across reviews as deliberate countermeasures to common safety complaints about autonomous agents. Press pieces also stress that while Microsoft aims to keep enterprise data within Microsoft Cloud boundaries and not to use it to train core models, independent audits and tenant‑level controls will determine how comfortable large regulated customers are with the feature in practice.

---

Bottom line: what this means for Windows and Copilot users​

Microsoft’s Researcher agent with Computer Use is a practical, enterprise‑oriented step toward agentic automation: it brings the ability to do routine, multi‑step research and data extraction while preserving visibility and admin controls that most enterprises need. That makes Copilot a more powerful productivity layer — one that can cross the last mile to interactive UIs and legacy systems. At the same time, the introduction of a cloud‑hosted VM runtime raises new operational responsibilities for IT and security teams: sandbox hygiene, credential safety, allow‑list configuration and cost control will determine whether Computer Use becomes a productivity multiplier or a governance headache.
Reported benchmark gains are promising and consistent with the expected advantage of adding real UI control, but the exact numbers circulating in the press should be considered provisional until they’re reproduced or published in vendor or independent benchmark reports. For organizations planning pilots, the sensible path is controlled experiments, conservative policies, and integration of session logs and audits into existing security telemetry.

---

In the hands of careful teams, Researcher with Computer Use can convert hours of tedious, UI‑bound research into minutes of auditable, agent‑driven work; in the hands of the inattentive, it expands an enterprise’s automation surface without sufficient guardrails. The difference will be how thoroughly organizations treat the new runtime not as a convenience toggle but as a new, mission‑critical component of their security and compliance stack.

---

Source: WinBuzzer Microsoft Supercharges Copilot’s Researcher Agent with ‘Computer Use’ to Automate Web Tasks - WinBuzzer