We’re excited to welcome Moonshot AI’s Kimi K2.6 to Microsoft Foundry expanding the platform’s growing catalog of open and frontier models designed for real-world, production-grade AI systems.

Kimi K2.6 represents a new class of agentic, multimodal models built for long-horizon reasoning, coding, and autonomous execution—bringing developers closer to fully self-directed AI systems that can plan, act, and deliver outcomes end-to-end.

Why Kimi K2.6 matters

According to Moonshot AI, K2.6 is a native multimodal agentic model that advances capabilities in long-horizon coding, autonomous execution, and multi-agent orchestration.

This means developers can go beyond prompts and build systems where AI:

• Plans and executes multi-step workflows
• Writes, debugs, and refactors large codebases
• Generates full applications—from UI to backend
• Orchestrates multiple sub-agents to solve complex problems

What differentiates Kimi K2.6 is its focus on agentic intelligence at scale.

Unlike traditional models optimized for single responses, K2.6 is designed to:

• Handle long-running tasks across hundreds of steps
• Coordinate parallel sub-agents (“agent swarms”)
• Combine reasoning with tool use and execution
• Deliver complete outputs—documents, apps, workflows—in a single run

This aligns with the broader industry shift toward AI agents that operate more like systems than tools.

Built for developers: Coding, reasoning, and beyond

Kimi K2.6 builds on the Kimi K2 family, which introduced large-scale Mixture-of-Experts (MoE) architectures with up to 1 trillion parameters, optimized for reasoning, coding, and agent workflows.

With K2.6, those capabilities are extended further:

• Deeper reasoning and planning for complex, multi-file coding tasks
• Improved agent orchestration, enabling cleaner task decomposition
• Stronger tool-use reliability across multi-step workflows
• Multimodal inputs, combining text and visual understanding

The result is a model that is particularly well-suited for:

• Developer copilots and coding agents
• Document and knowledge workflows
• Autonomous research and analysis pipelines
• End-to-end application generation

Open models meet enterprise-grade infrastructure

Kimi K2.6 is part of a growing trend toward open, high-performance models that give developers flexibility without sacrificing capability.

In Microsoft Foundry, you can combine this openness with enterprise-grade features:

• Unified API and SDKs across models
• Model evaluation and observability tools
• Built-in safety and governance controls
• Flexible deployment options (global, regional, data zones)
• Integration with agent frameworks and orchestration tools

This means you can experiment with Kimi K2.6 and seamlessly move to production—without re-architecting your stack.

Pricing 

Getting started

Kimi K2.6 is now available in Microsoft Foundry.

You can:

• Explore the model in the Foundry catalog
• Benchmark it against other models using built-in evaluations
• Integrate it into your applications using the Foundry SDK

 

As AI becomes part of everyday work, it’s more important than ever to clearly indicate when content has been generated or altered using AI. To help support transparency and responsible use, Microsoft 365 now includes watermarking options for AI‑generated content, giving organizations and individuals clearer signals about AI involvement while maintaining flexibility and control.

Whether you’re an IT admin, an information worker, or a consumer using Microsoft 365 at home, here’s what you need to know.

Why watermarks for AI‑generated content matter

AI can help people create faster and more confidently, but transparency builds trust. Watermarks help provide a visible or audible signal when content has been generated or modified using AI in Microsoft 365, supporting responsible sharing and clearer communication.

Even when watermarks aren’t visible, Microsoft 365 also adds AI‑related metadata to generated or altered content to help provide additional context about how that content was created. 

How watermarks work in Microsoft 365

Watermark behavior varies slightly depending on the type of content and account type, but the goal is consistent: make AI‑generated content easier to identify.

At Work

Video and audio content (admin‑controlled)

For video and audio content generated or altered using AI in Microsoft 365, organizations can enable the Include a watermark when content from Microsoft 365 is generated or altered by AI policy that adds:

• Visual watermarks to AI‑generated videos (for example, videos created with Clipchamp)

 

 

• Audible watermarks to AI‑generated audio (such as audio overviews created with Copilot)

Images (user-controlled)

Images follow a slightly different model. Instead of an admin policy, individuals in your organization can choose whether to add watermarks to AI‑generated images. When turned on, the Show watermark toggle in Settings & Privacy adds a watermark to new AI‑generated images or existing images that are altered using AI.  

At home

AI-generated images, videos, and audio can include watermarks to indicate AI involvement, along with embedded metadata for additional context.

By default, the Include a watermark when content from Microsoft 365 is AI-generated control toggle is off. To turn it on:

1. Sign in to the Microsoft privacy dashboard with your Microsoft account.
2. In the dashboard, go Privacy > Empower your productivity > Copilot.
3. Turn on the toggle under Include a watermark when content from Microsoft 365 is AI-generated.

Additional resources

• For IT Admins: Add watermarks to content generated or altered by using AI in Microsoft 365 
• At school or at work: Watermarks on content generated or altered by using AI in Microsoft 365
• At home: Include a watermark when content from Microsoft 365 is AI-generated  

Feedback

Microsoft is committed to continue to evolve these features and offerings as we learn from you, our customers.

We’d love to hear from you and get your feedback about this capability. Please share your thoughts by:

• Selecting Help> Feedback in your favorite app or service.
• Signing in with your Tech Community profile and leaving a comment on this blog post.

 

Learn about the Microsoft 365 Insider program and sign up for the Microsoft 365 Insider newsletter to get the latest information about Insider features in your inbox once a month!

In Diablo IV, the Skill Tree system gives players the ability to pick a skill and choose an upgrade to get stronger. Now, that tree has evolved to support more player choices. These new branches don’t just make skills stronger – they make them different. “If you’re newer to Diablo IV, the system is more approachable than it looks. Click a node, try it out, and see how it grows. For the more veteran adventurers, theorycrafting just got deeper,” writes Blizzard’s Chelsea Leah. Find out more about this at Xbox Wire.

Windows App Development CLI v0.3 is here! This release brings some of our best features yet including a full run-and-debug experience outside Visual Studio and built-in UI Automation from the command line.

With v0.3, we’ve unlocked a whole class of agentic and automation scenarios. Agents or a script can now run, debug, see, and interact with a running Windows app — not just build it.

Whether you’re building with WinUI, WPF, WinForms, C++, Electron, Rust, Tauri, Flutter, or Avalonia — the Windows App Development CLI is for you. It provides the tooling to package, run, add Windows App SDK support, and more to any Windows desktop app. And for .NET developers in particular, this release makes things even smoother with a new NuGet package that brings dotnet run support for packaged apps right out of the box.

Get the update by running winget install Microsoft.WinAppCli or check the repo for other install options.

Let’s dive in!

winapp run: The Visual Studio F5 experience, anywhere

Think of winapp run as Visual Studio’s F5 — but from the command line, and for any packaged app. Give it an unpackaged app folder and a manifest, and it handles the rest: registers a loose package, launches your app, and preserves your LocalState across re-deploys.

# Build your app, then run it as a packaged app
winapp run ./bin/Debug

It works across the full range of app types we support and comes with a set of modes designed for developers or automated workflows:

• --detach: Launch the app and return control to the terminal immediately. Great for CI/automation pipelines where you need the app running but don’t want to block.
• --unregister-on-exit: Automatically cleans up the registered package when the app closes. Perfect for clean test runs where you don’t want leftover state.
• --debug-output: Captures OutputDebugString messages and exceptions in real time. When a crash occurs, a minidump is automatically captured and analyzed in-process. Managed (.NET) crashes are triaged via ClrMD; native (C++/WinRT) crashes are analyzed via DbgEng. Add --symbols to download PDBs from the Microsoft Symbol Server for full function names in native stacks.

Whether you’re a developer iterating locally or an agent running end-to-end validation, winapp run gives you a single command to go from build output to a running, debuggable packaged app.

See full usage instructions for winapp run at WinApp CLI Run Command.

New NuGet package: Microsoft.Windows.SDK.BuildTools.WinApp

We’re introducing a new NuGet package that enables dotnet run to launch packaged .NET apps. It works with WinUI, WPF, WinForms, Console, Avalonia, and more.

With Microsoft.Windows.SDK.BuildTools.WinApp configured, dotnet run can handle the entire inner loop: it can build your app, prepare a loose-layout package, register it with Windows, and launch — all in one step. No extra commands, no manual registration. Just dotnet run.

Install it directly via NuGet or let winapp init set it up for you (which also ensures your .csproj has all the right properties):

# Option 1: Let winapp init do the work
winapp init
# Option 2: Install the NuGet package directly
dotnet add package Microsoft.Windows.SDK.BuildTools.WinApp

For more information on dotnet run and the Microsoft.Windows.SDK.BuildTools.WinApp NuGet package, check out dotnet run Support for Packaged WinUI Apps.

winapp ui: UI Automation from the command line

UI Automation is now built right into the CLI. winapp ui lets you inspect and interact with any running Windows application — WPF, WinForms, Win32, Electron, WinUI3 — all from the command line.

Here’s what you can do:

• List windows — enumerate all top-level windows on the desktop.
• Inspect trees — walk the full UI Automation tree of any window.
• Search across windows — find elements by name, type, or automation ID.
• Click, invoke, set values — drive the app just like a user would.
• Take screenshots — capture individual windows or multi-window composites.
• Wait for elements — block until a specific element appears, ideal for test synchronization.

This unlocks several new agentic and automation scenarios. Agents or a script are now able to see and interact with a running app. Combine winapp ui with winapp run for a complete build → launch → verify workflow entirely from the terminal — driven by an agent, a script, or just you.

See full usage instructions for winapp ui at WinApp CLI UI Command. Also check out our UI Automation Getting Started Guide.

Shell Completion

Tab completion is here. Run one command and every winapp command, subcommand, and option becomes discoverable right in your terminal with descriptions.

# Set up permanently (PowerShell)
winapp complete --setup powershell >> $PROFILE
# Try it in the current session
winapp complete --setup powershell | Out-String | Invoke-Expression

Press Tab to cycle through commands, or Ctrl+Space to see the full list with descriptions. Works for nested commands (winapp cert <Tab>) and options (winapp init --c<Tab>).

See more information on shell completion at Shell Completion Guide.

Other notable changes

• winapp unregister: The cleanup counterpart to winapp run. Safely removes a sideloaded dev package when you’re done with it.
• winapp manifest add-alias: Adds a uap5:AppExecutionAlias to your manifest so a packaged app can be launched by name from the command line. No more hunting for full package family names.
• Package.appxmanifest by default: winapp init and winapp manifest generate now create a Package.appxmanifest file instead of appxmanifest.xml. This aligns with the Visual Studio convention and makes it easier to open and edit manifests in VS with the visual manifest editor.
• Taskbar icon fix: Fixed a visual bug where a blue plate appeared behind app icons in the taskbar when running with a debug identity.

Get started today

The Windows App Development CLI is available now in public preview. Visit our GitHub repository for documentation, guides, and to file issues.

We would love to hear your feedback!

To get started:

Install via WinGet:

winget install Microsoft.WinAppCli

Install via npm:

npm install -g @microsoft/winappcli

Check out our .NET, C++/CMake, Electron, Rust or Flutter guides for getting started quickly.

Happy coding!

The post Windows App Development CLI v0.3: new run and ui commands, plus dotnet run support for packaged apps appeared first on #ifdef Windows.

Passkeys are designed to replace passwords with strong, phishing-resistant credentials that make sign-in quick, easy, and secure. With Microsoft Password Manager, users can now save and sync passkeys across devices signed in with their Microsoft account. Syncing passkeys enables a seamless sign-in experience, allowing users to access their credentials wherever they are signed in. Instead of being tied to a single device, passkeys can be securely available across devices while continuing to leverage device-based authentication such as biometrics or PIN. However, enabling this experience requires a thoughtful approach to security. Roaming cryptographic credentials must be protected during creation, sync, and recovery without weakening their security properties. In this post, we'll walk through the architectural principles that power passkey syncing in Microsoft Password Manager.

Architecture overview

Passkey syncing in Microsoft Password Manager is built on a layered architecture that's designed to securely enable roaming credentials. The system applies multiple independent protections across the boundaries between compute (where sensitive operations are processed), key management, storage, and device authorization. At a high level, passkey syncing in Microsoft Password Manager combines:

• Confidential computing for sensitive passkey operations.
• Hardware-rooted key protection for service-side encryption keys.
• Tamper-evident recovery storage for secure activation and recovery.
• Encrypted synchronization across registered devices.

These layers work together to protect passkeys during creation, synchronization, and recovery. The passkey service backend is deployed using Confidential Containers on Azure Container Instances (ACI), which leverage Trusted Execution Environments for protected execution of sensitive workloads.

Confidential compute for passkey operations

Sensitive passkey operations, including credential creation, assertion, and recovery validation, execute inside the Azure confidential computing environments backed by hardware isolation. This ensures that:

• Cryptographic material is processed inside protected memory.
• The host environment cannot inspect sensitive cryptographic material (such as passkeys and encryption keys) while in use.
• Only attested service code can access protected encryption keys.

By strictly controlling where passkey material can be decrypted and used, we ensure that sensitive cryptographic material remains protected within trusted execution boundaries, while strengthening operational integrity. Access to these operations is further gated by user verification using platform authenticators (for example, Windows Hello or device biometrics), with device-bound cryptographic keys used to authorize passkey operations.

Hardware-rooted key protection

Encryption keys that safeguard synced passkeys are protected using Azure Managed HSM. Access to these keys is restricted through attestation-based secure key release mechanisms. Before keys are released, the execution environment is verified using Microsoft Azure Attestation, ensuring that key material is only accessible within trusted confidential workloads and is not released to non-confidential environments. This provides a hardware-rooted trust anchor for service-side encryption operations. Passkeys are encrypted before synchronization and handled within authorized, hardware-isolated environments.

Secure registration and recovery

Microsoft Password Manager enables cross-device activation through a secure, auditable registration and recovery process. This process requires authentication via a user-defined knowledge factor (PIN), with all protections enforced within confidential computing boundaries. Recovery operations are validated within the confidential computing environment to ensure strong integrity guarantees. Recovery attempts are enforced using a securely maintained retry counter and associated recovery metadata, both recorded in a tamper-evident Azure Confidential Ledger. This prevents counter manipulation and rollback attempts. To protect against malicious brute-force attempts on the low-entropy PIN, the system enforces a fixed limit on consecutive incorrect attempts. Once this limit is reached, the system enters a lockout state. Recovery from lockout requires resetting the PIN through a secure flow that is initiated from a trusted device and authenticated via the user's Microsoft account. This design ensures that recovery mechanisms do not weaken the protections applied to synced passkeys.

Building for the passwordless future

Passkeys represent a major step forward in authentication. In Microsoft Password Manager, we've engineered a sync system that balances strong security protections with seamless cross-device usability. By combining confidential computing, hardware-backed key protection, and device-bound authorization, Microsoft Password Manager delivers secure passkey roaming built to withstand modern threats. These protections are designed as independent layers that collectively safeguard passkeys throughout their lifecycle. Synced passkeys are a strong step forward in our passwordless journey, bringing the simplicity and security of phishing-resistant sign-in to users. We're excited to continue this journey with new capabilities and experiences ahead.

IT practitioners don’t hand out praise easily. So when a solution architect, a head of workplace design and a modern workplace product manager start saying the same thing about an endpoint — simpler to manage, faster to deploy, easier to secure — it's worth paying attention to. Windows 365 Link turns one year old this month. To understand why it matters, it helps to understand the service it is purpose-built for: Windows 365 is a cloud service that streams a full Windows experience — your apps, your settings, your desktop — directly from the Microsoft Cloud to any device. Your PC, essentially, lives in the cloud. Windows 365 Link was built to take that idea further, giving organizations a simple-to-manage, secure endpoint for Windows 365 with no local data, no local apps and no local admin users, so they could scale Cloud PCs simply, securely and cost-effectively. In the year since its launch, it has expanded to new regions and found a home across industries as different as manufacturing, healthcare, retail and professional services. Windows 365 Link is helping a set of organizations with genuinely different challenges — an energy company looking to eliminate the management overhead that comes with running different devices for different roles; a global packaging manufacturer trying to give hundreds of factory workers seamless access to resources as they move station to station; a New Zealand telco rebuilding its entire desktop environment after separating from its parent company; and a Japanese IT infrastructure service provider developing a robust hybrid work foundation that balances convenience with security. What they found in Windows 365 Link wasn’t just a device; it was a way to stop reconciling complexity and start running IT the way it should work. Across organizations, the feedback tells a consistent story: https://youtu.be/KRymSGLgNOg Our growing partner network helps organizations quickly procure and deploy Windows 365 Link. We’ve onboarded more than 200 resellers across 20 countries. Feedback from partners with experience deploying Windows 365 Link highlights Windows 365 Link’s ability to simplify endpoint management and deliver reliable experiences:  https://youtu.be/3NUTul4a0gU Based on customer feedback, we make  regular updates to Windows 365 Link devices to further enhance user experience and streamline IT management. Key updates targeted for release this quarter include:

• Support for pairing Bluetooth® devices during the out-of-box experience, so you can use a wireless keyboard and mouse to set up the device

• Support for tenant branding including setting a custom wallpaper, logo and name on the sign-in screen, so you can provide a tailored experience for your users

• Support for unique peripherals via USB redirection with no endpoint configuration required (GA) and ability to configure specific USB devices via centralized IT Admin controls (Public Preview)

• Support for visibility into pending updates directly on the sign-in screen and ctrl+alt+del screen, so users know when updates are available

Support for tenant branding on the Windows 365 Link sign-in screen As we mark this milestone, we thank our Windows 365 customers and partners for their trust and collaboration. If you’re planning a device refresh for frontline or desk-based workers, consider Windows 365 Link as a more secure, simple-to-manage and cost-effective alternative to traditional desktops. For more on the potential benefits of deploying Windows 365 Link in shared spaces, read the Forrester Consulting study New Technology: The Projected Total Economic Impact™ of Windows 365 Link, July 2025, commissioned by Microsoft. We’re committed to expanding Windows 365 Link’s availability so more organizations can benefit from the power, simplicity and security of Windows 365.