What’s New in Visual Studio Code 1.123

On June 3, 2026 — coinciding with Microsoft Build 2026 — Visual Studio Code 1.123 landed. This is not a routine maintenance update. It’s a deliberate consolidation of Microsoft’s agent-first development strategy, bringing together persistent AI session memory, a deep research agent, parallel agent orchestration, and a critical supply-chain security control that directly responds to the May 2026 GitHub breach via a compromised VS Code extension.

Here’s what enterprise developers and IT teams need to know.

Session Sync and Chronicle — Your Coding History Becomes a Searchable Asset

The headline feature in 1.123 is session sync, which automatically backs up your Copilot chat sessions to your GitHub account and makes them searchable via the new /chronicle commands.

Every chat session now captures:

  • The full conversation with Copilot
  • Every file touched during the session
  • Repository context (repo, branch, timestamps)
  • Referenced pull requests, issues, and commits

With /chronicle in chat, developers can ask natural-language questions like “What did I work on last Friday?” or “Find sessions where I refactored the auth module.” The system can also generate standup reports, surface productivity insights, and search by topic, file, or PR — all without leaving the editor.

What this means for organizations: Session sync transforms Copilot from a stateless assistant into a persistent knowledge layer. For team leads, it reduces the overhead of status meetings. For new hires, it creates a searchable trail of how the codebase evolved. For compliance teams, it provides an audit-grade log of AI-assisted development activity.

Enable it via chat.sessionSync.enabled — and note that session data is tied to the developer’s GitHub identity, which has implications for offboarding and data retention policies.

Research Agent — Deep Code Investigation Comes to Copilot CLI

The new research agent (preview, Insiders only) addresses a gap that every developer has felt: sometimes a quick chat answer isn’t enough. When you need to understand unfamiliar code, evaluate a library, or learn how an API works end-to-end, the research agent runs deep investigation and returns a well-cited Markdown report.

It draws from three sources:

  1. Your codebase
  2. Relevant GitHub repositories
  3. The public web

The research agent is read-only and depth-optimized — it investigates and reports without modifying code. Invoke it with /research in a Copilot CLI session.

Enterprise context: This is a powerful onboarding tool. New team members can research a module, get a structured report with citations, and come up to speed without interrupting senior developers. It also formalizes the “spike investigation” pattern — developers can delegate research to the agent and get documented, auditable results.

Agents Window — Side-by-Side Agent Sessions

The Agents window (preview) gets a major workflow upgrade in 1.123: multiple open sessions. Developers can now run, compare, and review several agent sessions side by side.

Key workflow improvements:

  • Open sessions via context menu, drag-and-drop, or Alt+click
  • Pin sessions to prevent accidental replacement
  • Maximize a session view without closing others
  • Only one session is “active” at a time — the Terminal, Files, and Changes views follow the active session

What this means: Developers working on multi-step refactoring or comparing alternative implementations can keep both sessions visible, pin the one they’re referencing, and switch between them fluidly. For complex tasks spanning multiple projects or harnesses, this turns the Agents window into a genuine orchestration cockpit.

Delayed Extension Auto-Updates — A Targeted Supply-Chain Defense

Perhaps the most security-relevant change in 1.123 is the two-hour delay on extension auto-updates. When a publisher releases a new version, VS Code now waits two hours before automatically updating it for users who have auto-updates enabled.

Why this matters: In May 2026, GitHub suffered an internal breach after attackers weaponized a popular VS Code extension to compromise employee devices (GetSecureSlate). The two-hour window gives the community and security researchers time to detect and report malicious packages before they propagate automatically.

Key details:

  • The manual Update button bypasses the delay at any time
  • Extensions from trusted publishers (Microsoft, GitHub, OpenAI) update immediately — no delay
  • The extension details view shows exactly when the auto-update will happen

What IT teams should do: Review your list of trusted publishers. Consider whether your organization wants to allow any publisher the “immediate update” designation. For regulated environments, this delay is a meaningful addition to your IDE security posture — but it’s not a substitute for a managed extension approval process.

Integrated Browser Grows Up

VS Code’s integrated browser gains two notable features:

  1. Favorite pages — The address bar gets a star icon for bookmarking frequently-used pages, with quick access from the URL bar dropdown alongside open tabs.

  2. Screenshot as context — Building on last release’s browser screenshot feature, 1.123 adds Area Screenshot (select a rectangle) and Full Page Screenshot (experimental, beyond viewport). Both feed directly into Copilot chat as context.

For developers debugging UI layout issues or documenting browser-based workflows, this closes the loop between what they see and what they ask the AI about — without alt-tabbing to a screenshot tool.

Sandbox Network Retry

A smaller but important quality-of-life improvement: agents now retry network-dependent commands (like git fetch) inside the sandbox with unrestricted network access before falling back to unsandboxed execution. This means sandboxed agents can complete network operations while keeping filesystem protections intact. Enable via chat.agent.sandbox.retryWithAllowNetworkRequests.

What Has NOT Changed

  • Copilot pricing and licensing remain the same
  • Extension API compatibility is fully preserved — no breaking changes
  • VS Code Server and Remote Development continue unchanged
  • Theming and UI extension model is stable
  • Keyboard shortcuts and accessibility are fully backward compatible

What Organizations Should Do

  1. Enable session sync for pilot teams. The chronicle feature is opt-in. Run a pilot with 5-10 developers, gather feedback on standup report quality and search usefulness, then evaluate broader rollout.

  2. Audit your extension update policy. The two-hour delay is a default that organizations should understand, not ignore. If you manage extensions via Intune or a private marketplace, this doesn’t change your process. If you rely on auto-updates, review which publishers you trust for immediate updates.

  3. Evaluate the research agent for onboarding. The /research command could meaningfully reduce ramp time for new hires. Test it against your codebase during the Insiders preview.

  4. Train developers on browser screenshot as context. This saves significant time on UI-related debugging. Make sure teams know area and full-page screenshots are available directly from the integrated browser.

The Bigger Picture

VS Code 1.123 arrives alongside Microsoft Build 2026, where the company’s message was unambiguous: the future of development is intent-first, not code-first (TechRadar). GitHub Copilot Agent Mode, the Copilot SDK for embedding agents in any application, and Microsoft Defender’s new AI security posture all point in the same direction: AI agents are becoming first-class production actors inside the development lifecycle, not sidecar helpers.

The session sync and chronicle features are particularly telling. Microsoft is building the organizational memory layer for AI-assisted development — making every interaction traceable, searchable, and auditable. This is what separates a toy from an enterprise tool.

At the same time, the delayed extension update is a pragmatic acknowledgment that the IDE itself is now a vector for supply-chain attacks. The May 2026 GitHub breach demonstrated that VS Code extensions can be weaponized. The two-hour delay won’t stop every attack, but it signals that Microsoft is taking IDE security seriously as AI agents gain more capabilities and permissions.

Ready to optimize your developer tooling at scale? Big Hat Group helps organizations standardize and deploy VSCode with Intune, Windows 365, and GitHub Copilot — from pilot to enterprise-wide rollout. Contact us to discuss your developer productivity strategy.

Big Hat Group is a Microsoft partner specializing in modern endpoint management, Windows 365, and developer productivity tooling.