Securing the Model Context Protocol: Building a safer agentic future on Windows

As artificial intelligence continues to evolve and integrate seamlessly into everyday workflows, the demand for secure and standardized communication between tools and AI agents is becoming increasingly critical. At Microsoft Build 2025, an early preview was unveiled showcasing how Windows 11 is adopting the Model Context Protocol (MCP) as a foundational element for secure and interoperable agentic computing, ensuring robust security measures are embedded from the outset.

What is MCP?

The Model Context Protocol (MCP) is a lightweight, open protocol that essentially functions as JSON-RPC over HTTP. It facilitates the discovery and invocation of tools in a standardized manner, enabling smooth orchestration across both local and remote services. This allows developers to create applications once and integrate them universally.

MCP delineates three distinct roles:

  • MCP Hosts: Applications such as Visual Studio Code or other AI tools that seek to access capabilities via MCP.
  • MCP Clients: Clients that initiate requests to MCP servers.
  • MCP Servers: Lightweight services that expose specific functionalities, including file system access, semantic search, and application actions through the MCP interface.

With Windows 11, developers will have the opportunity to create intelligent applications that leverage MCP and generative AI capabilities, allowing them to perform actions on behalf of users. An early preview of the MCP platform capabilities will be made available to developers in the upcoming months for feedback purposes.

Why security matters

While MCP presents exciting new opportunities, it also introduces potential risks. Without stringent controls, an MCP server could inadvertently expose sensitive functionalities, be misconfigured to permit unauthorized access, or fall victim to various attack vectors, including emerging threats like prompt injection or tool poisoning. The input and training data for large language models (LLMs) are often deemed untrusted, and cross-prompt injection can enable attackers to manipulate prompt data, leading to severe consequences such as remote code execution.

To address these challenges, internal and external security research has identified several emerging threat vectors that must be considered within a secure agentic architecture:

  • Cross-Prompt Injection (XPIA): Malicious content embedded in user interface elements or documents can override agent instructions, resulting in unintended actions such as data exfiltration or malware installation.
  • Authentication Gaps: The current standards for authentication within MCP are nascent and inconsistently implemented, with OAuth being optional and ad-hoc approaches emerging.
  • Credential Leakage: Agents operating with full user privileges risk exposing sensitive tokens or credentials.
  • Tool Poisoning: Unvetted or low-quality MCP servers may expose dangerous functionalities or be exploited to escalate privileges.
  • Lack of Containment: Without proper isolation, a compromised agent could impact the entire user session or system.
  • Limited Security Review: Many servers are developed rapidly with minimal security scrutiny, heightening vulnerability risks.
  • Registry and MCP Supply Chain Risks: A public registry of MCP servers, without proper vetting, could become a vector for malware or abuse.
  • Command Injection: Improperly validated inputs in the MCP server can lead to arbitrary command execution.

The field of MCP standards and AI-related security is rapidly evolving. Windows 11 aims to establish a secure foundation while adapting to emerging threats.
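The Command Injection item above is the most mechanical of these threats, so it is worth seeing the defect beside its fix. The following is an added example, not code from the page or from the Windows MCP platform: a `search_files` tool handler written two ways. The vulnerable form interpolates tool arguments into a shell line (returned rather than executed, so the problem is visible); the hardened form never shells out, treats the pattern as a literal string, bounds its length, and confines the path to a declared root, which is the least-privilege posture the article asks servers to declare. File names, contents, and the `MAX_PATTERN` limit are constructed for the demo.

```python
"""Added example: an MCP 'search_files' tool handler, vulnerable vs hardened.
Not from the page or any Microsoft code; workspace contents are constructed."""
import os
import re
import tempfile

MAX_PATTERN = 256  # assumed per-call bound on the pattern length


def build_command_vulnerable(pattern: str, path: str) -> str:
    """What a hastily written server might do: splice tool arguments into a
    shell command. Returned, not executed, so the injected text can be seen."""
    return f"grep -rn {pattern} {path}"


def confine_path(root: str, requested: str) -> str:
    """Resolve the requested path and require it to stay under root, which
    is the filesystem scope this tool is allowed to touch."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, requested))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        raise PermissionError(f"path escapes declared root: {requested}")
    return candidate


def search_files_hardened(root: str, pattern: str, path: str = ".") -> list:
    """Hardened handler: validate every argument, honour no regex or shell
    metacharacters, and search in-process instead of via a shell."""
    if not isinstance(pattern, str) or not 0 < len(pattern) <= MAX_PATTERN:
        raise ValueError("pattern must be a non-empty string within limits")
    base = confine_path(root, path)
    needle = re.compile(re.escape(pattern))  # literal match only
    hits = []
    for dirpath, _, filenames in os.walk(base):
        for fn in sorted(filenames):
            full = os.path.join(dirpath, fn)
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if needle.search(line):
                            hits.append((os.path.relpath(full, base), lineno))
            except OSError:
                continue  # unreadable file: skip it rather than fail the call
    return hits


def demo():
    """Constructed workspace with two files; exercises both handlers."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "a.txt"), "w", encoding="utf-8") as f:
        f.write("hello world\n")
    with open(os.path.join(root, "b.txt"), "w", encoding="utf-8") as f:
        f.write("nothing here\nhello again\n")
    injected = "x; id"  # constructed argument carrying a shell separator
    vuln_line = build_command_vulnerable(injected, ".")      # separator reaches the shell
    safe_hits = search_files_hardened(root, "hello")         # normal use
    injected_hits = search_files_hardened(root, injected)    # treated as literal text
    try:
        search_files_hardened(root, "hello", "../../etc")    # path outside root
        escaped = False
    except PermissionError:
        escaped = True
    return vuln_line, safe_hits, injected_hits, escaped


if __name__ == "__main__":
    print(demo())
```

The point of the hardened version is not quoting: wrapping the arguments with a shell-quoting helper would close this one hole, but removing the shell entirely removes the whole class, and the root check turns the server's declared privilege into something enforced per call rather than assumed.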

MCP security architecture in Windows 11

In alignment with Microsoft’s Secure Future Initiative, security remains a paramount focus as MCP capabilities expand. The MCP Security Architecture in Windows 11 is built upon several key principles:

  1. Establishing a baseline set of security requirements that all MCP server developers must adhere to, ensuring user safety while fostering an open ecosystem of servers. Each server will be required to meet security standards, possess a unique identity, and have signed code for provenance validation and revocation when necessary.
  2. Ensuring that users maintain control over all security-sensitive operations performed on their behalf. Transparency is crucial; users must be informed about the scope and operations of agents, especially concerning sensitive actions that modify the operating system or access data and credentials.
  3. Enforcing the principle of least privilege to minimize the impact of any potential attack on an MCP server. Windows 11 will implement declarative capabilities and isolation where applicable to limit the blast radius of attacks.

MCP security controls

To fulfill these commitments, Windows 11 will introduce several security controls:

  • Proxy-Mediated Communication: All interactions between MCP clients and servers will be routed through a trusted Windows proxy, allowing for centralized policy enforcement and consent management. This approach will facilitate consistent authentication and authorization, addressing one of the primary challenges associated with the MCP protocol.
  • Tool-Level Authorization: Users will be required to explicitly approve each client-tool pairing, with support for per-resource granularity, reinforcing user control.
  • Central Server Registry: Only MCP servers that meet baseline security criteria will be listed in the Windows MCP server registry, ensuring discoverability without compromising trust.
  • Runtime Isolation: MCP servers will implement the principle of least privilege through mechanisms such as isolation and granular permissions, empowering users to manage the privileges granted to each server.

MCP Server security requirements

To be included in the Windows 11 MCP server registry, MCP Servers must comply with a baseline set of security requirements, which include:

  1. Mandatory code signing to establish provenance and enable revocation.
  2. A server’s tool definitions must not change at runtime.
  3. Security testing of exposed interfaces.
  4. Mandatory package identity.
  5. Servers must declare the privileges they require.

These requirements aim to mitigate risks such as tool poisoning while fostering a diverse ecosystem of MCP servers. Further details on these requirements, which may change based on feedback received, will be provided with the release of the developer preview.
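The security controls above (proxy-mediated communication, tool-level authorization) and three of the server requirements (unchanged tool definitions, declared privileges, per-server identity) fit together in one broker that every client-server message passes through. The following is an added example, not code from the page or from the Windows implementation: a minimal policy-enforcing proxy that pins each server's tool definitions at registration, refuses calls when those definitions drift, requires an explicit user consent per client-tool pairing, and rejects at registration any tool needing a privilege its server did not declare. Message shapes follow JSON-RPC 2.0 with the MCP method names `tools/list` and `tools/call`; the stand-in server, its privilege vocabulary (`fs:read`), and the denial error code `-32000` are assumptions for the demo.

```python
"""Added example: a policy-enforcing MCP proxy. Not Microsoft's code; the
server, privilege names and error code -32000 are constructed for the demo."""
import hashlib
import json


class DemoFileServer:
    """Stand-in MCP server that declares its privileges (requirement 5)."""
    declared_privileges = {"fs:read"}

    def __init__(self):
        self.tools = [{
            "name": "read_file", "description": "Read a text file",
            "privilege": "fs:read",
            "inputSchema": {"type": "object",
                            "properties": {"path": {"type": "string"}}},
        }]
        self.files = {"/tmp/notes.txt": "meeting at 10"}  # constructed content

    def list_tools(self):
        return self.tools

    def call_tool(self, name, arguments):
        if name == "read_file":
            return self.files.get(arguments["path"], "")
        raise KeyError(name)


def tool_fingerprint(tools):
    """Canonical SHA-256 over the tool definitions; any drift after
    registration means the definitions changed at runtime (requirement 2)."""
    canon = json.dumps(tools, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class McpProxy:
    """Trusted broker: every client<->server message is mediated here."""

    def __init__(self):
        self.servers = {}      # server_id -> (server, pinned fingerprint)
        self.consents = set()  # (client_id, server_id, tool) approved by the user
        self.audit = []        # allow/deny decisions for review and detection

    def register_server(self, server_id, server):
        # A tool may only require privileges its server declared up front.
        for tool in server.list_tools():
            if tool["privilege"] not in server.declared_privileges:
                raise ValueError(f"{server_id}:{tool['name']} needs undeclared privilege")
        self.servers[server_id] = (server, tool_fingerprint(server.list_tools()))

    def grant_consent(self, client_id, server_id, tool_name):
        """Recorded only after the user explicitly approves this pairing."""
        self.consents.add((client_id, server_id, tool_name))

    def handle(self, client_id, server_id, request):
        rid = request.get("id")
        server, pinned = self.servers[server_id]
        method = request.get("method")
        if method == "tools/list":
            return self._ok(rid, {"tools": server.list_tools()})
        if method != "tools/call":
            return self._err(rid, -32601, "method not found")
        params = request.get("params", {})
        name = params.get("name")
        # 1. Integrity: refuse if the tool definitions drifted since registration.
        if tool_fingerprint(server.list_tools()) != pinned:
            return self._deny(rid, client_id, server_id, name, "tool definitions changed")
        # 2. Tool-level authorization: this client-tool pairing needs consent.
        if (client_id, server_id, name) not in self.consents:
            return self._deny(rid, client_id, server_id, name, "no user consent")
        try:
            result = server.call_tool(name, params.get("arguments", {}))
        except KeyError:
            return self._err(rid, -32602, "unknown tool")
        self.audit.append(("allow", client_id, server_id, name))
        return self._ok(rid, {"content": [{"type": "text", "text": result}]})

    def _deny(self, rid, client_id, server_id, name, reason):
        self.audit.append(("deny", client_id, server_id, name, reason))
        return self._err(rid, -32000, f"denied: {reason}")

    @staticmethod
    def _ok(rid, result):
        return {"jsonrpc": "2.0", "id": rid, "result": result}

    @staticmethod
    def _err(rid, code, message):
        return {"jsonrpc": "2.0", "id": rid, "error": {"code": code, "message": message}}


def demo():
    """Consent flow, one allowed call, then a runtime change to a tool definition."""
    proxy, server = McpProxy(), DemoFileServer()
    proxy.register_server("files", server)
    call = {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
            "params": {"name": "read_file", "arguments": {"path": "/tmp/notes.txt"}}}
    before = proxy.handle("vscode", "files", call)   # denied: no consent yet
    proxy.grant_consent("vscode", "files", "read_file")
    allowed = proxy.handle("vscode", "files", call)  # allowed
    server.tools[0]["description"] = "Read a text file (changed after approval)"
    after = proxy.handle("vscode", "files", call)    # denied: definitions drifted
    return before, allowed, after


if __name__ == "__main__":
    for response in demo():
        print(json.dumps(response))
```

Because the fingerprint covers the whole definition, including the description text a model reads, a server that changes what it tells the model after the user approved it is blocked without the proxy needing to understand the change; the audit list is where a detection pipeline would pick up repeated denials from one server.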

Developer preview

Post-Microsoft Build, Microsoft will offer an early private preview of the MCP server capability to developers for feedback purposes. This preview may include security features that are not yet in enforcement mode, with full enforcement scheduled for broader availability. Developers will be required to operate in developer mode to access this preview, ensuring that only entitled developers can utilize it. A secure-by-default enforcement strategy will be integral to the overall customer release.

Looking ahead

Security is an ongoing commitment rather than a one-time feature. As MCP and other agentic capabilities expand, Microsoft will continue to enhance its defenses. The roadmap includes innovations such as prompt isolation, dual-LLM validation, runtime policy enforcement, and firewall plugins, all designed to stay ahead of emerging threats. Collaborations with ecosystem partners, including Anthropic and the MCP Steering Committee, will further bolster MCP’s security framework in response to evolving needs. Microsoft believes that trust is the cornerstone of innovation, and by embedding security within the core of its agentic platform, the future of AI on Windows promises to be not only powerful but also safe.
