Microsoft has integrated Model Context Protocol (MCP) into Windows ML, setting the stage for a more secure "agentic" Windows operating system. This initiative, previewed at Ignite 2025, focuses on enhancing the management of local agents that orchestrate both local and remote resources.
Security and Management Enhancements
MCP acts as a standard API, granting agents controlled access to application data and functions. Microsoft has improved security by introducing an MCP registry and proxy within Windows to facilitate discovery, authentication, auditing, and authorization. By using MSIX bundles for MCP server distribution, Microsoft ensures that the installation adheres to strict security standards, minimizing system resource exposure and addressing prompt-injection risks.
Each MCP server session is isolated, with registry and file access restrictions managed by the hosting app. File permissions granted to one server within a host extend to others under the same host, but must be specifically declared in the app manifest. These measures aim to safeguard interactions while maintaining operational integrity.
Developing Local Agents
Microsoft has supplied sample JavaScript host code and connectors, such as a Windows file-system connector, enabling agents to read, write, and modify files without explicit delete permissions. The company advises enterprises to enforce read-only operations where feasible and manage MCP frameworks through group policies and default settings. This controlled approach aims to limit file access to essential tasks, reinforcing security through sandboxing and virtualization.
The agentic OS vision leverages Windows features such as the Krypton hypervisor, treating each agent and its related servers as separate tenants and isolating them to reduce the risk posed by their operations. Although the platform is in its early stages, it signals a meaningful advance in building secure, agent-driven applications that balance local and remote resource integration.