The Verge - Artificial Intelligences, the day before yesterday 00:18
Windows is getting support for the ‘USB-C of AI apps’

 

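Microsoft is actively integrating AI into Windows, launching native Model Context Protocol (MCP) support and Windows AI Foundry. MCP, as the “USB-C port” of AI apps, is meant to connect a variety of apps and services and to build automated AI agents. Windows AI Foundry integrates multiple models, making it easy for developers to use the models on Copilot Plus PCs or bring their own. Microsoft is working to make the Windows platform one where AI agents are part of the workload, reshaping how users interact with apps and devices, while also paying close attention to the security risks MCP may bring and actively taking measures.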

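🔌**Model Context Protocol (MCP):** Microsoft is strongly supporting MCP in Windows, an open standard designed to make it easier for AI apps and agents to communicate with other apps, web services, and even parts of Windows. The MCP registry will serve as the secure, trusted source for all MCP servers that AI agents can access.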

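🔑**Windows AI Foundry:** Microsoft has rebranded its own AI platform as Windows AI Foundry, which integrates models from Foundry Local and other catalogs such as Ollama and Nvidia NIMs, and is designed to let developers use the models available on Copilot Plus PCs or bring their own models through Windows ML.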

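🛡️**Security measures:** Microsoft recognizes the security risks MCP may bring, such as token theft, server compromise, and prompt injection attacks. It is therefore taking several security measures, including making the developer preview available only to select developers and enforcing security requirements for MCP servers to appear in Microsoft’s official list, or registry.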

Microsoft launched its Copilot Plus PC and Windows AI efforts last year, and now it’s going a step further today with native Model Context Protocol (MCP) in Windows and the launch of the Windows AI Foundry. The groundwork is necessary for a future envisioned by Microsoft whereby automated AI agents assist their human companions.

Introduced by Anthropic late last year, MCP is an open-source standard that’s often referred to as the “USB-C port of AI” apps. Just as USB-C connects devices from many manufacturers to a variety of peripherals, developers can use MCP to quickly let their AI apps or agents talk to other apps, web services, or now even parts of Windows. Microsoft’s embrace of this protocol is a big part of its ambitions to reshape Windows and make it ready for a world in which AI agents can connect to apps and services in ways that haven’t been possible before.

“We want Windows as a platform to be able to evolve to a place where we think agents are a part of the workload on the operating system, and agents are a part of how customers interact with their apps and devices on an ongoing basis,” says Windows chief Pavan Davuluri in an interview with The Verge.

Microsoft is supporting MCP in a big way inside Windows, alongside even broader efforts to power what it calls the agentic web. To evolve Windows toward the agentic world it envisions, the company is introducing some new developer capabilities that let the MCP framework expose key Windows functionality to AI agents.

An MCP registry on Windows will act as the secure, trustworthy source for all MCP servers that AI agents will be able to access. “Agents can discover the installed MCP servers on client devices via the MCP Registry for Windows, leverage their expertise and offer meaningful value to end-users,” says Davuluri. MCP servers will be able to access things like the Windows File System, windowing, or the Windows Subsystem for Linux.

In a demo during a briefing for Microsoft’s MCP in Windows announcement, the company showed me an early preview of how Perplexity on Windows could leverage MCP capabilities. Instead of having to manually select folders of documents, Perplexity can simply query the MCP registry to find a Windows file system MCP server to connect to. This allows Perplexity to perform file searches on behalf of a user in a more natural way, so you could simply say “find all the files related to my vacation in my documents folder,” instead of having to add this folder or the documents manually.

You could imagine how a world of MCP servers and hosts inside Windows might eventually open the operating system up to a lot more automated app features, especially for querying data from the web inside apps like Excel. We’re also starting to see Microsoft make parts of Windows AI-powered through AI agents. Copilot Plus PCs will soon have access to an AI agent settings interface, which lets you control system settings using natural language queries.

This type of MCP functionality also opens Windows up to a world of new attack methods from malicious actors. The security risks of MCP have been well documented in recent months, with warnings of potential token theft, server compromises, and prompt injection attacks. Microsoft is well aware of the security risks of embracing MCP at such an early stage, so the company is only making a preview available to select developers to help work on its feature set and secure it fully.

“I think we have a solid set of foundations and more importantly a solid architecture that gives us all the tools to start, to do this securely,” explains David Weston, vice president of enterprise and OS security at Microsoft, in an interview with The Verge. “We’re going to put security first, and ultimately we’re considering large language models as untrusted, as they can be trained on untrusted data and they can have cross-prompt injection.”

In the demo Microsoft showed me of MCP working in Windows, there were also early security prompts to let these AI apps access MCP capabilities. “Just like a web app asks for your location, you’re in control of what you share and we want to make sure that’s intentional,” says Weston.

This is all early work from Microsoft right now, but the demo did remind me a little of Windows Vista’s UAC prompts that would pop up whenever you needed admin permissions to do things in Windows. Those became very annoying and a subject of mocking ads from Apple. Getting these prompts right will be key for Microsoft here, as they have to balance security and the convenience of using these AI agents and apps. I sure don’t want a repeat of UAC or even Apple’s copy / paste prompts that are highly irritating in iOS right now.

Microsoft is also committing to a variety of MCP security controls that Weston outlines in a blog post today, alongside some security requirements in order for MCP servers to appear in Microsoft’s official list, or registry. “These will prevent classes of attack like tool poisoning while also creating an open and diverse ecosystem of MCP servers,” says Weston. “More information on these requirements will be available when the developer preview is released.”

Alongside this big MCP push, Microsoft is also positioning its own AI platform inside Windows as the rebranded Windows AI Foundry. It integrates models from Foundry Local and other catalogs like Ollama and Nvidia NIMs, and is designed to allow developers to tap into models available on Copilot Plus PCs, or to bring their own models through Windows ML.

Windows ML should make it a lot easier for developers to deploy their apps, “without needing to package ML runtimes, hardware execution providers, or drivers with their app,” according to Davuluri. Microsoft is working closely with AMD, Intel, Nvidia, and Qualcomm on its Windows AI Foundry effort.
