diff --git a/build/azure-pipelines/win32/cli-build-win32.yml b/build/azure-pipelines/win32/cli-build-win32.yml
index 19409272ff0..d61f0e722f5 100644
--- a/build/azure-pipelines/win32/cli-build-win32.yml
+++ b/build/azure-pipelines/win32/cli-build-win32.yml
@@ -53,7 +53,8 @@ steps:
         VSCODE_CLI_ENV:
           OPENSSL_LIB_DIR: $(Build.ArtifactStagingDirectory)/openssl/x64-windows-static/lib
           OPENSSL_INCLUDE_DIR: $(Build.ArtifactStagingDirectory)/openssl/x64-windows-static/include
-          RUSTFLAGS: "-C target-feature=+crt-static"
+          RUSTFLAGS: "-Ctarget-feature=+crt-static -Clink-args=/guard:cf -Clink-args=/CETCOMPAT"
+          CFLAGS: "/guard:cf /Qspectre"
 
   - ${{ if eq(parameters.VSCODE_BUILD_WIN32_ARM64, true) }}:
     - template: ../cli/cli-compile.yml@self
@@ -65,7 +66,8 @@ steps:
         VSCODE_CLI_ENV:
           OPENSSL_LIB_DIR: $(Build.ArtifactStagingDirectory)/openssl/arm64-windows-static/lib
           OPENSSL_INCLUDE_DIR: $(Build.ArtifactStagingDirectory)/openssl/arm64-windows-static/include
-          RUSTFLAGS: "-C target-feature=+crt-static"
+          RUSTFLAGS: "-C target-feature=+crt-static -Clink-args=/guard:cf -Clink-args=/CETCOMPAT:NO"
+          CFLAGS: "/guard:cf /Qspectre"
 
   - ${{ if not(parameters.VSCODE_CHECK_ONLY) }}:
     - ${{ if eq(parameters.VSCODE_BUILD_WIN32_ARM64, true) }}:
diff --git a/cli/.cargo/config.toml b/cli/.cargo/config.toml
new file mode 100644
index 00000000000..ad9374d4a90
--- /dev/null
+++ b/cli/.cargo/config.toml
@@ -0,0 +1,6 @@
+[target.'cfg(all(target_os = "windows", any(target_arch = "i686", target_arch = "x86_64", target_arch = "x86")))']
+rustflags = ["-Ctarget-feature=+crt-static", "-Clink-args=/guard:cf", "-Clink-args=/CETCOMPAT"]
+
+# CETCOMPAT is not supported on ARM binaries
+[target.'cfg(all(target_os = "windows", not(any(target_arch = "i686", target_arch = "x86_64", target_arch = "x86"))))']
+rustflags = ["-Ctarget-feature=+crt-static", "-Clink-args=/guard:cf"]
diff --git a/cli/CONTRIBUTING.md b/cli/CONTRIBUTING.md
index d119f1ac98a..4809fccd080 100644
--- a/cli/CONTRIBUTING.md
+++ b/cli/CONTRIBUTING.md
@@ -8,7 +8,7 @@
 
 For the moment, we require OpenSSL on Windows, where it is not usually installed by default. To install it:
 
-1. Install (clone) vcpkg [using their instructions](https://github.com/Microsoft/vcpkg#quick-start-windows)
+1. Follow steps 1 and 2 of [Set up vcpkg](https://learn.microsoft.com/en-us/vcpkg/get_started/get-started-msbuild?pivots=shell-powershell#1---set-up-vcpkg) to obtain the executable.
 1. Add the location of the `vcpkg` directory to your system or user PATH.
 1. Run`vcpkg install openssl:x64-windows-static-md` (after restarting your terminal for PATH changes to apply)
 1. You should be able to then `cargo build` successfully