On Thursday, Microsoft revealed plans to bolster Windows' resilience against system outages caused by third-party security software. This move comes in the wake of a major incident earlier this year when CrowdStrike’s update caused a widespread global outage, taking millions of Windows devices offline for over 24 hours. The tech giant is now working closely with security vendors to help them shift certain operations outside the Windows kernel, reducing the risk of similar incidents in the future.
At the recent Windows Endpoint Security Ecosystem Summit, Microsoft highlighted its strategy to introduce new platform capabilities for Windows. These capabilities will enable security firms to deliver robust protection features without relying on kernel mode access. Currently, many security solutions run at the kernel level, with privileged access to the system, which is both a blessing and a curse: while it allows vendors to monitor and modify critical system components, any faulty update can trigger widespread disruptions, as seen with CrowdStrike’s mishap.
In a post-summit statement, Microsoft emphasized that working with security vendors to reduce their reliance on the Windows kernel would improve overall system stability without compromising security. The company is focused on enabling these firms to operate effectively outside kernel mode, which should mitigate risks associated with deep system-level access while still allowing them to deliver powerful protective capabilities.
Kernel-level access is currently favored by security vendors due to the extensive control it offers over the system. It allows security software to interact directly with memory, scan running applications, and even modify system files to prevent or neutralize threats. However, this level of access also makes systems vulnerable to catastrophic failures if updates are misconfigured, as demonstrated by the CrowdStrike incident in July, when millions of Windows computers were rendered non-operational.
Microsoft's approach aims to help these vendors offer critical security functionalities—such as threat detection, file integrity monitoring, and anti-tampering measures—without the need for kernel-level operations. This shift could also prevent system performance degradation and minimize the potential impact of future software mishaps.
According to Microsoft, key challenges in this transition include addressing performance trade-offs and ensuring that necessary security features, such as real-time threat sensors and tamper protection, can be effectively maintained outside kernel mode. The company is committed to working closely with its partners to design and implement this new security architecture in a way that meets both security and performance needs.
“As a next step, Microsoft will continue to design and develop this new platform capability with input and collaboration from ecosystem partners to achieve the goal of enhanced reliability without sacrificing security,” the company stated.
By driving innovation and working with the security ecosystem, Microsoft’s efforts are set to enhance the reliability and security of the Windows platform, ensuring a safer environment for users worldwide.