In the wake of a significant incident last year involving a faulty update from CrowdStrike that disrupted 8.5 million Windows-based machines globally, Microsoft is taking proactive steps to enhance the security of its operating system. The tech giant is preparing to initiate a private preview of new Windows changes aimed at relocating antivirus (AV) and endpoint detection and response (EDR) applications away from the Windows kernel, a core component of the operating system that has unrestricted access to system memory and hardware.
Collaborating closely with industry leaders such as CrowdStrike, Bitdefender, ESET, and Trend Micro, Microsoft is developing a new endpoint security platform. David Weston, vice president of enterprise and OS security at Microsoft, expressed enthusiasm about the collaboration, noting, “We’ve had dozens of partners supply papers to us, some of them hundreds of pages long, on how they’d like it to be designed and what the requirements are.” This collective effort underscores a shared commitment among competitors to build a robust security platform.
Weston emphasized that Microsoft is not dictating terms but rather fostering a collaborative environment where all parties can contribute to the development of the security framework. “We’re not here to tell them how the API should work, we’re here to listen and provide the security and reliability,” he stated, highlighting the importance of cooperation in addressing security challenges.
Historically, Windows has allowed developers to integrate security software deeply into its architecture, often at the kernel level. The CrowdStrike incident was a stark reminder of the reliability risk this carries: kernel-mode code runs with no fault isolation, so a single faulty kernel-level driver does not crash one process but the whole machine (the infamous Blue Screen of Death, or BSOD), and if that driver loads at boot the machine can be left unable to start until the driver is repaired. A user-mode security service, by contrast, can crash and be restarted without taking the system down with it.
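To see how much of that deeply integrated code actually sits in the kernel on a given machine, the following PowerShell snippet (an added example, not code from the article or from Microsoft) lists the kernel-mode drivers currently running and flags those whose file version information names a company other than Microsoft. It assumes an elevated PowerShell 5.1 or later session; the `ThirdParty` column and the path-normalization rules are this example's own choices, not a Microsoft convention.

```powershell
# Added example: inventory running kernel-mode drivers on this Windows host
# and flag the ones that appear to come from third parties (AV/EDR, anti-cheat,
# device vendors). Run from an elevated PowerShell prompt (5.1 or later).

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' -and $_.PathName }

$report = foreach ($d in $drivers) {
    # Win32_SystemDriver.PathName comes in several forms: a plain Win32 path,
    # an NT path (\??\C:\...), a \SystemRoot\-relative path, or a path relative
    # to the Windows directory. Normalize to a Win32 path before opening it.
    $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    if (-not (Test-Path -LiteralPath $path)) { continue }

    $ver = (Get-Item -LiteralPath $path).VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    [pscustomobject]@{
        Name       = $d.Name
        Path       = $path
        Company    = $ver.CompanyName
        Signer     = $signer
        SigStatus  = $sig.Status
        # Heuristic (this example's own): treat anything not claiming Microsoft
        # as its company as third-party kernel code. CompanyName is informational
        # and can be blank or spoofed, so review the list rather than trusting it.
        ThirdParty = ($ver.CompanyName -notmatch 'Microsoft')
    }
}

# Third-party kernel code first, then everything else.
$report |
    Sort-Object -Property @{ Expression = 'ThirdParty'; Descending = $true }, Name |
    Format-Table Name, Company, SigStatus, ThirdParty -AutoSize

$third = @($report | Where-Object ThirdParty)
"{0} running kernel drivers, {1} not attributed to Microsoft" -f @($report).Count, $third.Count
```

Note that the `Signer` column is kept for reference but is deliberately not used for the third-party decision: since Windows 10 version 1607, new kernel drivers must be signed through Microsoft's Hardware Dev Center (attestation or WHQL), so a CrowdStrike or ESET driver will typically carry a Microsoft-issued signature. The company in the file's version resource is the more useful hint about who wrote the code, and `SigStatus` tells you whether the signature still validates.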
To address these concerns, Microsoft has mobilized its top engineers, including some of the original architects of Windows, to work on these security enhancements. “It’s really the biggest brains of core Windows being involved and collaborating with CrowdStrike, ESET, and all those folks,” Weston remarked, indicating the high level of expertise being applied to this initiative.
The upcoming private preview will allow security vendors to suggest modifications, with Weston anticipating several iterations before the final version is ready for implementation. While the primary focus will be on AV and EDR applications, he acknowledged that kernel drivers will still be present for some time, since other use cases that currently require kernel access have yet to be addressed.
Another significant area of concern is the use of kernel-level drivers in anti-cheating engines for gaming. Microsoft is actively engaging with game developers to explore ways to minimize kernel usage, recognizing the complexities involved in preventing cheating while maintaining system integrity. “A lot of [game developers] would love to not have to maintain kernel stuff, and they are very interested in how they do that,” Weston noted, suggesting that further discussions are on the horizon.
As Microsoft navigates these changes, it remains optimistic about adoption rates, particularly as customers express a desire for improvements following the CrowdStrike incident. Separately, a forthcoming Windows update is set to introduce a Quick Machine Recovery feature for machines that fail to boot: rather than leaving an administrator to intervene by hand, the machine is directed into the Windows Recovery Environment, where the problem can be diagnosed and a fix applied.
Microsoft is also redesigning the BSOD itself, replacing the traditional blue background with a black one and simplifying the screen. The crash information that matters for troubleshooting, the stop code and the name of the faulting driver, remains on the screen, so the change is cosmetic rather than a change in how Windows handles the error.