Microsoft is building new Windows security features to prevent another CrowdStrike incident
Image: The Verge Microsoft is announcing plans to make changes to Windows that will help CrowdStrike and other security vendors operate outside of the Windows kernel. The announcement stems from a Microsoft-hosted security summit earlier this week at the company’s Redmond, Washington, headquarters, where it discussed changes to Windows in the wake of the disastrous CrowdStrike incident in July. Windows kernel access has been a hot topic ever since the CrowdStrike catastrophe took down 8.5 million Windows PCs and servers. CrowdStrike’s software runs at the kernel level of Windows — the core part of an operating system that has unrestricted access to system memory and hardware. That’s what allowed a faulty update to generate a Blue Screen of Death as soon as affected systems started up. In the months since, Microsoft has called for changes to Windows to improve resiliency and dropped hints about moving security vendors out of the Windows kernel to prevent this from happening again. But there’s been pressure on Microsoft, from both partners and regulators, to not move unilaterally in making that change. Microsoft says it has now “discussed the requirements and key challenges in creating a new platform which can meet the needs of security vendors” with partners like CrowdStrike, Broadcom, Sophos, and Trend Micro. “Both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode which, along with safe deployment practices, can be used to create highly available security solutions,” says David Weston, vice president of enterprise and OS security at Microsoft. Microsoft has discussed performance needs and the challenges for security vendors to operate outside of kernel mode, along with the need for anti-tampering protection for security products and security sensor requirements. “As a next step, Microsoft will continue to design and develop this new platform capability with input and collaboration from ecosystem partners to achieve the goal of enhanced reliability without sacrificing security,” says Weston. While Microsoft isn’t directly saying it’s going to close off access to the Windows kernel, it’s clearly at the early stages of designing a security platform that can eventually move CrowdStrike and others out of the kernel. Microsoft last tried to close off access to the Windows kernel in Windows Vista in 2006, but it was met with pushback from cybersecurity vendors and regulators. This time around, security vendors are a lot more open to it. “It was a welcome opportunity to join industry peers in an open discussion of advancements that will serve our customers by elevating the resilience and robustness of both Microsoft Windows and the endpoint security ecosystem,” says Sophos CEO Joe Levy in a statement provided by Microsoft. “I applaud Microsoft for opening its doors to continue collaborating with leading endpoint security leaders,” says Kevin Simzer, chief operating officer at Trend Micro. Even CrowdStrike, the catalyst for this entire summit, was appreciative of Microsoft’s efforts. “We appreciated the opportunity to join these important discussions with Microsoft and industry peers on how best to collaborate in building a more resilient and open Windows endpoint security ecosystem that strengthens security for our mutual customers,” says Drew Bagley, vice president of privacy and cyber policy at CrowdStrike. Not everyone involved in the security world is happy about Microsoft’s potential changes, though. “Regulators need to be paying attention,” said Cloudflare CEO Matthew Prince on X last month, referencing Microsoft’s Windows security summit. “A world where only Microsoft can provide effective endpoint security is not a more secure world.” Prince says he’s not concerned about Microsoft potentially locking down the Windows kernel, but more that the company could lock it down “for everyone else” while still giving its own offering “privileged access.” Microsoft also invited government officials from the US and Europe to its security summit because it’s clearly aware of concerns like the ones Prince mentioned. The summit comes right in the middle of a broader cybersecurity overhaul inside of Microsoft, following years of incidents and criticisms. Microsoft employees are now being judged directly on their security work, with the company tying those efforts to employee performance reviews.
Microsoft is announcing plans to make changes to Windows that will help CrowdStrike and other security vendors operate outside of the Windows kernel. The announcement stems from a Microsoft-hosted security summit earlier this week at the company’s Redmond, Washington, headquarters, where it discussed changes to Windows in the wake of the disastrous CrowdStrike incident in July.
Windows kernel access has been a hot topic ever since the CrowdStrike catastrophe took down 8.5 million Windows PCs and servers. CrowdStrike’s software runs at the kernel level of Windows — the core part of an operating system that has unrestricted access to system memory and hardware. That’s what allowed a faulty update to generate a Blue Screen of Death as soon as affected systems started up.
In the months since, Microsoft has called for changes to Windows to improve resiliency and dropped hints about moving security vendors out of the Windows kernel to prevent this from happening again. But there’s been pressure on Microsoft, from both partners and regulators, to not move unilaterally in making that change.
Microsoft says it has now “discussed the requirements and key challenges in creating a new platform which can meet the needs of security vendors” with partners like CrowdStrike, Broadcom, Sophos, and Trend Micro.
“Both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode which, along with safe deployment practices, can be used to create highly available security solutions,” says David Weston, vice president of enterprise and OS security at Microsoft.
Microsoft has discussed performance needs and the challenges for security vendors to operate outside of kernel mode, along with the need for anti-tampering protection for security products and security sensor requirements. “As a next step, Microsoft will continue to design and develop this new platform capability with input and collaboration from ecosystem partners to achieve the goal of enhanced reliability without sacrificing security,” says Weston.
While Microsoft isn’t directly saying it’s going to close off access to the Windows kernel, it’s clearly at the early stages of designing a security platform that can eventually move CrowdStrike and others out of the kernel. Microsoft last tried to close off access to the Windows kernel in Windows Vista in 2006, but it was met with pushback from cybersecurity vendors and regulators.
This time around, security vendors are a lot more open to it. “It was a welcome opportunity to join industry peers in an open discussion of advancements that will serve our customers by elevating the resilience and robustness of both Microsoft Windows and the endpoint security ecosystem,” says Sophos CEO Joe Levy in a statement provided by Microsoft.
“I applaud Microsoft for opening its doors to continue collaborating with leading endpoint security leaders,” says Kevin Simzer, chief operating officer at Trend Micro. Even CrowdStrike, the catalyst for this entire summit, was appreciative of Microsoft’s efforts. “We appreciated the opportunity to join these important discussions with Microsoft and industry peers on how best to collaborate in building a more resilient and open Windows endpoint security ecosystem that strengthens security for our mutual customers,” says Drew Bagley, vice president of privacy and cyber policy at CrowdStrike.
Not everyone involved in the security world is happy about Microsoft’s potential changes, though. “Regulators need to be paying attention,” said Cloudflare CEO Matthew Prince on X last month, referencing Microsoft’s Windows security summit. “A world where only Microsoft can provide effective endpoint security is not a more secure world.”
Prince says he’s not concerned about Microsoft potentially locking down the Windows kernel, but more that the company could lock it down “for everyone else” while still giving its own offering “privileged access.” Microsoft also invited government officials from the US and Europe to its security summit because it’s clearly aware of concerns like the ones Prince mentioned.
The summit comes right in the middle of a broader cybersecurity overhaul inside of Microsoft, following years of incidents and criticisms. Microsoft employees are now being judged directly on their security work, with the company tying those efforts to employee performance reviews.