
Microsoft Moves Antivirus and EDR Apps Out of Windows Kernel

Nearly one year after a faulty CrowdStrike update caused widespread system failures across 8.5 million Windows devices globally, Microsoft has announced a strategic initiative to prevent similar incidents in the future. The company plans to release a private preview of a new Windows security platform that will move antivirus (AV) and endpoint detection and response (EDR) applications out of the Windows kernel.


New Platform Designed with AV Vendors

This effort is being developed in collaboration with leading cybersecurity vendors, including CrowdStrike, Bitdefender, ESET, and Trend Micro, among others. In an interview with The Verge, David Weston, Vice President of Enterprise and OS Security at Microsoft, shared some details of this cooperation.


"We’ve had dozens of partners supply papers to us, some of them hundreds of pages long, on how they’d like it to be designed and what the requirements are," Weston stated. "I’ve been really pleased with this. It’s an industry of competitors, but everyone has stepped up and said we’ve got to build a platform that all of us work on."

...

“We’re not here to tell [vendors] how the API should work—we’re here to listen and provide the security and reliability. If we had simply gone out and said ‘Here it is, take it or leave it,’ that would have been a real challenge.”

Moving Away from Kernel-Level Execution

For decades, AV and EDR software has operated within the Windows kernel—granting these tools unrestricted access to system memory and hardware. However, the CrowdStrike incident highlighted the risks associated with such deep integration: a single faulty driver update was able to trigger a Blue Screen of Death (BSOD) across millions of systems.

ℹ️ Speaking of the BSOD: Microsoft is changing its appearance later this summer. The trademark blue background color will become black, and both the QR code and the smiley face will be removed.

To address this, Microsoft is working on a new endpoint security model that isolates AV and EDR apps from the kernel. Key Windows engineers are now involved in developing a platform that maintains robust security while reducing system fragility.

“We’ve had key developers on this, some of the kernel architects of Windows and people that don’t even traditionally work in security,” Weston explained. “It’s really the biggest brains of core Windows being involved and collaborating with CrowdStrike, ESET, and all those folks.”

Private Preview and Gradual Rollout

The upcoming changes will first be made available through a private preview, allowing participating vendors to test and request adjustments before final implementation. According to Weston, the rollout will occur gradually, beginning with AV and EDR solutions, while other use cases will follow later.

Game developers, particularly those relying on kernel-level drivers for anti-cheating mechanisms, have also been included in discussions. Weston noted that many game studios are interested in reducing their dependency on kernel access. “A lot of [game developers] would love to not have to maintain kernel stuff, and they are very interested in how they do that,” he said.


Additionally, Microsoft is preparing a major Windows update scheduled for release later this summer, which includes a new feature called Quick Machine Recovery. This tool is specifically designed to restore non-bootable machines by prompting the device to enter the Windows Recovery Environment, where diagnostics can be performed and sent to Microsoft for analysis.

Weston described the feature as “the thing we’d love to have had for the incident last year,” referring to the CrowdStrike outage. Quick Machine Recovery aims to improve system resilience and reduce downtime in the event of critical failures.

Thanks to the community for the tip.

Source: TheVerge


Author: Sergey Tkachenko

Sergey Tkachenko is a software developer who started Winaero back in 2011. On this blog, Sergey is writing about everything connected to Microsoft, Windows and popular software. Follow him on Telegram, Twitter, and YouTube.
