Microsoft is announcing plans for changes to Windows that will allow CrowdStrike and other security vendors to operate outside the Windows kernel. The announcement follows a Microsoft-hosted security summit held earlier this week at the company's headquarters in Redmond, Washington, to discuss changes to Windows in the wake of the catastrophic CrowdStrike incident in July.
Access to the Windows kernel has been a hot topic since the CrowdStrike disaster brought down 8.5 million Windows PCs and servers. CrowdStrike's software runs at the kernel level of Windows – the core part of the operating system that has unrestricted access to system memory and hardware. Because of this, a faulty update to that software could cause affected systems to display a Blue Screen of Death when booting up.
In the months that followed, Microsoft called for changes to Windows to improve resiliency and hinted at removing security providers from the Windows kernel to prevent this from happening again. But both partners and regulators put pressure on Microsoft not to make this change unilaterally.
Microsoft says it has now discussed with partners such as CrowdStrike, Broadcom, Sophos and Trend Micro “the requirements and key challenges in creating a new platform that can meet the needs of security vendors.”
“Both our customers and our ecosystem partners have asked Microsoft to provide additional security features outside of kernel mode that can be used in conjunction with secure deployment practices to create highly available security solutions,” said David Weston, vice president of enterprise and operating system security at Microsoft.
Microsoft discussed the performance requirements and challenges that security vendors face outside of kernel mode, as well as the need for tamper protection for security products and the requirements of security sensors. “The next step is for Microsoft to continue to design and develop this new platform functionality with input and in collaboration with ecosystem partners to achieve the goal of improved reliability without sacrificing security,” Weston says.
While Microsoft is not directly saying it will lock down access to the Windows kernel, it is clearly in the early stages of developing a security platform that can eventually remove CrowdStrike and others from the kernel. Microsoft last attempted to lock down access to the Windows kernel in Windows Vista in 2006, but faced resistance from cybersecurity vendors and regulators.
This time, security vendors are much more open to it. “It was a welcome opportunity to engage with industry peers in an open discussion about advances that benefit our customers by increasing the resilience and robustness of both Microsoft Windows and the endpoint security ecosystem,” Sophos CEO Joe Levy said in a statement from Microsoft.
“I applaud Microsoft for opening its doors to continue to collaborate with leaders in endpoint security,” says Kevin Simzer, chief operating officer at Trend Micro. Even CrowdStrike, the catalyst for this entire summit, recognized Microsoft's efforts. “We appreciated the opportunity to participate in these important discussions with Microsoft and industry peers to discuss how we can best work together to build a more resilient and open Windows endpoint security ecosystem that strengthens security for our mutual customers,” says Drew Bagley, vice president of privacy and cyber policy at CrowdStrike.
However, not everyone in the security world is happy about Microsoft's potential changes. “Regulators need to pay attention,” Cloudflare CEO Matthew Prince said on X last month, referring to Microsoft's Windows Security Summit. “A world where only Microsoft can provide effective endpoint security is not a safer world.”
Prince says his concern is not that Microsoft might lock down the Windows kernel, but that the company might lock it down “for everyone else” while still allowing “privileged access” to its own offering. Microsoft also invited government officials from the U.S. and Europe to its security summit, apparently aware of concerns like Prince's.
The summit comes amid a major cybersecurity overhaul at Microsoft, stemming from years of incidents and criticism. Microsoft employees are now judged directly on their security work, with the company tying those efforts to employee performance reviews.