Microsoft is building new Windows security features to prevent another CrowdStrike incident

Microsoft is announcing plans to make changes to Windows that will help CrowdStrike and other security vendors operate outside of the Windows kernel. The announcement stems from a Microsoft-hosted security summit earlier this week at the company's Redmond, Washington, headquarters, where it discussed changes to Windows in the wake of the disastrous CrowdStrike incident in July.

Windows kernel access has been a hot topic ever since the CrowdStrike catastrophe took down 8.5 million Windows PCs and servers. CrowdStrike's software runs at the kernel level of Windows - the core part of an operating system that has unrestricted access to system memory and hardware. That's what allowed a faulty update to generate a Blue Screen of Death as soon as affected systems started up.

In the months since, Microsoft has called for changes to Windows to improve resiliency and dropped hints about moving security vendors out of the Windows kernel to prevent this from happening again. But there's been pressure on Microsoft, from both partners and regulators, to not move unilaterally in making that change.

Microsoft says it has now "discussed the requirements and key challenges in creating a new platform which can meet the needs of security vendors" with partners like CrowdStrike, Broadcom, Sophos, and Trend Micro.

"Both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode which, along with safe deployment practices, can be used to create highly available security solutions," says David Weston, vice president of enterprise and OS security at Microsoft.

Microsoft has discussed performance needs and the challenges for security vendors to operate outside of kernel mode, along with the need for anti-tampering protection for security products and security sensor requirements. "As a next step, Microsoft will continue to design and develop this new platform capability with input and collaboration from ecosystem partners to achieve the goal of enhanced reliability without sacrificing security," says Weston.

While Microsoft isn't directly saying it's going to close off access to the Windows kernel, it's clearly at the early stages of designing a security platform that can eventually move CrowdStrike and others out of the kernel. Microsoft last tried to close off access to the Windows kernel in Windows Vista in 2006, but it was met with pushback from cybersecurity vendors and regulators.