Microsoft Enhances Windows Security with New Changes


It has been nearly a year since a faulty CrowdStrike update crashed Windows machines worldwide, prompting Microsoft to take steps to prevent a repeat. Following discussions with security vendors last year, Microsoft is set to release a private preview of changes to Windows that will move antivirus (AV) and endpoint detection and response (EDR) products out of the Windows kernel.

Collaboration with Security Vendors

The new Windows endpoint security platform is being developed in collaboration with CrowdStrike, Bitdefender, ESET, Trend Micro, and numerous other security vendors. “We have had dozens of partners supply papers to us, some of them hundreds of pages long, detailing how they would like it to be designed and what the requirements are,” explains David Weston, Vice President of Enterprise and OS Security at Microsoft, in an interview with The Verge. “I have been really pleased with this. It is an industry of competitors, but everyone has stepped up and said we need to build a platform that all of us can work on.”

Building Together

Microsoft emphasizes that it is not unilaterally setting the rules but is instead working collaboratively with security vendors. “We are not here to dictate how the API should work; we are here to listen and provide the security and reliability,” Weston states. “I believe if we had approached some of our competitors and said, ‘Here it is, take it or leave it,’ that would have posed a significant challenge.”

Addressing Kernel-Level Security Issues

For decades, Microsoft has designed Windows to let developers ship security software that is deeply integrated with the operating system and runs at the kernel level. The kernel is the most privileged part of the system, with unrestricted access to memory and hardware, and a kernel-mode driver runs with exactly that privilege. There is no isolation boundary between the driver and the kernel, so a bug in the driver (an invalid memory access, for example) is not contained the way an application crash would be: the whole system halts with the notorious Blue Screen of Death (BSOD). The faulty CrowdStrike update last year underscored that risk on a global scale.
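A practical first step for anyone assessing exposure to this class of failure is to know which third-party code is currently loaded in the kernel. The script below is an added example written for this page, not code from Microsoft or any vendor mentioned in the article. It enumerates running kernel-mode drivers, checks the Authenticode signer of each binary, and lists the ones that are not inbox Windows drivers. The signer-subject matching (`CN=Microsoft Windows,` for inbox drivers) is an assumption based on how Microsoft signs its own drivers; adjust it if your environment differs.

```powershell
# Added example (not from the article): inventory running kernel-mode drivers
# and surface those that are not Microsoft's own inbox drivers.
# Run from an elevated PowerShell session on Windows.

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.State -eq 'Running' }

$report = foreach ($d in $drivers) {
    # PathName is sometimes reported as \??\C:\... or \SystemRoot\...; normalise it
    # to a plain file-system path so the signature check can open the file.
    $path = $d.PathName -replace '^\\\?\?\\', '' `
                        -replace '^\\SystemRoot\\', "$env:SystemRoot\"

    $signer = 'unknown'
    if ($path -and (Test-Path -LiteralPath $path)) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Name      = $d.Name
        StartMode = $d.StartMode
        Path      = $path
        Signer    = $signer
    }
}

# Assumption: inbox Windows drivers are signed with a subject starting
# "CN=Microsoft Windows,". Third-party drivers that went through WHQL/attestation
# signing carry "CN=Microsoft Windows Hardware Compatibility Publisher" instead,
# so matching on the exact prefix rather than the word "Microsoft" is what
# separates inbox drivers from vendor-supplied ones (AV/EDR sensors, anti-cheat
# drivers, hardware vendors ...).
$thirdParty = $report | Where-Object { $_.Signer -notmatch '^CN=Microsoft Windows,' }

$thirdParty | Sort-Object Name | Format-Table Name, StartMode, Signer, Path -AutoSize
```

The resulting list is the set of components whose crash would take the machine down with it, and it is the same population the platform described in this article is meant to shrink. Drivers with `StartMode` of `Boot` deserve particular attention: those load before the rest of the system is up, which is why a bad update in one of them can leave a machine unable to boot at all.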

Expertise in Security Changes

Microsoft has assigned some of its most knowledgeable Windows engineers to work on these security changes. “We have had key developers on this, including some of the kernel architects of Windows and individuals who do not traditionally work in security,” Weston notes. “It is really the biggest brains of core Windows being involved and collaborating with CrowdStrike, ESET, and others.”

Private Preview and Future Iterations

The private preview will enable security vendors to request changes and provide feedback. Weston anticipates several iterations before the platform is ready for vendors to transition. However, he cautions that this initiative will not immediately resolve every kernel-level driver issue. “Our goal is to start with AV and EDR, but there will likely be kernel drivers for some time as we move on to the next set of use cases.”

Gaming and Kernel-Level Drivers

Another significant area of Windows that utilizes kernel-level drivers is anti-cheating engines for games. Microsoft has been in discussions with game developers about reducing kernel usage, although this presents a more complex challenge since cheaters often manipulate their machines to disable protections and run cheating engines.

“Many game developers would prefer not to maintain kernel components, and they are very interested in how to achieve that,” Weston explains. “We have been discussing the requirements in that area, and I believe we will have more to say on that in the near future.” Riot Games told me last year that it is willing to follow potential Windows security changes and “recede from the kernel space.”

Customer Demand for Changes

While it will take time for Microsoft and security vendors to implement these Windows changes, Microsoft is optimistic about adoption rates, as its customers are requesting modifications in light of the CrowdStrike incident.

Upcoming Windows Update

Microsoft is also preparing to release a Windows update later this summer that will introduce a new Quick Machine Recovery feature designed to restore machines that cannot boot. When a device fails to start, the feature takes it into the Windows Recovery Environment, where it can reach the network and send diagnostic information to Microsoft so that a targeted fix can be delivered to the machine through Windows Update. “We essentially built the solution we would have liked to have had for the incident last year,” Weston states.

Redesigning the Blue Screen of Death

The sight of a Blue Screen of Death will also become a thing of the past, at least in the literal sense. Microsoft is officially redesigning the BSOD to use a black background instead of blue.
