Microsoft Exec: Windows Will Enable Security Tools To Run ‘Outside Of Kernel Mode’

Following the massive Windows outage in July caused by a defective CrowdStrike update, Microsoft is working on a way to allow security products to ‘run in user mode just as apps do,’ Microsoft’s David Weston says.

Following the massive CrowdStrike-caused Windows outage in July, Microsoft is now working on a way to allow security products to avoid impacting the Windows kernel, a Microsoft executive disclosed Tuesday.

CrowdStrike’s access to the kernel—which is the core control center of Windows—has been pinpointed as a key factor that enabled the defective July 19 CrowdStrike Falcon update to send 8.5 million Windows devices into a “blue screen of death” state, leading to widespread societal disruptions.

In response to calls for Microsoft to offer an alternative to kernel access for security tool vendors, the tech giant announced that additional options are officially on the way.

“We are developing new Windows capabilities that will allow security product developers to build their products outside of kernel mode,” wrote David Weston, vice president of enterprise and OS security at Microsoft, in a post Tuesday.

As a result, security products will be able to “run in user mode just as apps do,” Weston said.

It will also mean “easier recovery” and “less impact to Windows in the event of a crash or mistake,” he said.

The new capabilities will not be available for some time, however. Weston’s blog said the private preview will be offered to security product vendors in July 2025.

Notably, there was no mention that Microsoft plans to make the alternative method compulsory and restrict Windows kernel access to endpoint security vendors.

The move follows the Microsoft-hosted endpoint security summit in September that included executives from top vendors in the space, including CrowdStrike.

Sophos CEO Joe Levy, who was among the attendees, told CRN that Microsoft expressed an interest in finding different ways for the kernel to respond to errors caused by security tool updates.

“I’m hopeful that this begins to bring about the evolution of the safety protocols that the endpoint security ecosystem itself is deploying,” Levy said at the time.

Easier Fixes For Windows

Meanwhile, Microsoft also unveiled additional capabilities Tuesday that are “born out of the learnings from the July incident,” Weston wrote.

The forthcoming Quick Machine Recovery capability will allow IT administrators to “execute targeted fixes from Windows Update on PCs, even when machines are unable to boot, without needing physical access to the PC,” he wrote.

The Quick Machine Recovery capability will be made available as part of the Windows Insider Program starting in early 2025, Weston said.