It’s been almost a year since a flawed CrowdStrike update brought down 8.5 million Windows computers worldwide, and Microsoft is committed to ensuring that this issue never happens again. After holding a summit with security vendors last year, Microsoft is ready to release a closed preview of changes to Windows that will move antivirus (AV) and endpoint detection and response (EDR) out of the Windows kernel.
The new Windows endpoint security platform is being built in collaboration with CrowdStrike, Bitdefender, ESET, Trend Micro, and many other security vendors. “Dozens of partners provided us with documents, some of them hundreds of pages long, about how they wanted to see this platform and what their requirements were,” David Weston, vice president of enterprise and operational security at Microsoft, told The Verge. “I was very pleased with that. It’s a competitive industry, but everybody stepped up and said we have to build a platform that we’re all working on.”
Microsoft is keen to emphasize that it doesn’t set the rules and expect everyone to follow them immediately, but instead builds the rules together. “We’re not here to tell them how the API should work, we’re here to listen and make sure it’s safe and secure,” Weston says. “I think if we went out to our competitors and said: ‘Here it is, take it or leave it,’ that would be a real challenge.”
For decades, Microsoft has designed Windows so that developers can build security software that is deeply rooted in Windows, running at the Windows kernel level: the core part of the operating system that has unlimited access to system memory and hardware. The buggy CrowdStrike update last year demonstrated how easily a kernel-level driver can crash and bring a computer down, resulting in a blue screen of death (BSOD).
Some of Microsoft’s most experienced Windows engineers are currently working on these security changes. “We’ve got key developers, some of the Windows kernel architects, and people who don’t traditionally work in security,” Weston says. “It’s really the biggest Windows kernel brains that are participating and collaborating with CrowdStrike, ESET, and all of these people.”
The closed preview will allow security vendors to request changes. Weston says he expects a few iterations before vendors are ready to make the switch. He also doesn’t intend to address all kernel-level driver issues at once. “Our goal is to start with AV and EDR, but kernel drivers will probably come for a while as we move on to the next set of use cases.”
Another big area of Windows that uses kernel-level drivers is anti-cheat mechanisms in games. Microsoft has been discussing with game developers how to reduce kernel usage, but this is a more difficult use case because cheaters often deliberately tamper with the computer to disable the protection and enable their cheats.
“A lot of [game developers] would like to not support the kernel, and they’re very interested in how to do that,” Weston says. “We’ve talked about the requirements, and I think we’ll have something to say about that in the near future.” Last year, Riot Games told me that it was ready to monitor potential changes to Windows security and “step back from kernel space.”
Although it will take some time for Microsoft and security vendors to work through these changes to Windows, Microsoft is confident that it will see good adoption rates as its customers have been asking for changes since the CrowdStrike incident.
Microsoft is also preparing to roll out a Windows update later this summer that will include a new Quick Machine Recovery feature designed to quickly restore computers that can’t boot. It prompts the device to enter a Windows recovery environment where the machine can access the network and provide Microsoft with diagnostic information. “We’ve essentially created what we wish we had in case of last year’s incident,” Weston says.
The spectacle of the “blue screen of death” will also be a thing of the past. Microsoft is now officially changing the design of its BSOD to be black, not blue. Read more about this big change here.