Microsoft Unveils a More Secure Windows Ecosystem


Windows 11 Revamp Means No Kernel Access Required for Third-Party Security Tools

Brave New Kernel: Microsoft Previews Safer Windows Ecosystem

“All of the endpoint security features you’ve come to expect, without that pesky kernel-level access,” summarizes the essence of Microsoft’s strategy to enhance the Windows ecosystem’s resilience following the major failure linked to a faulty CrowdStrike software update on July 19, 2024.

Nearly a year after the incident, which affected over 8.5 million Windows hosts, Microsoft is adopting a new approach aimed at preventing similar disruptions in the future. A significant component of this initiative is allowing third-party security tools to perform essential functions such as virus detection and behavioral blocking without requiring kernel-level access. This shift aims to reduce the risk associated with faulty updates.

Microsoft plans to introduce a beta version of Windows 11, or “private preview” in company terminology, in July. This version will be made available to a select group of endpoint security software developers affiliated with Microsoft Virus Initiative 3.0.

David Weston, Microsoft’s Vice President of Enterprise and OS Security, indicated that the new capabilities would enable security products to operate outside the Windows kernel, much like standard applications. This change is expected to enhance the reliability of security software and facilitate easier recovery from disruptions, ultimately minimizing impacts on Windows devices in case of unexpected issues.

The recent global incident underscored the pressing need for Microsoft to refine how security tools interact with the operating system kernel. Past updates have led to system crashes for numerous users, prompting the urgent need for a more resilient framework. In response to the lessons learned, Microsoft launched its Windows Resiliency Initiative last November, aimed at expediting system recovery following disruptions.

Key to this initiative are guidelines stipulated by the MVI 3.0 program that outline specific security practices vendors must adhere to, mirroring CrowdStrike’s post-incident commitments. Vendors are now required to implement incremental updates, utilize deployment rings, and maintain monitoring practices to mitigate adverse effects during security updates.
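A minimal model of the ring-gated rollout the MVI 3.0 guidelines call for, added here as an illustration and not code from Microsoft or any vendor; the ring sizes, the 1% crash-rate gate, the minimum sample size and the simulated telemetry are all assumptions made for the example:

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Hypothetical ring sizes, smallest first; a faulty update should stop early here.
RINGS = [("canary", 50), ("early", 500), ("broad", 5000), ("general", 50000)]
MAX_CRASH_RATE = 0.01        # assumed gate: halt if more than 1% of a ring's hosts crash
MIN_HOSTS_FOR_VERDICT = 20   # assumed: never judge a ring on a tiny sample

@dataclass
class RolloutResult:
    promoted: List[str] = field(default_factory=list)  # rings that received the update
    hosts_exposed: int = 0                              # blast radius so far
    halted_at: Optional[str] = None                     # ring where promotion stopped
    reason: str = ""

def crash_rate(reports: List[bool]) -> float:
    """Fraction of hosts that reported a crash; refuses to judge a thin sample."""
    if len(reports) < MIN_HOSTS_FOR_VERDICT:
        raise ValueError(f"only {len(reports)} reports, need {MIN_HOSTS_FOR_VERDICT}")
    return sum(reports) / len(reports)

def run_rollout(deploy: Callable[[str, int], List[bool]]) -> RolloutResult:
    """Promote ring by ring. deploy(ring, size) pushes the update to that ring and
    returns one bool per host (True = crashed). Promotion stops at the first ring
    whose crash rate exceeds MAX_CRASH_RATE, so later rings are never exposed."""
    result = RolloutResult()
    for ring, size in RINGS:
        reports = deploy(ring, size)
        result.promoted.append(ring)
        result.hosts_exposed += len(reports)
        rate = crash_rate(reports)
        if rate > MAX_CRASH_RATE:
            result.halted_at = ring
            result.reason = f"{ring}: crash rate {rate:.1%} exceeds {MAX_CRASH_RATE:.0%}"
            return result
    return result

def simulated_update(crash_fraction: float) -> Callable[[str, int], List[bool]]:
    """Constructed telemetry: an update that deterministically crashes the given
    fraction of hosts in every ring it reaches (1.0 models a push that crashes all)."""
    def deploy(ring: str, size: int) -> List[bool]:
        return [i % 100 < round(crash_fraction * 100) for i in range(size)]
    return deploy

if __name__ == "__main__":
    print(run_rollout(simulated_update(1.0)))   # halts at canary, 50 hosts exposed
    print(run_rollout(simulated_update(0.0)))   # reaches general, 55550 hosts exposed
```

Without the ring gate, the same bad push would have reached all 55,550 modelled hosts at once; with it, exposure stops at the canary ring.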

The broader implications of these developments point to a future where endpoint security solutions are required to adhere to more stringent operational standards. Industry players, including Bitdefender, CrowdStrike, and ESET, have publicly signaled their intent to align with Microsoft’s evolving standards.

Questions still linger regarding whether Microsoft will further modify its own Defender Antivirus software to comply with this new paradigm. The timing and market introduction of endpoint security tools designed to function without kernel-level access remain uncertain, especially as organizations carefully navigate their PC refresh cycles.

In addition to these changes, Microsoft is planning to roll out a feature named Quick Machine Recovery, which aims to streamline recovery processes during unexpected reboots. This tool is expected to facilitate rapid remediation without complex manual intervention, allowing IT departments to promptly restore productivity.

With the ongoing evolution of cybersecurity threats, particularly those leveraging ransomware, these new initiatives from Microsoft are poised to significantly impact organizational resilience against potential disruptions.
