After CrowdStrike Crash, Microsoft Mulls New Windows Security Tools
2024-9-17 03:51:57 Author: securityboulevard.com

Microsoft officials have been putting a focus on how security vendors and their software interacts with the Windows operating system since July, when a faulty update by cybersecurity vendor CrowdStrike crashed more than 8.5 million Windows systems around the world and caused billions of dollars in losses to many Fortune 500 and other companies.


John Cable, vice president of Windows Servicing and Delivery, which is responsible for keeping Windows systems up and running, noted the need for changes in July, just after the CrowdStrike error.

“This incident shows clearly that Windows must prioritize change and innovation in the area of end-to-end resilience,” Cable wrote in a blog post. “These improvements must go hand in hand with ongoing improvements in security and be in close cooperation with our many partners, who also care deeply about the security of the Windows ecosystem.”

The issue of improved Windows security was at the center of discussion again last week, this time at a one-day summit at Microsoft’s headquarters in Redmond, Washington, which brought executives from Microsoft and a number of security companies, including CrowdStrike as well as Sophos, SentinelOne, Trend Micro, and Trellix.

Two days later, David Weston, vice president of enterprise and OS security at Microsoft, gave a high-level wrap-up of the summit and what the IT giant is considering moving forward and added that “the CrowdStrike incident in July underscored the responsibility security vendors have to drive both resiliency and agile, adaptive protection.”


“A key consensus point at the summit was that our endpoint security vendors and our mutual customers benefit when there are options for Windows and choices in security products,” Weston wrote in a blog post. “It was apparent that, given the vast number of endpoint products on the market, we all share a responsibility to enhance resiliency by openly sharing information about how our products function, handle updates and manage disruptions.”

Working Outside of the Kernel

Central to what Microsoft is considering is a set of new security platform capabilities for Windows, in particular the idea of enabling antivirus vendors – including CrowdStrike – to operate outside of the Windows kernel. CrowdStrike’s Falcon platform works at the kernel level, which gives it direct access to key areas like the hardware and system memory.

It was this type of access that allowed a bad update from CrowdStrike to ripple around the world and crash Windows PCs and servers that were vulnerable to the problem. Weston in his blog post wrote that “Windows 11’s improved security posture and security defaults enable the platform to provide more security capabilities to solution providers outside of kernel mode.”

Partners and users alike have asked Microsoft to deliver more security capabilities outside of kernel mode which, coupled with Safe Deployment Practices, developers can use to create highly available security offerings.

“As a next step, Microsoft will continue to design and develop this new platform capability with input and collaboration from ecosystem partners to achieve the goal of enhanced reliability without sacrificing security,” he wrote.

Already in the Works

The tech vendor was moving in that direction before the CrowdStrike incident. In July, Cable pointed to newer security features like VBS enclaves, which offer an isolated compute environment that doesn’t need kernel-mode drivers to be tamper resistant, and the Microsoft Azure Attestation service, which determines the boot path security posture. Both use modern zero-trust principles and highlight what can be done with development efforts that don’t rely on kernel access.

“We will continue to develop these capabilities, harden our platform, and do even more to improve the resiliency of the Windows ecosystem, working openly and collaboratively with the broad security community,” Cable wrote.

Other requirements for a new platform were also discussed at the summit, including anti-tampering protections for security products, security sensors, collaboration principles between Microsoft and ecosystem partners, and Secure-by-Design goals.

Source: https://securityboulevard.com/2024/09/after-crowdstrike-crash-microsoft-mulls-new-windows-security-tools/