
Microsoft is working on new security features after the CrowdStrike drama

  • September 13, 2024


Microsoft has announced plans to make changes to Windows to allow security vendors like CrowdStrike to operate outside the Windows kernel.

This week, a security summit was held at Microsoft headquarters in Redmond to discuss the impact of the CrowdStrike incident in July.

Access to the Windows kernel has been a hot topic since the incident, in which a faulty CrowdStrike update brought down 8.5 million Windows PCs and servers. CrowdStrike’s software runs at the kernel level, the heart of an operating system, with full access to memory and hardware. As a result, a bug in the software caused a Blue Screen of Death on affected systems.

Since this incident, Microsoft has been advocating for changes to Windows to improve resiliency, with pressure from both partners and regulators not to implement these changes unilaterally. The summit discussed how Microsoft can work with security vendors such as Broadcom, Sophos and Trend Micro to develop a new platform that meets the needs of security companies without requiring access to the kernel.

David Weston, vice president of enterprise and operating system security at Microsoft, said: “Both our customers and partners have asked Microsoft for additional security features beyond kernel mode that can be used in conjunction with secure deployment practices to create robust security solutions.”

Collaboration with partners

Microsoft is investigating the performance requirements and challenges for security vendors to operate outside of kernel mode, as well as the need for tamper protection and security sensors for security products. Weston stressed that Microsoft continues to work with partners to develop a new platform with the goal of improving reliability without compromising security.

While Microsoft isn’t saying it will block kernel access entirely, the plans seem to point to a future where vendors like CrowdStrike will have to operate outside of the kernel. According to The Verge, this isn’t the first time Microsoft has taken such steps. It attempted to restrict kernel access with Windows Vista in 2006, but it faced resistance from security vendors and regulators at the time.

This time, however, the industry seems more open to the changes. Joe Levy, CEO of Sophos, called the summit a good opportunity for collaboration and described the discussions as important for improving the resilience of the Windows ecosystem. Kevin Simzer of Trend Micro praised Microsoft for its openness and collaboration with the industry.

CrowdStrike, which initiated the discussion, also appreciated the collaboration. CrowdStrike’s Drew Bagley said the summit was an important step toward creating a more open and resilient Windows security ecosystem.

Industry concerns

However, not everyone is happy with the potential changes. Cloudflare CEO Matthew Prince previously expressed concerns about Microsoft’s potential monopoly in endpoint security, warning that Microsoft could close off the Windows kernel to third parties while favoring its own security solutions.

Microsoft is aware of these concerns and has therefore also invited representatives from the US and European governments to participate in the discussions during the summit. The meeting took place against the backdrop of a broader cybersecurity review at Microsoft, where employees are now judged on their contribution to security.

Source: IT Daily
