After the CrowdStrike fiasco, Microsoft is making changes to move antivirus protection out of the system kernel.

Why, oh why, would you ever allow someone else’s code in your kernel, making yourself dependent on the stability of an outsider’s system? But that’s what Microsoft did – and they paid the price. But they’re about to fix that. Microsoft is making significant changes to how security software, including antivirus and endpoint protection solutions, interacts with the Windows operating system. Following the July 2024 CrowdStrike incident—where a faulty update caused widespread system outages by affecting the Windows kernel—Microsoft has committed to reducing the risks associated with third-party security software running at the kernel level.

Moving Security Software Out of Kernel Mode

Microsoft is developing a new platform (not named at the time of this writing) that will allow security products, such as those from CrowdStrike and other vendors, to operate outside of the Windows kernel. This means these applications will run more like standard Windows programs, reducing the risk that a bug or misconfiguration in security software could crash the entire system while still maintaining the ability to access system-level functions.

Why This Matters

Kernel-level access gives security software deep control over the operating system, which is necessary for detecting and removing advanced threats like rootkits. However, it also means that any flaw in such software can cause system-wide failures, as seen in the CrowdStrike incident. By moving security software out of the kernel, Microsoft aims to improve system stability and make it easier to recover from crashes.
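As an added example, not code from the article or from Microsoft, the PowerShell below inventories the kernel-mode drivers currently running on a Windows host and reports each binary's Authenticode signer and file-version company, so a defender can see how much third-party code already runs inside the kernel on a given machine. It assumes a PowerShell session on Windows 10/11 (elevated, so every driver file is readable); the "third-party" split on the file's CompanyName is a heuristic I chose here, because WHQL-attested third-party drivers carry a Microsoft signature and the signer alone does not identify the vendor.

```powershell
# Added example (not the article's or Microsoft's code). Lists kernel-mode
# drivers that are currently running, resolves each driver binary, and reports
# its Authenticode signer and file-version company. Assumes an elevated
# PowerShell session on Windows 10/11.

function Resolve-DriverPath {
    param([string]$PathName)
    # WMI reports driver paths in several forms; normalise the common prefixes.
    $p = $PathName -replace '^\\\?\?\\', ''            # \??\C:\... -> C:\...
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot  # \SystemRoot\... -> C:\Windows\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-KernelDriverReport {
    $running = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $running) {
        $path    = Resolve-DriverPath $d.PathName
        $sig     = $null
        $company = $null
        if (Test-Path -LiteralPath $path) {
            $sig     = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
            $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName
        }
        [PSCustomObject]@{
            Driver    = $d.Name
            StartMode = $d.StartMode
            Path      = $path
            Company   = if ($company) { $company } else { '<unknown>' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
            SigStatus = if ($sig) { $sig.Status } else { 'NotFound' }
        }
    }
}

$report = Get-KernelDriverReport

# Heuristic (my choice, not an official classification): WHQL-attested
# third-party drivers are signed by Microsoft, so the signer does not identify
# the vendor; CompanyName from the file's version resource is the more useful,
# though spoofable, hint.
$thirdParty = $report | Where-Object { $_.Company -notmatch 'Microsoft' }

# How many running kernel drivers each vendor contributes.
$report | Group-Object Company | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

"Running kernel-mode drivers not attributed to Microsoft: $($thirdParty.Count)"
$thirdParty | Sort-Object Company |
    Format-Table Driver, StartMode, Company, SigStatus -AutoSize
```

Each driver in the non-Microsoft list is a piece of vendor code that, today, runs with the same privileges as the kernel itself; a `SigStatus` other than `Valid` on any of them is worth investigating, and the list is a reasonable baseline to revisit once vendors ship user-mode versions of their products on the platform the article describes.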

Microsoft has held summits with major security vendors, government officials, and industry partners to discuss the technical challenges and performance needs of running security software outside the kernel. The goal is to ensure that security products remain effective while minimizing risk to the operating system.

New Features and Timelines

A private preview is scheduled for July 2025, which will allow security products to run outside kernel mode, addressing the root cause of the CrowdStrike outage. The feature is rumored to temporarily grant admin privileges to users for specific tasks, enhancing security without leaving persistent admin rights.

Balance Between Security and Stability

While reducing kernel access improves stability, it could limit security software’s ability to detect and remove certain advanced threats that require deep system access. Vendors like ESET have emphasized the need for continued innovation and the ability to access the kernel when necessary.

Avoiding Monopoly Concerns

Microsoft is careful not to give its own security products exclusive kernel access, which could be seen as anti-competitive. Apple implemented similar restrictions with macOS Catalina in 2019, requiring security vendors to adapt their tools to work without kernel-level access.