
Last summer’s CrowdStrike meltdown was a nightmare for network administrators worldwide, disrupting healthcare systems, cutting off access to banking systems, and grounding aircraft. All in all, the event caused billions of dollars in direct and indirect damages, and it was entirely preventable.
In response, Microsoft convened a security summit, bringing together technical experts from CrowdStrike and its competitors in the endpoint security software business. That meeting led to an announcement late last year of a new set of Safe Deployment practices and some changes to the architecture of Windows desktop and server products, with the goal of preventing a similar incident from ever happening again.
No more kernel drivers?
Today, the company announced that some of those Windows Resiliency Initiative features are about to go live. In July, the company said, it will deliver a private preview of the new Windows endpoint security platform to a set of its partners who have signed on to the Microsoft Virus Initiative 3.0 program. The biggest change is one that the majority of security experts had recommended — moving third-party security drivers out of the Windows kernel, where a flaw could cause a catastrophic crash, and running them in user space instead.
The new Windows capabilities will allow them to start building their solutions to run outside the Windows kernel. This means security products like antivirus and endpoint protection solutions can run in user mode just as apps do. This change will help security developers provide a high level of reliability and easier recovery, resulting in less impact on Windows devices in the event of unexpected issues.
The announcement includes supportive quotes from some of those partners, including Bitdefender, ESET, SentinelOne, Trellix, Trend Micro, WithSecure, and — naturally — CrowdStrike.
Last year, following the security summit, ESET had been blunt about the prospect of changes to the endpoint security platform: “It remains imperative that kernel access remains an option for use by cybersecurity products,” the company wrote in an unsigned statement. This year’s remarks are more collegial but still not quite a ringing endorsement:
The collaboration between ESET and Microsoft technology teams on the proposed Windows endpoint security platform changes continues to be productive with open and ongoing dialogue.
Delivering a stable and resilient operating system environment is extremely important for our joint customers, and the ESET team continue to provide detailed feedback to help ensure there is no degradation in the security or performance currently enjoyed by our customers.
One company that was notably missing from today’s roster of supporters was Sophos, which had been vocally critical of calls to move security software out of the Windows kernel space. At the time, Sophos Chief Research and Scientific Officer Simon Reed made clear that the company considers access to the Windows kernel to be fundamental. “Operating in ‘kernel-space’ — the most privileged layer of an operating system, with direct access to memory, hardware, resource management, and storage — is vitally important for security products,” he said, adding that kernel drivers are “fundamental” not just to Sophos products but to “robust Windows endpoint security, in general.”
Bye-bye, Blue Screen of Death
Today’s announcement also highlights some related improvements in the Windows 11 24H2 release that had been previously announced. The first is an improvement in the process of collecting “crash dump” reports after a failure that causes the system to restart; that change should cut downtime to about two seconds for most users. A new interface also simplifies the classic Blue Screen of Death to a less jargon-filled “unexpected restart” screen with white text on a black background. Those changes will be available later this summer, the company says.
Quick Machine Recovery debuts
A second major change that will be rolling out soon is the availability of the quick machine recovery (QMR) feature. One of the most painful aspects of the CrowdStrike failure was that it caused affected machines to go into a restart loop that could only be fixed by sending a technician to physically start the machine in the Windows Recovery Environment (RE) and remove the faulty driver. With QMR, Microsoft can use its update servers to fix the issue automatically.
When a widespread outage prevents devices from starting properly, Microsoft can broadly deploy targeted remediations to affected devices via Windows RE — automating fixes with QMR and quickly getting users to a productive state without requiring complex manual intervention from IT.
We are excited to announce that QMR will be generally available later this summer together with the renewed unexpected restart functionality. QMR supports all editions of Windows 11, version 24H2 devices. It is enabled by default for Windows 11 Home devices; IT admins will be in full control and can enable it on devices running Windows 11 Pro and Enterprise. Later this year, Microsoft will release additional capabilities for IT teams to customize QMR.
Fewer restarts for Windows 11 Enterprise updates
A final, related security change promises to fix a longstanding annoyance with Windows security updates — the need to restart a system to apply the fixes. Network administrators can use Windows Autopatch to deploy hotpatch updates on PCs running Windows 11 Enterprise without requiring a restart more than once every three months. (Sorry, but Windows 11 PCs installed in unmanaged home and small business settings don’t qualify.)
For most end users, these changes will be invisible. But for network administrators who’ve logged sleepless nights worrying about another CrowdStrike-style meltdown, they’ll be a welcome change.