Microsoft plans to redesign the way anti-malware products interact with the Windows kernel in direct response to the global IT outage in July that was caused by a faulty CrowdStrike update.
Technical details on the changes are not yet available, but the world’s largest software vendor said “new platform capabilities” will be fitted into Windows 11 to allow security vendors to operate “outside of kernel mode” in the interest of software reliability.
Following a one-day summit in Redmond with EDR vendors, Microsoft vice president David Weston described the OS tweaks as part of long-term steps to serve resilience and security goals.
“[We] explored new platform capabilities Microsoft plans to make available in Windows, building on the security investments we have made in Windows 11. Windows 11’s improved security posture and security defaults enable the platform to provide more security capabilities to solution providers outside of kernel mode,” Weston said in a note following the EDR summit.
The redesign is meant to avoid a repeat of the CrowdStrike software update mishap that crippled Windows systems and led to billions of dollars in losses around the world.
Weston referenced the CrowdStrike incident to underscore the urgency for EDR vendors to adopt what Microsoft calls Safe Deployment Practices (SDP) while rolling out updates to the large Windows ecosystem.
Weston said a core SDP principle covers “the gradual and staged deployment of updates sent to customers” and the use of “measured rollouts with a diverse set of endpoints” and the ability to pause or rollback updates when necessary.
“We discussed how Microsoft and partners can increase testing of critical components, improve joint compatibility testing across diverse configurations, drive better information sharing on in-development and in-market product health, and increase incident response effectiveness with tighter coordination and recovery procedures,” Weston added.
At the summit, Weston said Microsoft and partners discussed performance needs and challenges of operating outside of kernel mode, the issue of anti-tampering protection for security products, security sensor requirements and secure-by-design goals for future platforms.
Related: Microsoft Convenes EDR Summit Following CrowdStrike Incident
Related: CrowdStrike Dismisses Claims of Exploitability in Falcon Sensor Bug
Related: CrowdStrike Releases Root Cause Analysis of Falcon Sensor BSOD Crash
Related: CrowdStrike Explains Why Bad Update Was Not Properly Tested