Microsoft has taken the first steps toward reimagining how security firms protect Windows, including making it possible for security apps to run outside the kernel.

A failed CrowdStrike update brought the internet to its knees, largely because CrowdStrike’s security platform runs at the Windows kernel level—the lowest level of the operation system. As a result, admins were unable to recover from the failed update without physical access to the impacted machines.

In the aftermath of the outage, Microsoft signaled that it was interested in restricting kernel access, blaming a 2009 EU agreement in which Microsoft guaranteed third-party access to the kernel.

At the company’s Windows Endpoint Security Ecosystem Summit, Microsoft made progress toward addressing the industry’s security needs, while protecting Windows from future CrowdStrike-like incidents.

A key consensus point at the summit was that our endpoint security vendors and our mutual customers benefit when there are options for Windows and choices in security products. It was apparent that, given the vast number of endpoint products on the market, we all share a responsibility to enhance resiliency by openly sharing information about how our products function, handle updates and manage disruptions.

Microsoft and its partners emphasized the importance of the company building out a solution that can operate outside the kernel, while still protecting the OS.

Both our customers and ecosystem partners have called on Microsoft to provide additional security capabilities outside of kernel mode which, along with SDP, can be used to create highly available security solutions. At the summit, Microsoft and partners discussed the requirements and key challenges in creating a new platform which can meet the needs of security vendors.

Some of the areas discussed include:

• Performance needs and challenges outside of kernel mode
• Anti-tampering protection for security products
• Security sensor requirements
• Development and collaboration principles between Microsoft and the ecosystem
• Secure-by-design goals for future platform

As a next step, Microsoft will continue to design and develop this new platform capability with input and collaboration from ecosystem partners to achieve the goal of enhanced reliability without sacrificing security.

Microsoft’s partners praised the company and results of the summit.

“We are honored to be a part of the Windows Endpoint Security Ecosystem Summit,” said Joe Levy, CEO, Sophos. “It was a welcome opportunity to join industry peers in an open discussion of advancements that will serve our customers by elevating the resilience and robustness of both Microsoft Windows and the endpoint security ecosystem. We were very pleased to see Microsoft support many of Sophos’ recommendations, based on the collection of architectural and process innovations we’ve built over the years and present today on the 30 million Windows endpoints we protect globally. The summit was an important and encouraging first step in a journey that will produce incremental improvement over time, and we look forward to collaborating in the design and delivery of more resilient and secure outcomes to our customers.”

At least one partner, however, voiced concern about the possibility of losing access to the kernel.

“ESET supports modifications to the Windows ecosystem that demonstrate measurable improvements to stability, on condition that any change must not weaken security, affect performance, or limit the choice of cybersecurity solutions. It remains imperative that kernel access remains an option for use by cybersecurity products to allow continued innovation and the ability to detect and block future cyberthreats. We look forward to the continued collaboration on this important initiative.”

Microsoft is not shutting down kernel access just yet, but the company is certainly trying to move developers toward a safer option, with the Windows Endpoint Security Ecosystem Summit moving the needle in that direction—even if just a little.