Microsoft Moves Antivirus Software Away from Windows Kernel to Prevent System Conflicts

Microsoft is making a major shift concerning antivirus software development for Windows systems, indicating that future security solutions will likely no longer be able to interact directly with the core operating system kernel.

This development addresses a heated debate within cybersecurity circles, especially following the recent CrowdStrike incident, which has bolstered Microsoft’s arguments in this regard. The tech giant is now openly moving toward restricting access to the kernel for third-party security solutions. Starting in July, Microsoft will begin testing a new experimental feature within its Microsoft Virus Initiative (MVI) program, known as the “Windows Endpoint Security Platform.” This platform aims to enable security vendors to create solutions that operate independently of the kernel, essentially running outside of the core system.

However, this move has met resistance from cybersecurity companies like CrowdStrike. The company has expressed concerns that such a change could reduce the effectiveness of its Endpoint Detection and Response (EDR) solution, Falcon, particularly when facing adversaries with high-level privileges capable of disabling security tools in user space—that is, outside the kernel. CrowdStrike fears that operating outside the kernel might give attackers an easier way to bypass security measures.

Looking back to the early 2000s, Microsoft had previously enforced restrictions on kernel access through the implementation of PatchGuard technology with Windows Vista. This feature was designed to prevent third-party software from patching or modifying the kernel, aiming to increase system stability and security. These restrictions led to conflicts with antivirus vendors, prompting some companies, notably Symantec, to escalate the issue to the European Commission. Under pressure from other regulatory concerns, such as the bundling of Internet Explorer and Windows Media Player, Microsoft eventually agreed to loosen these restrictions. Specifically, for 64-bit editions of Windows Vista, the company allowed security software providers to access the kernel, establishing a precedent that let third-party solutions operate at a low level, within the core of the operating system.

From Execution to Recovery: Building a More Resilient Windows

This new direction aligns with Microsoft’s broader initiative called the Windows Resiliency Initiative (WRI), announced in late 2024. The goal of WRI is to create a more robust and reliable Windows environment through four strategic pillars:

  • Enhancing Windows’ overall reliability by learning from incidents like the CrowdStrike outage
  • Enabling more applications to run without requiring administrative privileges
  • Implementing stricter controls over what applications and drivers are authorized to execute
  • Strengthening identification and authentication systems to prevent phishing attacks

Within this framework, Microsoft has tightened the criteria for participating in the MVI program. Notable among the new requirements is the mandate to adopt “safe deployment practices,” which primarily involves phased rollouts—starting with small pilot groups and gradually expanding to wider user bases to avoid introducing vulnerabilities.

Another innovative feature under the WRI banner is Quick Machine Recovery (QMR). Currently in experimental stages, QMR uses a connected recovery environment linked to Windows Update to automatically address startup problems, aiming to reduce downtime and improve system resilience after failures.

Furthermore, Microsoft plans to implement default restrictions on administrative privileges for new PCs, reducing the risk of malware and other security breaches that exploit elevated permissions.

Dawn Liphardt

I'm Dawn Liphardt, the founder and lead writer of this publication. With a background in philosophy and a deep interest in the social impact of technology, I started this platform to explore how innovation shapes — and sometimes disrupts — the world we live in. My work focuses on critical, human-centered storytelling at the frontier of artificial intelligence and emerging tech.