Microsoft wants to make future CrowdStrike outages impossible, and it could mean big changes for security software

What you need to know

  • A massive outage caused by a CrowdStrike bug crashed 8.5 million PCs and affected countless people and businesses.
  • The outage was caused by a CrowdStrike update containing a bug that was able to crash PCs because the app has kernel access on Windows 11.
  • In response to the outage, Microsoft appears to be interested in moving away from security software having Windows 11 kernel access.

As a long-time user and advocate for Windows operating systems, I’ve seen my fair share of software bugs and outages that have caused frustration and inconvenience. But the recent CrowdStrike outage was on an entirely different level, affecting 8.5 million PCs and potentially costing businesses billions of dollars in damages.

Approximately 8.5 million computers experienced crashes due to the recent CrowdStrike downtime, impacting countless individuals and potentially resulting in substantial financial losses for businesses. This incident has been labeled as a “digital pandemic” by some, prompting reactions from CrowdStrike, Microsoft, and cybersecurity professionals. The root cause was identified as a bug within CrowdStrike’s system, with Microsoft exploring potential solutions to prevent such occurrences in the future.

Microsoft’s John Cable, Vice President of Program Management for Windows servicing and delivery, emphasized the importance of organizational resilience in the face of mission-critical incidents, such as the recent CrowdStrike incident, and highlighted Microsoft’s capability to facilitate necessary transformations.

CrowdStrike, and some other security software, runs at the kernel level on Windows 11. That setup gives security tools like CrowdStrike access to a PC’s memory and to parts of the operating system that are normally closed off to other applications. Vendors rely on that access because it lets their software monitor the entire system, but it also means that a faulty driver in something like CrowdStrike can crash the whole PC rather than just the application.

Cable emphasized that the latest CrowdStrike disruption serves as a stark reminder of the need for Windows to focus on enhancing end-to-end robustness through continuous change and innovation. Although Cable didn’t explicitly state that Microsoft intends to move security software away from requiring kernel access, the examples he gave were centered on security approaches that don’t need to engage the Windows kernel.

VBS enclaves, as Cable pointed out, don’t require access to the kernel. Another way to safeguard systems is through the Microsoft Azure Attestation service, which offers protection without exposing a computer to the risks that come with an application having kernel access.

Cable stated, “The following illustrations demonstrate contemporary Zero Trust methods and propose techniques for promoting development without requiring kernel privileges. We are committed to enhancing these functionalities, strengthening our system, and making further advancements to bolster the robustness of the Windows environment, all while engaging in an open and cooperative dialogue with the larger security community.”

If Microsoft restricted security apps from gaining kernel access, problematic updates like the one from CrowdStrike or other applications wouldn’t have the power to make PCs malfunction or crash. It is worth noting that many cyberattacks would still be possible with this measure in place, since cybersecurity is a vast and multifaceted field, but the kind of failure responsible for the CrowdStrike disruption would no longer be a concern.

2024-07-26 17:39